Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
Yeah! god bless them,
If anyone wants to backup files, if you have FTP access you can use https://www.multcloud.com/ ; multcloud supports remote file transfer FTP to FTP or FTP to cloud drives: Google Drive, Dropbox, mega.nz (50GB), MediaFire, Amazon Drive, pCloud etc. :) Transfer BW is 2TB, I think it's enough, and don't forget to also back up the database files.
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
I can't believe that hours have passed and everyone is still repeatedly discovering things which were all clear to a sane person 10 minutes after the server hack.
Someone from staff should get server on ovh and setup Honeypot Vesta
Re: Got 10 VestaCP servers exploited
Can confirm that situation. VPS is suspended because of spam.
Vesta version:
Version:0.9.8 (amd64)
Release:19
Hosting provider - Hostens.com
Logs provided by hoster:
--- Evidence ---
/usr/bin/qrttoppm
/usr/bin/yuvtoppm
/usr/bin/xbmtopbm
Also, several malicious processes are running from Roundcube; hard to say exactly since it is KVM:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update 31830 root cwd DIR 8,1 4096 396760 /var/lib/roundcube
update 31830 root rtd DIR 8,1 4096 2 /
update 31830 root txt REG 8,1 625611 918560 /tmp/update
update 31830 root 0u CHR 1,3 0t0 6 /dev/null
update 31830 root 1u CHR 1,3 0t0 6 /dev/null
update 31830 root 2u CHR 1,3 0t0 6 /dev/null
update 31830 root 3u IPv4 7540080 0t0 TCP 13e5.k.hostens.cloud:57616->209.141.61.140:smtp (ESTABLISHED)
update 31830 root 41r FIFO 0,10 0t0 4447782 pipe
update 31830 root 42w FIFO 0,10 0t0 4447782 pipe
update 31830 root 43r FIFO 0,10 0t0 4447783 pipe
update 31830 root 44w FIFO 0,10 0t0 4447783 pipe
--- Evidence ---
Re: Got 10 VestaCP servers exploited
Who wants to provide access to a hacked server?
Please, send access via [email protected]
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
@imperio
I do not know how you don't realize that no provider will allow a hacked server to keep running. I barely convinced OVH to get it up for 10 mins so I could back up the data.
Re: Got 10 VestaCP servers exploited
Check your email, I've sent it to you.
Respond if you received it!
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
@AKr0nizz
That's exactly the problem why it hasn't been figured out yet. Providers give some creepy read-only FTP mode which is useless, and they won't let the server run for 10 min cuz they are cowards.
Re: Got 10 VestaCP servers exploited
A few more logs provided by the hosting support at the time when the server was active.
I had the same processes as AKr0nizz. Also, the working directory of the virus was /usr/share/roundcubemail. This is somehow related to Roundcube.
I have now looked at the Roundcube repository on GitHub and found this recent security issue. But I don't know how this can be related to our servers.
[root@mail /]# lsof -p 985
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update 985 root cwd DIR 182,178001 4096 786628 /usr/share/roundcubemail
update 985 root rtd DIR 182,178001 4096 2 /
update 985 root txt REG 182,178001 625611 659895 /tmp/update
update 985 root 0u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 1u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 2u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 3u IPv4 1473993150 0t0 UDP *:42651
update 985 root 4u IPv4 1473990633 0t0 UDP *:36423
update 985 root 69r FIFO 0,8 0t0 188493315 pipe
update 985 root 70w FIFO 0,8 0t0 188493315 pipe
update 985 root 71r FIFO 0,8 0t0 188493316 pipe
update 985 root 72w FIFO 0,8 0t0 188493316 pipe
update 985 root 77r CHR 1,9 0t0 3390808086 /dev/urandom
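As an added defender's example (not code posted in this thread), here is a small Python triage script that parses lsof output like the two dumps above (the Hostens log for PID 31830 and this post's PID 985) and flags the indicators both posters observed: an executable running from /tmp, a root process whose working directory is inside the Roundcube tree, an outbound SMTP session from a process that is not the mail server, and a wildcard UDP socket. The exim4 rows, the MTA name set and the directory lists are my assumptions, added as a benign control and as tunable allow/deny lists.

```python
import re
from collections import defaultdict

# Constructed sample: lsof rows copied from this thread's evidence (PIDs 31830, 985) plus a made-up benign exim4 row.
SAMPLE_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update 31830 root cwd DIR 8,1 4096 396760 /var/lib/roundcube
update 31830 root txt REG 8,1 625611 918560 /tmp/update
update 31830 root 3u IPv4 7540080 0t0 TCP 13e5.k.hostens.cloud:57616->209.141.61.140:smtp (ESTABLISHED)
update 985 root cwd DIR 182,178001 4096 786628 /usr/share/roundcubemail
update 985 root txt REG 182,178001 625611 659895 /tmp/update
update 985 root 3u IPv4 1473993150 0t0 UDP *:42651
exim4 1200 Debian-exim txt REG 8,1 1200000 12345 /usr/sbin/exim4
exim4 1200 Debian-exim 5u IPv4 9999 0t0 TCP mail.example.test:41000->198.51.100.7:smtp (ESTABLISHED)
"""

TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")                      # assumed world-writable dirs
WEBAPP_DIRS = ("/usr/share/roundcubemail", "/var/lib/roundcube", "/var/www/", "/home/")
KNOWN_MTAS = {"exim", "exim4", "sendmail", "smtpd", "master"}        # assumed legitimate SMTP senders
SMTP_RE = re.compile(r"->[^ ]+:(?:smtp|25|465|587) \(ESTABLISHED\)")

def parse_lsof(text):
    """Yield (command, pid, user, fd, node, name) per data row of `lsof` output."""
    for line in text.splitlines():
        parts = line.split(None, 8)              # NAME is the 9th field and may contain spaces
        if len(parts) < 9 or not parts[1].isdigit():
            continue                             # header row, shell prompt or junk
        cmd, pid, user, fd, _type, _dev, _size, node, name = parts
        yield cmd, int(pid), user, fd, node, name

def triage_lsof(text):
    """Return {pid: [finding, ...]} for processes showing the indicators seen in the thread."""
    by_pid = defaultdict(list)
    for row in parse_lsof(text):
        by_pid[row[1]].append(row)
    report = {}
    for pid, rows in by_pid.items():
        hits = []
        for cmd, _pid, user, fd, node, name in rows:
            if fd == "txt" and name.startswith(TMP_DIRS):
                hits.append(f"executable runs from a temp dir: {name}")
            if fd == "cwd" and user == "root" and name.startswith(WEBAPP_DIRS):
                hits.append(f"root process working inside a web app tree: {name}")
            if node == "TCP" and SMTP_RE.search(name) and cmd not in KNOWN_MTAS:
                hits.append(f"non-MTA '{cmd}' has an outbound SMTP session: {name}")
        if hits and any(n == "UDP" and nm.startswith("*:") for *_, n, nm in rows):
            hits.append("suspect process also bound UDP on all interfaces")
        if hits:
            report[pid] = hits
    return report
```

Run it against `lsof -nP` output from a live box (port numbers instead of service names are matched too); the exim4 control process produces no findings, while both `update` processes do.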