We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on Vesta 2.0 and expect to release it by the end of 2024. Read more about it: https://vestacp.com/docs/vesta-2-development
Got 10 VestaCP servers exploited
- Posts: 1
- Joined: Sun Apr 08, 2018 9:47 am
- Os: Debian 7x
- Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited
Sent you an email.

imperio wrote: ↑Sun Apr 08, 2018 9:30 am
Who wants to provide access to a hacked server?
Please send access via [email protected]
Re: Got 10 VestaCP servers exploited
Thank you
Re: Got 10 VestaCP servers exploited
Looks similar to my servers:

StudioMaX wrote: ↑Sun Apr 08, 2018 9:55 am
A few more logs provided by the hosting support at the time when the server was active. I had the same processes as AKr0nizz. Also, the working directory of the virus was /usr/share/roundcubemail. This is somehow related to Roundcube.
Code: Select all
[root@mail /]# lsof -p 985
COMMAND PID USER FD   TYPE DEVICE      SIZE/OFF NODE       NAME
update  985 root cwd  DIR  182,178001      4096 786628     /usr/share/roundcubemail
update  985 root rtd  DIR  182,178001      4096 2          /
update  985 root txt  REG  182,178001    625611 659895     /tmp/update
update  985 root 0u   CHR  1,3             0t0  3390808082 /dev/null
update  985 root 1u   CHR  1,3             0t0  3390808082 /dev/null
update  985 root 2u   CHR  1,3             0t0  3390808082 /dev/null
update  985 root 3u   IPv4 1473993150      0t0  UDP        *:42651
update  985 root 4u   IPv4 1473990633      0t0  UDP        *:36423
update  985 root 69r  FIFO 0,8             0t0  188493315  pipe
update  985 root 70w  FIFO 0,8             0t0  188493315  pipe
update  985 root 71r  FIFO 0,8             0t0  188493316  pipe
update  985 root 72w  FIFO 0,8             0t0  188493316  pipe
update  985 root 77r  CHR  1,9             0t0  3390808086 /dev/urandom
I have now looked at the Roundcube repository on GitHub and found this recent security issue, but I don't know how this can be related to our servers.
Code: Select all
374491 nginx nginx: worker process
374492 nginx nginx: worker process
374493 nginx nginx: worker process
374494 nginx nginx: worker process
374495 nginx nginx: cache manager process
411496 named /usr/sbin/named -u named -c /etc/named.conf
489055 httpd /usr/sbin/httpd -DFOREGROUND
504853 httpd /usr/sbin/httpd -DFOREGROUND
1009543 config dovecot/config
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
1019355 update cat resolv.conf
1033960 qlzdmvoutu cat resolv.conf
1033961 qlzdmvoutu uptime
1033968 qlzdmvoutu top
1033970 qlzdmvoutu gnome-terminal
1033973 qlzdmvoutu pwd
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
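The two listings above carry the same indicators a responder would pull out by hand: a process whose executable lives in /tmp, a working directory inside a web application, UDP sockets bound on every interface, and commands run by an account name that is not a known service user. The script below is an added example (not VestaCP's, Roundcube's, or any poster's code) that parses `lsof -p PID` output and a `pid user args` style process listing and flags those indicators. The two sample inputs are constructed from the output in this post, and the set of "known" service accounts is an assumption you would adjust for your own box.

```python
"""Triage helper: flag the indicators seen in the lsof and ps output above.

Added example, not code from the thread. Sample inputs are constructed
from the posted output; KNOWN_USERS, WEB_DIRS and TMP_DIRS are assumptions.
"""
from typing import Dict, List

# Constructed sample: the lsof -p 985 output from the post, one entry per line.
LSOF_SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update 985 root cwd DIR 182,178001 4096 786628 /usr/share/roundcubemail
update 985 root rtd DIR 182,178001 4096 2 /
update 985 root txt REG 182,178001 625611 659895 /tmp/update
update 985 root 0u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 1u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 2u CHR 1,3 0t0 3390808082 /dev/null
update 985 root 3u IPv4 1473993150 0t0 UDP *:42651
update 985 root 4u IPv4 1473990633 0t0 UDP *:36423
update 985 root 69r FIFO 0,8 0t0 188493315 pipe
update 985 root 77r CHR 1,9 0t0 3390808086 /dev/urandom
"""

# Constructed sample: the "pid user command" listing from the same post.
PS_SAMPLE = """\
374491 nginx nginx: worker process
411496 named /usr/sbin/named -u named -c /etc/named.conf
489055 httpd /usr/sbin/httpd -DFOREGROUND
1009543 config dovecot/config
1019355 update cat resolv.conf
1033960 qlzdmvoutu cat resolv.conf
1033961 qlzdmvoutu uptime
1033968 qlzdmvoutu top
"""

# Assumption: accounts a stock VestaCP host is expected to run services as.
KNOWN_USERS = {"root", "nginx", "httpd", "apache", "www-data", "named", "bind",
               "config", "dovecot", "dovenull", "mysql", "postfix", "exim",
               "clamav", "vsftpd", "admin"}
# Assumption: directories where a legitimate daemon should not execute from / sit in.
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
WEB_DIRS = ("/usr/share/roundcubemail", "/usr/share/phpmyadmin", "/var/www", "/home/")

LSOF_FIELDS = ("command", "pid", "user", "fd", "type", "device", "size", "node", "name")


def parse_lsof(text: str) -> List[Dict[str, str]]:
    """Parse lsof's 9 columns; NAME is the tail so values with spaces survive."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split(None, 8)
        if len(parts) == 9:
            rows.append(dict(zip(LSOF_FIELDS, parts)))
    return rows


def lsof_indicators(rows: List[Dict[str, str]]) -> List[str]:
    """Return one finding per suspicious descriptor."""
    findings = []
    for r in rows:
        if r["fd"] == "txt" and r["name"].startswith(TMP_DIRS):
            findings.append(f"executable mapped from a world-writable dir: {r['name']}")
        if r["fd"] == "cwd" and r["name"].startswith(WEB_DIRS):
            findings.append(f"working directory inside a web application: {r['name']}")
        if r["node"] == "UDP" and r["name"].startswith("*:"):
            findings.append(f"UDP socket bound on all interfaces: {r['name']}")
    return findings


def parse_ps(text: str) -> List[Dict[str, str]]:
    """Parse 'pid user args' lines (like ps -eo pid,user,args without its header)."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit():
            rows.append({"pid": parts[0], "user": parts[1], "args": parts[2]})
    return rows


def suspicious_users(rows: List[Dict[str, str]], known=KNOWN_USERS) -> Dict[str, List[str]]:
    """Map each account not in the known set to the commands it was running."""
    out: Dict[str, List[str]] = {}
    for r in rows:
        if r["user"] not in known:
            out.setdefault(r["user"], []).append(r["args"])
    return out


if __name__ == "__main__":
    for f in lsof_indicators(parse_lsof(LSOF_SAMPLE)):
        print("lsof:", f)
    for user, cmds in suspicious_users(parse_ps(PS_SAMPLE)).items():
        print(f"ps: unknown account {user!r} ran {len(cmds)} commands: {cmds}")
```

On the sample data the lsof pass reports the /tmp/update binary, the Roundcube working directory and both UDP sockets, and the ps pass reports exactly the two accounts the poster bracketed with exclamation marks, "update" and "qlzdmvoutu". On a live box, feed it `lsof -p <pid>` and `ps -eo pid,user,args --no-headers`; remember that a process whose binary has already been deleted shows "(deleted)" after the path in lsof, which the tail-split parser keeps intact.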
Re: Got 10 VestaCP servers exploited
Yeah, but FTP-only mode is also suitable for getting all necessary backups.

lukapaunovic wrote: ↑Sun Apr 08, 2018 9:50 am
@AKr0nizz
That's exactly the problem why it hasn't been figured out yet. Providers give some creepy read-only FTP mode which is useless, and they won't let the server run for 10 min because they are cowards.
Re: Got 10 VestaCP servers exploited
You can't retrieve a MySQL dump from FTP if the user doesn't have a backup.

AKr0nizz wrote: ↑Sun Apr 08, 2018 10:07 am
Yeah, but FTP-only mode is also suitable for getting all necessary backups.
Re: Got 10 VestaCP servers exploited
If your database server is up, you can use HeidiSQL to back up the SQL files.

sandy wrote: ↑Sun Apr 08, 2018 10:08 am
You can't retrieve a MySQL dump from FTP if the user doesn't have a backup.
Re: Got 10 VestaCP servers exploited
Yeah, it is quite complex.

sandy wrote: ↑Sun Apr 08, 2018 10:08 am
You can't retrieve a MySQL dump from FTP if the user doesn't have a backup.
But if you have FTP access as root to the server, your MySQL DBs are stored here:
/var/lib/mysql/
Re: Got 10 VestaCP servers exploited
Did you check that it's only a read-only mode?
Re: Got 10 VestaCP servers exploited
I don't understand: if the VestaCP team has already gotten a bunch of hacked servers for testing, why are they still resting?