Got 10 VestaCP servers exploited

[sandy]

sandy can you check [email protected]
i'm waiting for more than 20 minutes.
I sent you access to hacked server.
serghey is not online so he can't look into it.
can anyone from vesta look into it. the disk is mounted it's in rescue mode.

sorry i'm not from vesta, from else where

[lukapaunovic]

damn i mistaken u for this other member

[StudioMaX]

A bit more info:
My /etc/cron.hourly/gcc.sh file was modified on 04.04.2018 16:25:00

I've analyzed the modified /var/lib/mysql/roundcube/session.ibd file, which was modified at the same time on 04.04.2018 16:24:56

In SQL dump of this "session" table from "roundcube" database I found new session at the same time:

Code: Select all

INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES
('ajhkl541vskuji31ss3tadl7gc',	'2018-04-04 16:24:54',	'119.82.29.17',	'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6ImZ5blJ2SlpPZ1VoeTFNUDZ6c0FWUk4yZXZ6YWNHdlhrIjs=');

119.82.29.17 - looks like attacker's or bot's IP

But interesting is that the same IP address was figured in other session from 2018-03-24 23:02:01

Code: Select all

INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES
('1a6f1ft5oo732eju8p6mldlag1',	'2018-03-24 23:02:01',	'119.82.29.17',	'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6InJhQ1M4Z2hYME01YkJ2M1F6akt6SWJTeHVCY1E3dFA2Ijs=');

All other tables in "roundcube" database were empty (since I do not use Roundcube).

I installed Vesta on the new server on 24.03.2018 0:00:51, so the bot detected it in less than a day.

[lukapaunovic]

was the vesta service stopped when new server got breached?

[sandy]

was the vesta service stopped when new server got breached?

no, but server hangs because of outbound ddos

[lukapaunovic]

Hey yes you are right the session in roundcube file editing time coresponds with /etc/init.d/update

[ivcha92]

Hi i just send access to readonly ftp to [email protected]

My serves is on OVH and its in rescue64-ftp mode. Haven't contacted them yes. Has anyone been able to reactivate the server on OVH ? I am still waiting to get to bottom of the issue so when I contact them to know the exact details of the issue.

[lukapaunovic]

Hey here are affected files in that time range see

[sandy]

Hi i just send access to readonly ftp to [email protected]

My serves is on OVH and its in rescue64-ftp mode. Haven't contacted them yes. Has anyone been able to reactivate the server on OVH ? I am still waiting to get to bottom of the issue so when I contact them to know the exact details of the issue.

only way to backup your data and reinstall the server OS.

[StudioMaX]

Also I have good news: I binary compared all the files in two backups of the whole server, one from 03-04-2018 (before infection), the other from 07-04-2018. And it seems that this exploit did not modify any system files, but only created these:

Code: Select all

/etc/cron.hourly/gcc.sh
/etc/rc.d/init.d/update
/etc/rc.d/rc1.d/S90update
/etc/rc.d/rc2.d/S90update
/etc/rc.d/rc3.d/S90update
/etc/rc.d/rc4.d/S90update
/etc/rc.d/rc5.d/S90update
/usr/lib/libudev.so
/tmp/update

But in any case, if your server was infected, you will need to reinstall it.