Got 10 VestaCP servers exploited

[SS88]

@StudioMaX

That's what I'm looking for the how to. lol

Edit this file: /usr/local/vesta/web/api/index.php

Add this in line 3:

Code: Select all

file_put_contents('/tmp/postlog.txt', print_r($_POST, true));

[crackerizer]

@SS88, Thanks for you suggestion.

Guys, I think the guy from the IP in my previous post is also observing this forum. I should have been more careful posting the IP address. I think he might have already removed my IP from his exploited pool.

Is there any safer channel we can discuss?

[lukapaunovic]

Remove virus he injected and he'll try again. At least we know vuln is in API now

[SS88]

By looking at the file he's restricted to /usr/local/vesta/bin/

Can you send a list of files you have in that directory to see if the exploit is in the current code, or perhaps he added his own file with unrestricted access.

Have you added any third party scripts such as App Installers? Usually these also add their own file to /usr/local/vesta/bin/

[Prime]

I'm setting up a Honeypot server on a VPS right now and we'll see how it goes. I'm not very hopeful as my other installation of Vesta is running behind same network and wasn't attacked.

[ivcha92]

$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
unlink($v_password)


Just checked Vesta API. Haven't tested yet but it might be a way to inject shell command in "password" parameter of post request since it is not escaped with escapeshellarg(). Will try to test it out on my other server to see if this may be an issue

[lukapaunovic]

@dpeca brother found out this

https://github.com/serghey-rodin/vesta/ ... ex.php#L71

Unescaped

[MAN5]

@SS88, Thanks for you suggestion.

Guys, I think the guy from the IP in my previous post is also observing this forum. I should have been more careful posting the IP address. I think he might have already removed my IP from his exploited pool.

Is there any safer channel we can discuss?

VestaTeam. Please remove this entry. so hopes, the hacker should not know this entry..

[SS88]

$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
unlink($v_password)


Just checked Vesta API. Haven't tested yet but it might be a way to inject shell command in "password" parameter of post request since it is not escaped with escapeshellarg(). Will try to test it out on my other server to see if this may be an issue

Quite right I think +1, plus reference for use of 'buggy' escapeshellarg: https://gist.github.com/Zenexer/40d02da ... a11af9ab36

[imperio]

All security information you can sending via [email protected]