Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
You said wonderful words, but then how did I get hacked? I don't have Roundcube. If they are not sure, please don't provide the answers yet, as we're frustrated and don't tolerate 101 different answers. Things can be controlled when you've a proper source.
I have been hacked many times in the past, as those could be easily mitigated; this time you know how serious it is.
Last edited by sandy on Sun Apr 08, 2018 6:37 pm, edited 1 time in total.
Re: Got 10 VestaCP servers exploited
What's with your honeypot? Did you configure the logging of POST requests?
Re: Got 10 VestaCP servers exploited
And who are you? Freshly registered with only the three postings above, asking for access to user systems?

nextgi wrote: ↑Sun Apr 08, 2018 6:18 pm
Alright,
Another update. This issue seems to be with Roundcube. We are not seeing any typical communications with VestaCP's admin interface that would indicate it was compromised. However, we are still investigating the issue.
For those of you that have compromised systems, we would love an opportunity to take a look at the logs and check similarities. Any volunteers, feel free to PM us. We would gladly set up a conference call and check things out.

@people: don't give random strangers access to your systems, even broken ones!!
No offense meant, but have you even read the thread? While only you could not see the API of Vesta being accessed (because all Vesta access logging goes to /dev/null by default), that does not mean there was none.
On a honeypot with access logging activated, API calls have been logged, so this most likely is the real entry point.
As written earlier, I also have seen some suspicious files/timestamps related to a single visible access of the /webmail/ URL. Yet without the chance to check matching log entries for the API, there is nothing to analyze anyway.
I am quite certain that Roundcube is not the cause; more likely the attack tried to interfere with it (through the API), maybe to get access or phish credentials or whatever, but that would only have happened _after_ the initial infection of the system.
BTW: was anyone able to fetch the POST data that's being submitted to the API with activated logging? I set up a honeypot myself, but who knows how fast it'll get tried again, if ever...
Re: Got 10 VestaCP servers exploited
https://www.virustotal.com/#/file/48343 ... /detection
This is for libudev.so, the infected version.
Re: Got 10 VestaCP servers exploited
Your theory really doesn't make much sense at this point: if Roundcube were at fault here, why are only installations with Vesta actively running on the system affected by this? All of us that have disabled the Vesta services are yet to be affected, and none of the other control panels like Plesk, cPanel or DirectAdmin are affected by this. Worth mentioning as well is that some hacks place files on the machine to actively mislead people, and it seems like you did fall for the bait.
Last edited by Prime on Sun Apr 08, 2018 6:39 pm, edited 1 time in total.
Re: Got 10 VestaCP servers exploited
Unfortunately, we cannot provide our servers, simply because they have either been blocked by the hosting support, or we have already reinstalled the operating system, or turned off the Vesta service to prevent infection of the server.
Re: Got 10 VestaCP servers exploited
Agree with you.

Falzo wrote: ↑Sun Apr 08, 2018 6:37 pm
And who are you? Freshly registered with only the three postings above, asking for access to user systems?

nextgi wrote: ↑Sun Apr 08, 2018 6:18 pm
Alright,
Another update. This issue seems to be with Roundcube. We are not seeing any typical communications with VestaCP's admin interface that would indicate it was compromised. However, we are still investigating the issue.
For those of you that have compromised systems, we would love an opportunity to take a look at the logs and check similarities. Any volunteers, feel free to PM us. We would gladly set up a conference call and check things out.

@people: don't give random strangers access to your systems, even broken ones!!
No offense meant, but have you even read the thread? While only you could not see the API of Vesta being accessed (because all Vesta access logging goes to /dev/null by default), that does not mean there was none.
On a honeypot with access logging activated, API calls have been logged, so this most likely is the real entry point.
As written earlier, I also have seen some suspicious files/timestamps related to a single visible access of the /webmail/ URL. Yet without the chance to check matching log entries for the API, there is nothing to analyze anyway.
I am quite certain that Roundcube is not the cause; more likely the attack tried to interfere with it (through the API), maybe to get access or phish credentials or whatever, but that would only have happened _after_ the initial infection of the system.
BTW: was anyone able to fetch the POST data that's being submitted to the API with activated logging? I set up a honeypot myself, but who knows how fast it'll get tried again, if ever...
Re: Got 10 VestaCP servers exploited
And your statement is very accurate. My wording was poor. More or less, we need logs. As many as possible, that is. You are also correct in relation to Roundcube. We are just now investigating this. We do not run off of forum threads as our base of action. When investigating a threat, I like to reveal as much information as possible as it is flowing. We have positively identified the file that acts as the culprit in the DDoS attacks. We are now working to identify the method of injection. We will consider the API front. As users are reporting that even Roundcube was removed or disabled, this would negate our working theory.

Falzo wrote: ↑Sun Apr 08, 2018 6:37 pm
And who are you? Freshly registered with only the three postings above, asking for access to user systems?

nextgi wrote: ↑Sun Apr 08, 2018 6:18 pm
Alright,
Another update. This issue seems to be with Roundcube. We are not seeing any typical communications with VestaCP's admin interface that would indicate it was compromised. However, we are still investigating the issue.
For those of you that have compromised systems, we would love an opportunity to take a look at the logs and check similarities. Any volunteers, feel free to PM us. We would gladly set up a conference call and check things out.

@people: don't give random strangers access to your systems, even broken ones!!
No offense meant, but have you even read the thread? While only you could not see the API of Vesta being accessed (because all Vesta access logging goes to /dev/null by default), that does not mean there was none.
On a honeypot with access logging activated, API calls have been logged, so this most likely is the real entry point.
As written earlier, I also have seen some suspicious files/timestamps related to a single visible access of the /webmail/ URL. Yet without the chance to check matching log entries for the API, there is nothing to analyze anyway.
I am quite certain that Roundcube is not the cause; more likely the attack tried to interfere with it (through the API), maybe to get access or phish credentials or whatever, but that would only have happened _after_ the initial infection of the system.
BTW: was anyone able to fetch the POST data that's being submitted to the API with activated logging? I set up a honeypot myself, but who knows how fast it'll get tried again, if ever...

As I have stated many times already, this is a working theory. I would like to work with a few others that are currently checking this out.
WE DO NOT NEED ACCESS TO YOUR SYSTEMS!!!!!! We just want logs and as much information as possible.
Re: Got 10 VestaCP servers exploited
Thank you StudioMaX for sharing this helpful info.
StudioMaX wrote: ↑Sun Apr 08, 2018 12:06 pm
Also I have good news: I binary compared all the files in two backups of the whole server, one from 03-04-2018 (before infection), the other from 07-04-2018. And it seems that this exploit did not modify any system files, but only created these:

Code:
/etc/cron.hourly/gcc.sh
/etc/rc.d/init.d/update
/etc/rc.d/rc1.d/S90update
/etc/rc.d/rc2.d/S90update
/etc/rc.d/rc3.d/S90update
/etc/rc.d/rc4.d/S90update
/etc/rc.d/rc5.d/S90update
/usr/lib/libudev.so
/tmp/update

But in any case, if your server was infected, you will need to reinstall it.
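A quick triage check for the artifact paths StudioMaX listed, as an added example that is not from the thread or from the Vesta project: it takes an optional root prefix (assumed here so an offline-mounted backup or image can be scanned instead of the live host), prints each artifact found with its mtime and size for timeline building, and returns the count.

```shell
#!/bin/sh
# Added example (not from the thread): look for the persistence artifacts
# reported above, on the live host or under a mounted image given as $1.
# Usage: sh check_vesta_iocs.sh [ROOT]   -> exit 1 if anything is found.

# Paths the thread reports as created by the infection (constructed list
# taken verbatim from StudioMaX's post).
IOC_PATHS="
/etc/cron.hourly/gcc.sh
/etc/rc.d/init.d/update
/etc/rc.d/rc1.d/S90update
/etc/rc.d/rc2.d/S90update
/etc/rc.d/rc3.d/S90update
/etc/rc.d/rc4.d/S90update
/etc/rc.d/rc5.d/S90update
/usr/lib/libudev.so
/tmp/update
"

# check_vesta_iocs ROOT: report each artifact present under ROOT on stderr
# (ls -ld gives mtime, size and symlink target), echo the count on stdout.
check_vesta_iocs() {
  root=${1:-/}
  found=0
  for p in $IOC_PATHS; do
    f="${root%/}$p"
    # -e misses dangling symlinks; -L still catches the rcN.d links.
    if [ -e "$f" ] || [ -L "$f" ]; then
      found=$((found + 1))
      printf 'FOUND %s\n' "$(ls -ld "$f")" >&2
    fi
  done
  echo "$found"
}

# Only run the scan when executed directly as check_vesta_iocs.sh.
if [ "${0##*/}" = "check_vesta_iocs.sh" ]; then
  n=$(check_vesta_iocs "$1")
  if [ "$n" -gt 0 ]; then
    echo "$n artifact(s) found: treat the host as compromised and rebuild it" >&2
    exit 1
  fi
  echo "no known artifacts found (absence is not proof of a clean host)" >&2
fi
```

A zero count only means these particular names are absent; comparing against a known-good backup, as StudioMaX did, remains the reliable check.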