Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
It's on GitHub
https://github.com/serghey-rodin/vesta/ ... e359cda7dd
It will be on main servers soon
To update now from GitHub:
Install git before this
cd $(mktemp -d)
git clone git://github.com/serghey-rodin/vesta.git
yes | /usr/bin/cp -rf vesta/* /usr/local/vesta
service vesta restart
Re: Got 10 VestaCP servers exploited
lukapaunovic wrote: ↑Sun Apr 08, 2018 10:02 pm
It's on GitHub
https://github.com/serghey-rodin/vesta/ ... e359cda7dd
It will be on main servers soon
To update now from GitHub:
Install git before this
cd $(mktemp -d)
git clone git://github.com/serghey-rodin/vesta.git
yes | /usr/bin/cp -rf vesta/* /usr/local/vesta

Has it been tested as requested by Serghey (I don't have time until tomorrow)? I have implemented the previous patch across servers to secure the password input.
Re: Got 10 VestaCP servers exploited
Need some tests
Re: Got 10 VestaCP servers exploited
The previous patch is practically useless.
A hacker only has to insert another pair of quotes and voilà.
This way, with the input hashed before passing it anywhere, is safest.
You can test it on your test servers if you have any. You can try logging in with multiple users using multiple hashing types. Code looks fine to me.
But I'm not at a PC to test it, as I'm doing everything from mobile; this all started when I arrived on my vacation.
Re: Got 10 VestaCP servers exploited
I updated bin, func, src, and web from master. What is the way to test if it works or not?
Re: Got 10 VestaCP servers exploited
If login & api work fine it should be ok.
Another pair of eyes will check soon. But everything seems fine.
Re: Got 10 VestaCP servers exploited
The fix has been released just now!
As usual there are 3 ways to update your server:
1. Via web interface
- Login as admin
- Go to updates tab
- Click on update button under vesta package
2. Via package manager
- SSH as root to your server
- yum update / apt-get update && apt-get upgrade
3. Via GitHub
- SSH as root
- Install git / yum install git / apt-get install git
- Then run following commands
Code: Select all
cd $(mktemp -d)
git clone git://github.com/serghey-rodin/vesta.git
/bin/cp -rf vesta/* /usr/local/vesta/
Some information about this incident. We still don't have a working exploit for the previous version. But we know for sure that the vector of attack was through a potentially insecure password check method. Therefore we have completely rewritten the password auth function. It's bulletproof now!
Please upgrade your servers as soon as possible.
Re: Got 10 VestaCP servers exploited
skid wrote: ↑Sun Apr 08, 2018 10:26 pm
The fix has been released just now!
As usual there are 3 ways to update your server:
1. Via web interface
- Login as admin
- Go to updates tab
- Click on update button under vesta package
2. Via package manager
- SSH as root to your server
- yum update / apt-get update && apt-get upgrade
3. Via GitHub
- SSH as root
- Install git / yum install git / apt-get install git
- Then run following commands
Code: Select all
cd $(mktemp -d)
git clone git://github.com/serghey-rodin/vesta.git
/bin/cp -rf vesta/* /usr/local/vesta/
Some information about this incident. We still don't have a working exploit for the previous version. But we know for sure that the vector of attack was through a potentially insecure password check method. Therefore we have completely rewritten the password auth function. It's bulletproof now!
Please upgrade your servers as soon as possible.

Thanks
So just upgrade vesta?
No need to delete some files or viruses?
Re: Got 10 VestaCP servers exploited
All virus processes should be killed and files with virus should be deleted
https://superuser.com/questions/877896/ ... 24#1004724
Re: Got 10 VestaCP servers exploited
imperio wrote: ↑Sun Apr 08, 2018 10:41 pm
All virus processes should be killed and files with virus should be deleted
https://superuser.com/questions/877896/ ... 24#1004724

Seems that mine did not.
I had a high CPU process which I just killed, and it leads to this directory right here
Code: Select all
find / -name *wnrkywzlgd*
/run/systemd/generator.late/runlevel5.target.wants/wnrkywzlgd.service
/run/systemd/generator.late/runlevel4.target.wants/wnrkywzlgd.service
/run/systemd/generator.late/runlevel3.target.wants/wnrkywzlgd.service
/run/systemd/generator.late/runlevel2.target.wants/wnrkywzlgd.service
/run/systemd/generator.late/rescue.target.wants/wnrkywzlgd.service
/run/systemd/generator.late/wnrkywzlgd.service
/usr/bin/wnrkywzlgd
/sys/fs/cgroup/systemd/system.slice/wnrkywzlgd.service
/etc/rc.d/init.d/wnrkywzlgd
/etc/rc.d/rc1.d/S90wnrkywzlgd
/etc/rc.d/rc2.d/S90wnrkywzlgd
/etc/rc.d/rc4.d/S90wnrkywzlgd
/etc/rc.d/rc6.d/K90wnrkywzlgd
/etc/rc.d/rc5.d/S90wnrkywzlgd
/etc/rc.d/rc3.d/S90wnrkywzlgd
/etc/rc.d/rc0.d/K90wnrkywzlgd
And there are 2 more
Code: Select all
lrwxrwxrwx 1 root root 20 Apr 9 06:43 K90nzwjjbnipz -> ../init.d/nzwjjbnipz
lrwxrwxrwx 1 root root 20 Apr 9 06:43 K90sgyronbqvp -> ../init.d/sgyronbqvp
lrwxrwxrwx 1 root root 20 Apr 8 20:01 K90wnrkywzlgd -> ../init.d/wnrkywzlgd
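
Added example, not part of the original posts: a POSIX shell check for the persistence pattern visible in the two listings above (an init script whose name is exactly 10 lowercase letters, S90/K90 links in the rc directories, and a same-named file in /usr/bin). The function names `scan_root` and `make_sample_tree` and the sample tree are assumptions made for illustration; the heuristic is derived only from the three names shown in this thread.

```sh
#!/bin/sh
# Added example (not from the thread). Heuristic taken only from the listings
# above: init script named with exactly 10 lowercase letters, S90/K90 links in
# rcN.d, optionally a same-named file in usr/bin.
LC_ALL=C; export LC_ALL

# scan_root ROOT: print "<name> links=<n> binary=<yes|no>" for each match.
# ROOT is / on a live host, or the mount point of an image under analysis.
scan_root() {
    root=${1%/}
    for script in "$root"/etc/rc.d/init.d/*; do
        name=${script##*/}
        case $name in
            *[!a-z]*) continue ;;          # anything outside a-z: skip
        esac
        if [ "${#name}" -ne 10 ]; then continue; fi
        links=0
        for link in "$root"/etc/rc.d/rc[0-6].d/[SK]90"$name"; do
            if [ -L "$link" ]; then links=$((links + 1)); fi
        done
        if [ "$links" -eq 0 ]; then continue; fi
        binary=no
        if [ -e "$root/usr/bin/$name" ]; then binary=yes; fi
        printf '%s links=%s binary=%s\n' "$name" "$links" "$binary"
    done
}

# make_sample_tree DIR: constructed test tree with one suspect and two benign
# entries (hypothetical layout modelled on the paths in the post).
make_sample_tree() {
    d=$1
    mkdir -p "$d/etc/rc.d/init.d" "$d/usr/bin"
    for n in 0 1 2 3 4 5 6; do mkdir -p "$d/etc/rc.d/rc$n.d"; done
    : > "$d/etc/rc.d/init.d/wnrkywzlgd"; : > "$d/usr/bin/wnrkywzlgd"
    for n in 1 2 3 4 5; do
        ln -s ../init.d/wnrkywzlgd "$d/etc/rc.d/rc$n.d/S90wnrkywzlgd"
    done
    for n in 0 6; do
        ln -s ../init.d/wnrkywzlgd "$d/etc/rc.d/rc$n.d/K90wnrkywzlgd"
    done
    : > "$d/etc/rc.d/init.d/network"           # benign: wrong length
    ln -s ../init.d/network "$d/etc/rc.d/rc3.d/S10network"
    : > "$d/etc/rc.d/init.d/postgresql"        # benign: 10 letters, no 90 link
    ln -s ../init.d/postgresql "$d/etc/rc.d/rc3.d/S64postgresql"
}

if [ "$#" -gt 0 ]; then scan_root "$1"; fi
```

A hit is a lead for review, not a verdict, since a legitimate service can also have a 10-letter name. The `/run/systemd/generator.late` units in the first listing are generated by systemd from the SysV init script, so the script scans the init.d and rcN.d entries rather than those units.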