Got 10 VestaCP servers exploited

[lukapaunovic]

After this the best thing to do is to get backups and reinstall server and restore it
It's hassle free and you'll keep peace of mind

[ivcha92]

Just did an update using CLI please note that /usr/local/vesta/nginx/nginx.conf was not updated

Access log should be manualy enabled after update for easier debugging in future

[pipoy]

everything is still the same with my server.

I already deleted /lib/libudev.so and gcc.sh it just keeps coming back

and these random letters in /etc/init.d

[imperio]

I already deleted /lib/libudev.so and gcc.sh it just keeps coming back

try to search and kill active virus process (procesess)

[pipoy]

I already deleted /lib/libudev.so and gcc.sh it just keeps coming back

try to search and kill active virus process (procesess)

Thanks.

I chmod 0000 first the libudev.so before removing it like what your link said.

Removing it head on will just instantly generate a new one.

Looks like that my server is stable now. Ill give update to this thread.

[Razza]

Version 0.9.8-20 Dose not seem to be released for Debain 9.

Code: Select all

apt-get -qq update &&apt-cache show vesta|grep "Version"
Version: 0.9.8-19

[crackerizer]

Updated to V20 but still monitoring.

for the POST log, it seems like the hacker removed my IP from his pool. No trace of access from him since.

[pipoy]

I am also monitoring. 1 hr after, so far so good.

Im not sure if I was out of his pool, but definitely the viruses are not replicating itself anymore.

How did someone knew the people who uses vestacp anyway?

[dpeca]

For those people that want to help us with honeypots.

In /usr/local/vesta/web/api/index.php
after first line, please add this line:

Code: Select all

file_put_contents('/tmp/postlog.txt', 'API: '.$_SERVER["REMOTE_ADDR"] . ' = ' .  print_r($_POST, true), FILE_APPEND);

In /usr/local/vesta/web/login/index.php
after first line, please add this line:

Code: Select all

file_put_contents('/tmp/postlog.txt', 'LOGIN: '.$_SERVER["REMOTE_ADDR"] . ' = ' .  print_r($_POST, true), FILE_APPEND);

Then, via SSH, do

Code: Select all

tailf /tmp/postlog.txt

from your computer (or from other server), and when you see strange codes send us to [email protected]

DO NOT this on production servers (because file will contains all passwords and file will be readable for any user on server)

[Mag37]

I everyone I just want to ask few simple questions :

• Were any of the VestCP install on HTTPS ?

• Is it a good idea to change VestaCP port 8083 ? (= stealth mode)

My instalation is and did not get hacked (I have turned it off as I write)
I am on Ubuntu 16.04 - Apache Nginx
the entire install is on https (letsencrypt)
One note with my install is that Roundcube does not function at this time
database connection error... Will fix that later

I have turn off my server at this time. Will upgrade ASAP

Thanks and good Luck guys

PS: my Host emailed me about this issue.