Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
When is version 0.9.8-20 going to be uploaded to the Debian 9 repo? Every other Debian and Ubuntu version got the 0.9.8-20 version of Vesta.
Got the version for each from the repo using:
for i in wheezy jessie stretch quantal raring saucy utopic vivid wily trusty; do
    # fetch the Packages index of each release and print the vesta source version
    echo "$i:" $(curl -s http://apt.vestacp.com/$i/dists/$i/vesta/binary-amd64/Packages | grep -A1 "Source: vesta" | tail -n 1 | awk '{print $2}')
done | sort -t: -k2
stretch: 0.9.8-19
jessie: 0.9.8-20
quantal: 0.9.8-20
raring: 0.9.8-20
saucy: 0.9.8-20
trusty: 0.9.8-20
utopic: 0.9.8-20
vivid: 0.9.8-20
wheezy: 0.9.8-20
wily: 0.9.8-20
Re: Got 10 VestaCP servers exploited
It's on a new clean server; now it's inside /tmp:
ls -l /tmp
total 12
drwx------ 3 root root 4096 Apr 9 21:23 systemd-private-563862e74418482aa1f5132158a1ffff-dovecot.service-4eioQZ
drwx------ 3 root root 4096 Apr 9 21:23 systemd-private-563862e74418482aa1f5132158a1ffff-systemd-timesyncd.service-n4CfUC
-rw------- 1 root root 1961 Apr 9 21:27 tmp.bv84E5EAhS
Re: Got 10 VestaCP servers exploited
Gluek wrote: ↑Mon Apr 09, 2018 6:52 pm
It's on a new clean server; now it's inside /tmp:
outgoing traffic started at 20:40
ls -l /tmp
total 12
drwx------ 3 root root 4096 Apr 9 21:23 systemd-private-563862e74418482aa1f5132158a1ffff-dovecot.service-4eioQZ
drwx------ 3 root root 4096 Apr 9 21:23 systemd-private-563862e74418482aa1f5132158a1ffff-systemd-timesyncd.service-n4CfUC
-rw------- 1 root root 1961 Apr 9 21:27 tmp.bv84E5EAhS

Hey, I just checked; I have those too on a freshly installed Vesta whose port wasn't exposed to the public for even a minute.
Good news is this is not an infection if the UPDATE file is not present within the tmp folder.
ls systemd*/tmp
systemd-private-634d8e53eac54fd7911188ef97351c9b-chronyd.service-Cal8wF/tmp:
systemd-private-634d8e53eac54fd7911188ef97351c9b-dovecot.service-ROfyMr/tmp:
systemd-private-634d8e53eac54fd7911188ef97351c9b-exim.service-xIxlsJ/tmp:
systemd-private-634d8e53eac54fd7911188ef97351c9b-httpd.service-E6OwxB/tmp:
systemd-private-634d8e53eac54fd7911188ef97351c9b-named.service-fBgXxQ/tmp:
systemd-private-634d8e53eac54fd7911188ef97351c9b-nginx.service-4i1JXa/tmp:
As you can see they are all empty; on the previously hacked server the UPDATE file was present.
Last edited by lukapaunovic on Mon Apr 09, 2018 7:10 pm, edited 1 time in total.
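The check described in this post, as an added example that is not lukapaunovic's own commands: it scans a tmp root and every systemd PrivateTmp directory beneath it (the systemd-private-*/tmp directories listed above) for the UPDATE file the thread treats as the infection indicator. The sample tree it can build for a dry run is constructed here; the service names and random suffixes in it are made up.

```shell
#!/bin/sh
# Added example, not from the thread: look for the UPDATE indicator in /tmp and
# in every systemd PrivateTmp directory (systemd-private-*/tmp).  Those private
# directories are root-only (drwx------), so run a live scan as root.

# Prints the path of every UPDATE file found under the given root, one per line.
find_update_files() {
    base="${1:-/tmp}"
    for d in "$base" "$base"/systemd-private-*/tmp; do
        [ -d "$d" ] || continue          # an unmatched glob stays literal; skip it
        if [ -e "$d/UPDATE" ]; then
            printf '%s\n' "$d/UPDATE"
        fi
    done
    return 0
}

# Number of hits; 0 means the indicator is absent.
count_update_files() {
    find_update_files "$1" | wc -l | tr -d ' '
}

# Builds a constructed sample tree shaped like the listings above: three service
# PrivateTmp directories, one of which carries UPDATE.  Names are made up.
make_sample_tree() {
    root="$(mktemp -d)"
    mkdir -p "$root/systemd-private-0123abcd-dovecot.service-AbCdEf/tmp" \
             "$root/systemd-private-0123abcd-nginx.service-GhIjKl/tmp" \
             "$root/systemd-private-0123abcd-httpd.service-MnOpQr/tmp"
    : > "$root/systemd-private-0123abcd-httpd.service-MnOpQr/tmp/UPDATE"   # the indicator
    printf '%s\n' "$root"
}

# Live scan: ./check_update.sh scan   Dry run on the sample tree: ./check_update.sh demo
case "${1:-}" in
    scan) for f in $(find_update_files /tmp); do ls -ld "$f"; done
          echo "UPDATE files found: $(count_update_files /tmp)" ;;
    demo) t="$(make_sample_tree)"; find_update_files "$t"; rm -rf "$t" ;;
esac
```

A hit is only an indicator, not proof of a clean box when absent: the scan reports the file's owner, size and mtime with ls -ld so the timestamp can be lined up with when outbound traffic started, as Gluek did above.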
Re: Got 10 VestaCP servers exploited
Gluek wrote: ↑Mon Apr 09, 2018 6:36 pm
Got hacked on DO, then migrated to another provider; a new clean VDS with a fresh Vesta install just got 100% CPU load with 5k IOPS disk and 400 Mbit net, so I can't even log in via SSH. Rebooted... Now trying to detect what was wrong. P.S. SSH only with keys, no root login.

This helped me clean up the trojan and back up my stuff from an infected VPS:
# boot the VPS, log in ASAP and then:
# check your max # of connections for future reference:
sysctl net.netfilter.nf_conntrack_max
# limit max # of connections to something super low
sysctl net.netfilter.nf_conntrack_max=1200
# save your current iptables rules
iptables-save > rules.ip4
# load up a blank set of rules which will only allow traffic from your IP
iptables-restore < emergency.ip4

# emergency.ip4 (emergency stuff)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s YOUR_IP_NOT_THE_SERVERS -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -d YOUR_IP_NOT_THE_SERVERS -j ACCEPT
# optionally allow domain resolution, or change the IPs to ones from /etc/resolv.conf or repo IPs or whatever it is you want to do while in emergency mode, but the above will allow rsync and will avoid getting your VPS suspended as a DDOS source
-A INPUT -s 84.200.69.80 -j ACCEPT
-A INPUT -s 84.200.70.40 -j ACCEPT
-A OUTPUT -d 84.200.69.80 -j ACCEPT
-A OUTPUT -d 84.200.70.40 -j ACCEPT
COMMIT
The reason I didn't address IPv6 is that this DDoS seems to only use IPv4. You can simply set the default policy of ip6tables to DROP as well if you want.
Last edited by really on Mon Apr 09, 2018 10:14 pm, edited 1 time in total.
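The emergency lockdown above as a script, added here as an example rather than really's own commands: it generates the IPv4 ruleset from the admin address and resolver list, generates the default-drop IPv6 counterpart the post mentions, validates both with iptables-restore --test, and only then lowers the conntrack limit and loads them. The admin address 203.0.113.10 used in the usage lines is a documentation address standing in for your own; the resolver defaults are the two addresses from the post; the file names are my own choice.

```shell
#!/bin/sh
# Added example, not from the thread: build, validate and apply the emergency
# rulesets.  ADMIN_IP must be the address you connect *from*, never the server's
# own address, or the lockout is complete.

# Emits an iptables-restore file on stdout: default-deny, loopback, then the admin
# host and each resolver in both directions (OUTPUT is DROP too, so replies need
# an explicit rule).  With no resolvers given, the two from the post are used.
emergency_ruleset() {
    admin="$1"
    [ -n "$admin" ] || { echo "usage: emergency_ruleset ADMIN_IP [RESOLVER...]" >&2; return 2; }
    shift
    [ $# -gt 0 ] || set -- 84.200.69.80 84.200.70.40
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT'
    for h in "$admin" "$@"; do
        printf '%s\n' "-A INPUT -s $h -j ACCEPT" "-A OUTPUT -d $h -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# IPv6 counterpart: the flood here was IPv4-only, so IPv6 is simply closed.
emergency_ruleset6() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]' \
                  '-A INPUT -i lo -j ACCEPT' '-A OUTPUT -o lo -j ACCEPT' 'COMMIT'
}

# Root only.  Records the old conntrack limit, lowers it, saves the live rules
# (the way back), then validates and loads the emergency sets.
apply_emergency() {
    stamp="$(date +%Y%m%d-%H%M%S)"
    sysctl net.netfilter.nf_conntrack_max > "conntrack-$stamp.txt"
    sysctl -w net.netfilter.nf_conntrack_max=1200
    iptables-save  > "rules-$stamp.ip4"
    ip6tables-save > "rules-$stamp.ip6"
    emergency_ruleset "$@" > emergency.ip4
    emergency_ruleset6     > emergency.ip6
    iptables-restore  --test < emergency.ip4 && iptables-restore  < emergency.ip4
    ip6tables-restore --test < emergency.ip6 && ip6tables-restore < emergency.ip6
}

# ./emergency.sh show 203.0.113.10           print the IPv4 set, touch nothing
# ./emergency.sh apply 203.0.113.10          lock the box down (as root)
case "${1:-}" in
    show)  shift; emergency_ruleset "$@" ;;
    apply) shift; apply_emergency "$@" ;;
esac
```

Run show first and read the output: the only ACCEPT lines should name loopback, your own address and the resolvers. Restoring the saved rules-*.ip4 file with iptables-restore undoes the lockdown once the box is rebuilt.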
Re: Got 10 VestaCP servers exploited
I didn't have any problems until I ran the update this morning. A few minutes ago I got an email from my VPS host (OVH) saying that my VPS has been suspended.
From: OVH Support
Dear Customer,
Abnormal activity has been detected on your VPS .
As this constitutes a breach of contract, your virtual server
has been blocked.
You will find the logs brought up by our system below, which led to this alert.
- START OF ADDITIONAL INFORMATION -
Attack detail : 10Kpps/71Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags packets bytes reason
2018.04.09 19:34:51 CEST MY_VPS_IP:1813 59.56.66.67:8811 TCP SYN 2048 1828864 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:43509 59.56.66.67:8811 TCP SYN 2048 1820672 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:57337 59.56.66.67:8811 TCP SYN 2048 1894400 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:57087 59.56.66.67:8811 TCP SYN 2048 1839104 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:51152 59.56.66.67:8811 TCP SYN 2048 1824768 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:28409 59.56.66.67:8811 TCP SYN 2048 1900544 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:60568 59.56.66.67:8811 TCP SYN 2048 1892352 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:38289 59.56.66.67:8811 TCP SYN 2048 1902592 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:25782 59.56.66.67:8811 TCP SYN 2048 1867776 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:28951 59.56.66.67:8811 TCP SYN 2048 1873920 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:5011 59.56.66.67:8811 TCP SYN 2048 1865728 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:2420 59.56.66.67:8811 TCP SYN 2048 1828864 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:19935 59.56.66.67:8811 TCP SYN 2048 1910784 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:56914 59.56.66.67:8811 TCP SYN 2048 1892352 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:55014 59.56.66.67:8811 TCP SYN 2048 1884160 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:17569 59.56.66.67:8811 TCP SYN 2048 1896448 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:64671 59.56.66.67:8811 TCP SYN 2048 1892352 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:17837 59.56.66.67:8811 TCP SYN 2048 1837056 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:60514 59.56.66.67:8811 TCP SYN 2048 1875968 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:9150 59.56.66.67:8811 TCP SYN 2048 1845248 ATTACK:TCP_SYN
- END OF ADDITIONAL INFORMATION -
OVH Support
Call us at: 1-855-OVH-LINE (684-5463)
24/7/365
[ref=1.661c9fff]
Last edited by BartMan__X on Mon Apr 09, 2018 11:15 pm, edited 1 time in total.
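A triage helper for the abuse report above, added as an example and not part of BartMan__X's post: it reads the ADDITIONAL INFORMATION rows, sums packets and bytes per destination and counts the distinct source ports, so the flood target and volume are clear before you decide what to rebuild. The three sample rows are constructed in the report's column layout with RFC 5737 documentation addresses; they are not real traffic.

```shell
#!/bin/sh
# Added example, not from the thread: summarise an OVH-style attack report.
# Columns: date time tz src:port dst:port proto flags packets bytes reason
# Only rows whose last field starts with ATTACK: are counted, so the header
# line and the START/END markers are ignored.
summarize_abuse_report() {
    awk '
        $NF ~ /^ATTACK:/ {
            split($4, src, ":")            # src[2] is the ephemeral source port
            pk[$5] += $8; by[$5] += $9     # per destination ip:port
            tot_p += $8; tot_b += $9
            ports[src[2]] = 1
            flags[$7] = 1
        }
        END {
            for (d in pk) printf "dst=%s packets=%d bytes=%d\n", d, pk[d], by[d]
            n = 0; for (p in ports) n++
            f = ""; for (x in flags) f = f x " "
            printf "total packets=%d bytes=%d distinct_src_ports=%d flags=%s\n", tot_p, tot_b, n, f
        }'
}

# Constructed sample in the report format (documentation addresses, not real).
SAMPLE_REPORT='dateTime srcIp:srcPort dstIp:dstPort protocol flags packets bytes reason
2018.04.09 19:34:51 CEST 192.0.2.10:1813 198.51.100.7:8811 TCP SYN 2048 1828864 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST 192.0.2.10:43509 198.51.100.7:8811 TCP SYN 2048 1820672 ATTACK:TCP_SYN
2018.04.09 19:34:52 CEST 192.0.2.10:57337 198.51.100.7:8811 TCP SYN 2048 1894400 ATTACK:TCP_SYN'

# ./triage.sh demo                summary of the constructed sample
# ./triage.sh < report.txt        summary of a real report pasted to a file
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_REPORT" | summarize_abuse_report ;;
    "")   [ -t 0 ] || summarize_abuse_report ;;
esac
```

Many distinct source ports, one destination, and SYN only is the signature of an outbound SYN flood from the box itself, which is what the report above shows; a single destination port like 8811 is the value to carry into your own firewall and flow logs when checking which process was sending.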
Re: Got 10 VestaCP servers exploited
Razza wrote: ↑Mon Apr 09, 2018 6:46 pm
When is version 0.9.8-20 going to be uploaded to the Debian 9 repo? Every other Debian and Ubuntu version got the 0.9.8-20 version of Vesta.
Got the version for each from the repo using:
for i in wheezy jessie stretch quantal raring saucy utopic vivid wily trusty; do echo "$i:" $(curl -s http://apt.vestacp.com/$i/dists/$i/vesta/binary-amd64/Packages | grep -A1 "Source: vesta" | tail -n 1 | awk '{print $2}') ; done | sort -t: -k2
stretch: 0.9.8-19
jessie: 0.9.8-20
quantal: 0.9.8-20
raring: 0.9.8-20
saucy: 0.9.8-20
trusty: 0.9.8-20
utopic: 0.9.8-20
vivid: 0.9.8-20
wheezy: 0.9.8-20
wily: 0.9.8-20

Why can't Debian 9 see the update?
Re: Got 10 VestaCP servers exploited
It appears that DigitalOcean did a blanket outgoing traffic block on servers using VestaCP (at least in my NYC-3 sector), even if they weren't compromised. Thankfully, I wasn't compromised, but my applications were broken by the outgoing traffic block (things like reCAPTCHA and some others). This has brought on my dissatisfaction with DigitalOcean, as well as VestaCP. Why should an unaffected server have restrictions enforced upon it? And I understand that this is open source and security vulnerabilities will always come about, but damn....