Vesta Control Panel - Forum

Got 10 VestaCP servers exploited

General questions about VestaCP
549 posts • Page 48 of 55
lukapaunovic
Posts: 73
Joined: Sun Dec 03, 2017 6:30 pm

Re: Got 10 VestaCP servers exploited

Post by lukapaunovic » Wed Apr 11, 2018 1:48 pm

whitewind2 wrote: ↑
Wed Apr 11, 2018 1:47 pm
I reinstalled on Sunday. New OS, installed patch.
Was hacked last night.
Going to rebuild the server again; is there anything you need before I delete it?
Is it not fixed, or did I miss something?

Before you rebuild the server, check which version of VestaCP you are using.
As I see it, you are probably on Ubuntu?

whitewind2
Posts: 3
Joined: Wed Apr 11, 2018 1:44 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by whitewind2 » Wed Apr 11, 2018 2:06 pm

lukapaunovic wrote: ↑
Wed Apr 11, 2018 1:48 pm
Before you rebuild the server, check which version of VestaCP you are using.
As I see it, you are probably on Ubuntu?

It's on DigitalOcean, and I only have limited console access to it. Is there a command-line way to check, or a file? Yes, it's on a newly installed Ubuntu 16.04.4 OS.

lukapaunovic
Posts: 73
Joined: Sun Dec 03, 2017 6:30 pm

Re: Got 10 VestaCP servers exploited

Post by lukapaunovic » Wed Apr 11, 2018 2:13 pm

whitewind2 wrote: ↑
Wed Apr 11, 2018 2:06 pm
It's on DigitalOcean, and I only have limited console access to it. Is there a command-line way to check, or a file? Yes, it's on a newly installed Ubuntu 16.04.4 OS.

Yes, try this:

Code:

grep Version /usr/local/vesta/src/deb/vesta/control

whitewind2
Posts: 3
Joined: Wed Apr 11, 2018 1:44 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by whitewind2 » Wed Apr 11, 2018 2:26 pm

lukapaunovic wrote: ↑
Wed Apr 11, 2018 2:13 pm
Yes, try this:

Code:

grep Version /usr/local/vesta/src/deb/vesta/control

Release 19, Version 0.9.8, but I did do the update after the install, and I thought the console, when I had it, showed release 20...
Not sure if it helps, but the update in /tmp is dated Apr 5 13:05, which is before the server build.
Also a file called e.mysql in /tmp, 0 bytes, is timestamped around the time of the network traffic.

lukapaunovic
Posts: 73
Joined: Sun Dec 03, 2017 6:30 pm

Re: Got 10 VestaCP servers exploited

Post by lukapaunovic » Wed Apr 11, 2018 2:31 pm

whitewind2 wrote: ↑
Wed Apr 11, 2018 2:26 pm
Release 19, Version 0.9.8, but I did do the update after the install, and I thought the console, when I had it, showed release 20...
Not sure if it helps, but the update in /tmp is dated Apr 5 13:05, which is before the server build.
Also a file called e.mysql in /tmp, 0 bytes, is timestamped around the time of the network traffic.

So when you ran

Code:

grep Version /usr/local/vesta/src/deb/vesta/control

you got

Code:

Version: 0.9.8-19

? That means you were running the vulnerable version.

You can update from GitHub after you install again.

For Ubuntu: apt install git -y
For CentOS: yum install git -y

I would recommend you use CentOS instead of Ubuntu because it's much more stable and works better with VestaCP.

Code:

# Clone the current Vesta source into a scratch directory and copy it over
# the installed tree. https:// replaces the git:// transport of the original
# post: git:// is unauthenticated and GitHub no longer serves it.
cd "$(mktemp -d)"
git clone https://github.com/serghey-rodin/vesta.git
# "yes |" answers the overwrite prompt that an interactive cp alias would raise.
yes | /usr/bin/cp -rf vesta/* /usr/local/vesta
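Following the version check and update commands above, here is an added example (my own, not code from the thread or from the Vesta project) that reads the Version: field from the Debian control file the post greps and compares it numerically against a minimum release, so the check can be scripted across several servers instead of read by eye. The minimum value 0.9.8-20 is an assumption taken from whitewind2's remark that the console showed release 20; the thread itself only establishes that 0.9.8-19 was the vulnerable one, so confirm the actually fixed release against the project's changelog. The control file contents are constructed.

```sh
#!/bin/sh
# Added example, not from the thread or from VestaCP. Parses "Version: X-Y"
# out of a Debian control file and compares it against a minimum release.
# MIN_RELEASE below is an ASSUMPTION for illustration, not a project fact.

# Print the value of the first "Version:" line in a control file.
vesta_version() {
    sed -n 's/^Version:[[:space:]]*//p' "$1" | head -n 1
}

# Numeric comparison of two "MAJOR.MINOR.PATCH-RELEASE" strings.
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2. Missing fields count as 0,
# so "0.9.8" compares as "0.9.8-0" and therefore older than "0.9.8-1".
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "[.-]"); m = split(b, y, "[.-]")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Exit status 0 when the control file $1 reports a version below $2,
# 1 when it is at least $2, 2 when no Version: field was found.
control_below() {
    v=$(vesta_version "$1")
    [ -n "$v" ] || { echo "no Version: field in $1" >&2; return 2; }
    [ "$(vercmp "$v" "$2")" = "-1" ]
}

# Constructed sample standing in for /usr/local/vesta/src/deb/vesta/control
# on the affected host (the value is the one the poster reported).
SAMPLE_CONTROL=$(mktemp)
cat > "$SAMPLE_CONTROL" <<'EOF'
Package: vesta
Version: 0.9.8-19
Architecture: amd64
Description: Vesta Control Panel
EOF

MIN_RELEASE="0.9.8-20"   # assumption, see the comment at the top

if control_below "$SAMPLE_CONTROL" "$MIN_RELEASE"; then
    echo "installed $(vesta_version "$SAMPLE_CONTROL") is below $MIN_RELEASE: update before exposing port 8083"
else
    echo "installed $(vesta_version "$SAMPLE_CONTROL") is at least $MIN_RELEASE"
fi
rm -f "$SAMPLE_CONTROL"
```

Point `control_below` at the real control file on each box (over ssh, in a loop) and act on the exit status; note that the file describes the source tree that was copied into /usr/local/vesta, so it only tells you what was installed, not whether the running panel was later tampered with.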

yoko eagle
Posts: 33
Joined: Sat Jan 20, 2018 3:45 am

Os: Debian 8x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by yoko eagle » Wed Apr 11, 2018 3:00 pm

whitewind2 wrote: ↑
Wed Apr 11, 2018 1:47 pm
I reinstalled on Sunday. New OS, installed patch.
Was hacked last night.
Going to rebuild the server again; is there anything you need before I delete it?
Is it not fixed, or did I miss something?

If you are on DigitalOcean, follow the steps in this post; Ubuntu has a similar command line to Debian.
viewtopic.php?f=10&t=16556&start=460#p69440

dpeca
VestaCP Team
Posts: 473
Joined: Wed Nov 25, 2015 7:30 pm

Re: Got 10 VestaCP servers exploited

Post by dpeca » Wed Apr 11, 2018 4:25 pm

Until now, here is what I found as "strange" queries on port 8083:

Code:

46.161.55.106 - - [09/Apr/2018:10:03:33 +0200] "GET /_asterisk/ HTTP/1.1" 404 658 "-" "python-requests/2.18.4"

118.139.177.119 - - [10/Apr/2018:09:54:58 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
193.70.85.110 - - [10/Apr/2018:18:53:03 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
192.169.226.71 - - [10/Apr/2018:22:03:17 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"

5.39.223.84 - - [11/Apr/2018:08:11:45 +0000] "\x03\x00\x00*%\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Test" 400 166 "-" "-"
5.39.223.84 - - [11/Apr/2018:08:11:45 +0000] "\x03\x00\x00*%\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Test" 400 166 "-" "-"

198.27.126.93 - - [10/Apr/2018:16:02:55 +0200] HEAD /manager/html HTTP/1.0 "302" 0 "-" "-" "-"
62.212.73.238 - - [11/Apr/2018:11:19:54 +0200] GET /recordings//theme/main.css HTTP/1.1 "302" 154 "-" "curl/7.29.0" "-"
62.212.73.238 - - [11/Apr/2018:11:19:56 +0200] GET /recordings//theme/main.css HTTP/1.1 "404" 1254 "-" "curl/7.29.0" "-"

imperio
VestaCP Team
Posts: 7000
Joined: Sat Dec 01, 2012 12:37 pm

Re: Got 10 VestaCP servers exploited

Post by imperio » Wed Apr 11, 2018 4:32 pm

Code:

"GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
GET /w00tw00t.at.ISC.SANS.DFind:)

Looks like a vulnerability scanner.
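To separate lines like the ones dpeca posted from real panel traffic at scale, here is an added example (mine, not code from the thread or from VestaCP): a POSIX shell classifier that tags the request patterns seen above. It is keyed on substrings, so it copes with both log layouts on the page (request in quotes, or request unquoted with the status in quotes). The tag names are my own, grouping /_asterisk/ and /recordings/ together as PBX-style paths is an assumption, and the last sample line is constructed; the other sample lines are copied from the post above. Every line dpeca listed drew a 400, 404 or 302, so this is background scanning rather than a successful request against the panel.

```sh
#!/bin/sh
# Added example, not from the thread: tag known scanner patterns in nginx
# access-log lines from the panel port. Tag names are my own.

# Print one tag for a single access-log line (or "unclassified").
# First matching pattern wins, so the path checks come before the generic
# user-agent check.
classify_line() {
    case "$1" in
        *w00tw00t.at.ISC.SANS.DFind*)      echo "dfind-scanner" ;;        # DFind scanner banner
        *mstshash=*)                       echo "rdp-probe" ;;            # RDP connect request sent to an HTTP port
        *"/manager/html"*)                 echo "tomcat-manager-probe" ;; # Tomcat manager path
        *"/_asterisk/"*|*"/recordings/"*)  echo "pbx-path-probe" ;;       # Asterisk/FreePBX-style paths (assumption)
        *"python-requests/"*|*"curl/"*)    echo "scripted-client" ;;      # automation UA, no known-bad path
        *)                                 echo "unclassified" ;;
    esac
}

# Read a log file and print "<tag> <client-ip>" for every non-empty line.
# The client IP is the first whitespace-separated field in both layouts.
scan_log() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        ip=${line%% *}
        echo "$(classify_line "$line") $ip"
    done < "$1"
}

# Number of lines in $1 that received any tag other than "unclassified".
count_flagged() {
    scan_log "$1" | awk '$1 != "unclassified" { n++ } END { print n + 0 }'
}

# Sample log: the first six lines are from the post above; the last one is
# a constructed ordinary panel login request for contrast.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
46.161.55.106 - - [09/Apr/2018:10:03:33 +0200] "GET /_asterisk/ HTTP/1.1" 404 658 "-" "python-requests/2.18.4"
118.139.177.119 - - [10/Apr/2018:09:54:58 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
193.70.85.110 - - [10/Apr/2018:18:53:03 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
5.39.223.84 - - [11/Apr/2018:08:11:45 +0000] "\x03\x00\x00*%\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Test" 400 166 "-" "-"
198.27.126.93 - - [10/Apr/2018:16:02:55 +0200] HEAD /manager/html HTTP/1.0 "302" 0 "-" "-" "-"
62.212.73.238 - - [11/Apr/2018:11:19:54 +0200] GET /recordings//theme/main.css HTTP/1.1 "302" 154 "-" "curl/7.29.0" "-"
203.0.113.7 - - [11/Apr/2018:12:00:00 +0200] "GET /login/ HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
EOF

scan_log "$SAMPLE_LOG"
echo "flagged: $(count_flagged "$SAMPLE_LOG") of $(wc -l < "$SAMPLE_LOG") lines"
rm -f "$SAMPLE_LOG"
```

Run `scan_log` over the real nginx access log for port 8083 and feed the `<tag> <ip>` pairs to your firewall's block list or a ticket; what it will not do is find the request that actually compromised the panel, because that request looks like a normal panel request rather than a scanner signature.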

deanhills
Posts: 48
Joined: Tue Aug 09, 2016 7:13 am

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by deanhills » Wed Apr 11, 2018 10:36 pm

vishne0 wrote: ↑
Wed Apr 11, 2018 8:36 am
Hello All,
I have been watching the thread since Saturday and also had 1 server infected out of 15. After working hard since Sunday, I am now ready to explain a few things to everyone here and share my experience, which might help people facing issues. For the people who are not technical enough, are running a server which is infected and need someone to help: please let me know and I will help. There will be no charges for fixing the server.

Every piece of software out there has some vulnerabilities (Microsoft, Facebook, cPanel, Plesk, all of them), so there is no need to blame VestaCP.

I have now been running a new server with the latest VestaCP for the last 24 hours, with no infection yet, nor any alarm for the same.
Here are the steps to make sure you are secure:
1) If the server is infected, move to a new server; you just can't trust the old one.
2) Once the new server is installed and up and running, change the VestaCP port to anything you want in the file /usr/local/vesta/nginx/conf/nginx.conf: search for 8083 and change it. Make sure you open the new port in your firewall.
3) Run SSH on a different port and, if possible, use keys. Disable root logins as well.
5) Download Linux Environment Security https://www.rfxn.com/projects/linux-env ... -security/ and run it.
6) Download Linux Malware Detect http://www.rfxn.com/downloads/maldetect-current.tar.gz and, once installed, run maldet -a / and see the report. After that, run it in monitor mode: maldet --monitor / (make sure you make changes in /usr/local/maldet.conf and enter your email ID to see the reports in your email).
7) This is the most important thing: install ConfigServer Firewall from https://configserver.com/cp/csf.html. This is the most important script for securing the server. On one of my servers CSF was installed and it didn't get infected, because CSF marked it as a suspicious file, disabled all the binaries and sent an alert to me. Read the conf file carefully and enable the rules as needed; most importantly, enable DIR watch and FILE watch. If you need help, please do let me know and I will provide my CSF conf file.
8) Block CN (China) in the firewall if you do not have customers from that country.
9) To track outgoing traffic, install ntopng, the best traffic monitoring app.
Because of the above I didn't see any infection; however, I am seeing lots of blocked IPs :)

Hope this will help you all!!

Thank you for thinking of those who aren't experienced systems admins. I'm particularly grateful for your tips about CSF. We've got this installed on WHM and it is definitely worth installing.

This thread is worth its weight in gold for all of the security recommendations; one could write a huge tutorial with it. I'm still worried, though, as I'm not confident that the source of the security breach has been clearly identified yet. So I'm going to wait a while before I install anything, then refer back to this thread.
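Items 2 and 3 of the quoted checklist can be verified rather than only done by hand. The following is an added example (mine, not code from the thread or from VestaCP): it lists the ports the panel's nginx.conf listens on, rewrites 8083 on a copy of the file, and reads sshd_config the way sshd does (keywords case-insensitive, first occurrence wins) for PermitRootLogin, PasswordAuthentication and Port, then counts findings. File paths are parameters so the functions can be pointed at copies; both sample files are constructed, and the "listen 8083;" form is an assumption about the real /usr/local/vesta/nginx/conf/nginx.conf layout.

```sh
#!/bin/sh
# Added example, not from the thread or from VestaCP: checks for checklist
# items 2 (panel port) and 3 (sshd hardening). Sample configs are constructed.

# Print the port numbers that a nginx.conf listens on, one per line.
# Accepts "listen 8083;", "listen 0.0.0.0:8083;" and "listen [::]:8083;".
listen_ports() {
    sed -n 's/^[[:space:]]*listen[[:space:]]*\([^;]*:\)\{0,1\}\([0-9][0-9]*\).*/\2/p' "$1"
}

# Exit 0 if the panel still listens on the default port 8083 anywhere in $1.
panel_on_default_port() {
    listen_ports "$1" | grep -qx 8083
}

# Print $1 with every "listen ...8083;" rewritten to port $2. Output goes to
# stdout so the caller can diff it before installing it over the real file,
# restarting the vesta service and opening the new port in the firewall.
set_panel_port() {
    sed "s/^\([[:space:]]*listen[[:space:]][^;]*\)8083;/\1$2;/" "$1"
}

# Print the effective value of sshd_config keyword $2 in file $1: keywords
# are case-insensitive and sshd uses the first occurrence; commented lines
# ("#Port 22") are ignored; prints nothing when the keyword is unset.
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Print one finding per line for the sshd items in the checklist.
sshd_findings() {
    f="$1"
    v=$(sshd_value "$f" PermitRootLogin)
    [ "$v" = "no" ] || echo "PermitRootLogin is '${v:-unset (daemon default)}', expected no"
    v=$(sshd_value "$f" PasswordAuthentication)
    [ "$v" = "no" ] || echo "PasswordAuthentication is '${v:-unset (daemon default)}', expected no"
    v=$(sshd_value "$f" Port)
    [ -n "$v" ] && [ "$v" != "22" ] || echo "sshd still listens on port ${v:-22}"
}

# Total findings across nginx.conf $1 and sshd_config $2; 0 means both
# checklist items pass.
audit_count() {
    n=0
    panel_on_default_port "$1" && n=$((n + 1))
    n=$((n + $(sshd_findings "$2" | awk 'END { print NR }')))
    echo "$n"
}

NGINX_SAMPLE=$(mktemp); SSHD_SAMPLE=$(mktemp)
cat > "$NGINX_SAMPLE" <<'EOF'
# constructed stand-in for /usr/local/vesta/nginx/conf/nginx.conf
server {
    listen      8083;
    server_name _;
}
EOF
cat > "$SSHD_SAMPLE" <<'EOF'
# constructed stand-in for /etc/ssh/sshd_config
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF

echo "findings before: $(audit_count "$NGINX_SAMPLE" "$SSHD_SAMPLE")"
sshd_findings "$SSHD_SAMPLE"
set_panel_port "$NGINX_SAMPLE" 8443 > "$NGINX_SAMPLE.new"
printf 'Port 2222\nPermitRootLogin no\nPasswordAuthentication no\n' > "$SSHD_SAMPLE.new"
echo "findings after:  $(audit_count "$NGINX_SAMPLE.new" "$SSHD_SAMPLE.new")"
rm -f "$NGINX_SAMPLE" "$NGINX_SAMPLE.new" "$SSHD_SAMPLE" "$SSHD_SAMPLE.new"
```

Moving the panel port only removes it from the default-port scans; it is not a substitute for running a patched release, which is why the audit is worth combining with the version check earlier in the thread.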

kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Got 10 VestaCP servers exploited

Post by kobo1d » Thu Apr 12, 2018 7:25 am

deanhills wrote: ↑
Wed Apr 11, 2018 10:36 pm
Thank you for thinking of those who aren't experienced systems admins. I'm particularly grateful for your tips about CSF. We've got this installed on WHM and it is definitely worth installing.

This thread is worth its weight in gold for all of the security recommendations; one could write a huge tutorial with it. I'm still worried, though, as I'm not confident that the source of the security breach has been clearly identified yet. So I'm going to wait a while before I install anything, then refer back to this thread.

I wrote down the most important things from this thread about all the different security topics,
including stuff I had installed and configured which was not mentioned here yet.
I can try to turn it into a readable compilation if anyone's interested.
Right now it's only some words and links :)


All times are UTC