Vesta Control Panel - Forum
Got 10 VestaCP servers exploited

General questions about VestaCP
dpeca
VestaCP Team
Posts: 473
Joined: Wed Nov 25, 2015 7:30 pm

Re: Got 10 VestaCP servers exploited

Post by dpeca » Sat Apr 14, 2018 12:25 am

nextgi wrote:
Fri Apr 13, 2018 8:44 pm
Well,

I'm glad we are making full circle on our original working theory lol.

We have documented proof that the correlation between the URL http://<your ip>/webmail was the vector entry point on the systems we have been examining. It may not be Roundcube specific; we have yet to determine this. It may be a combined vector attack in which it leverages Vesta and Roundcube. However, in some situations Roundcube and access to the webmail path were removed/disabled. So, this would lean towards possibly Apache? nginx? We are still investigating ourselves. For those who had access to port 8083 changed, and in some cases completely blocked, this has led us to believe it was not, at least solely, reliant on VestaCP's API.
What about the percentages of distributions used on the infected servers?

RevengeFNF
Posts: 92
Joined: Sat Aug 02, 2014 6:50 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by RevengeFNF » Sat Apr 14, 2018 12:47 am

Sent off 6 security vulnerabilities to [email protected] with 3 of those leading to an easy root compromise. The other 3 are still very serious flaws, password / hash disclosures, etc.

I'll send off more once they fix those.
This is Patrick from Rack911 Labs, a Software Security Auditing company.

remontti
Posts: 1
Joined: Sat Apr 14, 2018 2:55 am

Os: Debian 8x
Web: apache + nginx
Procedure to remove exploited

Post by remontti » Sat Apr 14, 2018 3:13 am

Locate the file / process

   # Find the process holding a connection to a remote SMTP port; the
   # random ten-letter name (ersjbxirbj here) is the malware binary
   lsof -i | grep smtp
   ersjbxirbj 5461 root 3u IPv4 107136 0t0 TCP host.dom.br:35112->192.126.118.127:smtp

Scan with

   # Recursive scan of /usr (-r), listing only infected files (-i)
   clamscan -r -i /usr
   /usr/bin/ersjbxirbj: Unix.Trojan.DDoS_XOR-1 FOUND

Change the FILE variable to the file/process name. Copy and paste, running it all at once:

   # Name of the malware binary/process found with lsof and clamscan above
   FILE=ersjbxirbj

   # Strip all permissions from the library the malware keeps in /lib and
   # blank it before touching the binary
   chmod 0 /lib/libudev.so
   echo '0' > /lib/libudev.so
   # Kill every process whose name is ten lowercase letters; the malware
   # restarts under a new random name, so this is repeated after each step
   pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
   # Hourly cron job the malware installs
   rm /etc/cron.hourly/gcc.sh
   pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
   # SysV init script and its run-level symlinks
   rm /etc/init.d/$FILE
   pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
   rm /etc/rc1.d/S90$FILE
   rm /etc/rc2.d/S90$FILE
   rm /etc/rc3.d/S90$FILE
   rm /etc/rc4.d/S90$FILE
   rm /etc/rc5.d/S90$FILE
   pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
   # systemd units generated from that init script
   rm /run/systemd/generator.late/graphical.target.wants/$FILE.service
   pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
   rm /run/systemd/generator.late/multi-user.target.wants/$FILE.service
   pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
   rm /run/systemd/generator.late/rescue.target.wants/$FILE.service
   pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
   rm /run/systemd/generator.late/$FILE.service
   # Sane shell and PATH for the remaining commands
   SHELL=/bin/sh
   PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
   pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
   # Overwrite the binary before deleting it, remove the library, then reboot
   echo '0' > /usr/bin/$FILE
   rm /usr/bin/$FILE
   rm /lib/libudev.so
   reboot
Hope this helps!
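A read-only triage counterpart to the cleanup script above, added here as an example (it is not part of remontti's post): it reports which of the listed persistence artifacts exist for a given process name and pulls candidate PIDs out of pstree output, without deleting or killing anything. The optional second argument (an alternate root directory, so the check can run against a mounted disk image) is an assumption of this example.

```shell
#!/bin/sh
# Added example, not from the forum post. Dry-run counterpart of the cleanup
# script: reports the artifacts it would delete instead of deleting them.

# Usage: xorddos_artifacts NAME [ROOT]
#   NAME  ten-letter process name seen in lsof/clamscan (e.g. ersjbxirbj)
#   ROOT  assumed optional alternate root, e.g. a mounted image (default: /)
# Prints the existing paths space-separated; returns 2 on a malformed NAME.
xorddos_artifacts() {
    name="$1"
    root="${2:-}"
    # The malware names itself with exactly ten lowercase letters;
    # refuse anything else so a typo cannot produce a bogus path list.
    case "$name" in
        ??????????) ;;
        *) echo "xorddos_artifacts: '$name' is not ten characters" >&2; return 2 ;;
    esac
    case "$name" in
        *[!a-z]*) echo "xorddos_artifacts: '$name' is not all lowercase a-z" >&2; return 2 ;;
    esac
    found=""
    gen=/run/systemd/generator.late
    for p in /lib/libudev.so /etc/cron.hourly/gcc.sh "/usr/bin/$name" \
             "/etc/init.d/$name" \
             "/etc/rc1.d/S90$name" "/etc/rc2.d/S90$name" "/etc/rc3.d/S90$name" \
             "/etc/rc4.d/S90$name" "/etc/rc5.d/S90$name" \
             "$gen/graphical.target.wants/$name.service" \
             "$gen/multi-user.target.wants/$name.service" \
             "$gen/rescue.target.wants/$name.service" "$gen/$name.service"; do
        if [ -e "$root$p" ]; then
            found="$found $p"
        fi
    done
    echo "${found# }"
}

# Usage: pstree -ap | xorddos_pids
# Same match as the cleanup script's grep ('-' connector, ten letters, ','),
# but keeps only the PID so trailing arguments never reach kill.
xorddos_pids() {
    grep -oE -- '-[a-z]{10},[0-9]+' | cut -d, -f2
}
```

Run the artifact check first, compare its output with the lsof and clamscan results, and only then run the deletion script.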

kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Got 10 VestaCP servers exploited

Post by kobo1d » Sat Apr 14, 2018 9:01 am

RevengeFNF wrote:
Sat Apr 14, 2018 12:47 am
Sent off 6 security vulnerabilities to [email protected] with 3 of those leading to an easy root compromise. The other 3 are still very serious flaws, password / hash disclosures, etc.

I'll send off more once they fix those.
This is Patrick from Rack911 Labs, a Software Security Auditing company.
Good work! Is he doing that for free?
Must be some nice guy :)

nextgi
Posts: 21
Joined: Sun Apr 08, 2018 6:04 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by nextgi » Sun Apr 15, 2018 4:15 pm

kobo1d wrote:
Sat Apr 14, 2018 9:01 am
RevengeFNF wrote:
Sat Apr 14, 2018 12:47 am
Sent off 6 security vulnerabilities to [email protected] with 3 of those leading to an easy root compromise. The other 3 are still very serious flaws, password / hash disclosures, etc.

I'll send off more once they fix those.
This is Patrick from Rack911 Labs, a Software Security Auditing company.
Good work! Is he doing that for free?
Must be some nice guy :)
This is pretty cool. Now, I do have one question. Are these exploits focused on the control panel? I would imagine so. Which would mean we still need to dig and find the root cause. Nonetheless, still pretty awesome we have an additional set of eyes submitting vulnerabilities.

As for the survey... We are reviewing the responses and will provide feedback to the group soon. Thank you for your submissions.

dpeca
VestaCP Team
Posts: 473
Joined: Wed Nov 25, 2015 7:30 pm

Re: Got 10 VestaCP servers exploited

Post by dpeca » Tue Apr 17, 2018 6:37 pm

I, personally, have one question for all administrators whose server got hacked.

Did you disable dangerous PHP functions (like shell_exec(), system() and exec()) with "disable_functions" in php.ini?

mehargags
Support team
Posts: 1096
Joined: Sat Sep 06, 2014 9:58 pm

Os: Debian 8x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by mehargags » Tue Apr 17, 2018 8:47 pm

dpeca wrote:
Tue Apr 17, 2018 6:37 pm
I, personally, have one question for all administrators whose server got hacked.

Did you disable dangerous PHP functions (like shell() and exec()) with "disable_functions" in php.ini?
Well, I did not disable them... BUT I also have a counter question: Vesta's internal PHP is different from the system-wide PHP... right? So if someone got an entry point in VestaCP, what difference will it make if we have the exec() or shell() functions disabled in the web/CLI PHP?

dpeca
VestaCP Team
Posts: 473
Joined: Wed Nov 25, 2015 7:30 pm

Re: Got 10 VestaCP servers exploited

Post by dpeca » Tue Apr 17, 2018 8:59 pm

There is no difference, and Vesta's PHP cannot even disable those functions, because the VestaCP web interface would not work then.

My starting point is that maybe the hacker first compromised some site hosted on that server.
With the exec() and shell_exec() PHP functions enabled, maybe it's possible to get a higher user level (admin or root) and then compromise the whole server...

I will suggest to Serghey that we disable dangerous functions in php.ini by default (during Vesta installation).

Having PHP functions like exec() and shell_exec() enabled is the same as giving SSH access to PHP scripts.
And the PHP level is easy to hack if you host outdated WordPress, Joomla and their plugins.

Yes, it will run the script at user level, but, as I said, maybe it's possible somehow to get a higher user level.
I never liked the idea of PHP being allowed to execute shell commands...

RevengeFNF
Posts: 92
Joined: Sat Aug 02, 2014 6:50 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by RevengeFNF » Tue Apr 17, 2018 10:45 pm

I always disable exec, system, popen, proc_open and shell_exec.

dpeca
VestaCP Team
Posts: 473
Joined: Wed Nov 25, 2015 7:30 pm

Re: Got 10 VestaCP servers exploited

Post by dpeca » Tue Apr 17, 2018 10:52 pm

Here is my list of disabled functions in php.ini:

disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen
My server never got rooted from PHP level with this.
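An added example (not from dpeca's post and not VestaCP code) that checks a php.ini against the list above and prints every function from it that is still callable, so the setting can be verified on each PHP installation a server runs instead of assumed. The path to the php.ini to audit is passed as the argument; the list of functions is the posted one verbatim.

```shell
#!/bin/sh
# Added example, not from the forum post: compare a php.ini's disable_functions
# against the list posted above and print what is still enabled.

# The posted list, verbatim, space-separated for the loop below
REQUIRED="pcntl_alarm pcntl_fork pcntl_waitpid pcntl_wait pcntl_wifexited \
pcntl_wifstopped pcntl_wifsignaled pcntl_wifcontinued pcntl_wexitstatus \
pcntl_wtermsig pcntl_wstopsig pcntl_signal pcntl_signal_dispatch \
pcntl_get_last_error pcntl_strerror pcntl_sigprocmask pcntl_sigwaitinfo \
pcntl_sigtimedwait pcntl_exec pcntl_getpriority pcntl_setpriority \
exec system passthru shell_exec proc_open popen"

# Usage: php_ini_missing_disables /path/to/php.ini
# Prints the REQUIRED functions absent from the effective disable_functions
# value (empty output means the ini covers the whole list).
php_ini_missing_disables() {
    ini="$1"
    # Only uncommented lines count (';' starts a comment); if the directive
    # appears more than once the last one wins, as in PHP's own ini parser.
    # Strip a trailing comment and quotes, then turn commas into spaces.
    current=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" \
        | tail -n 1 | sed 's/;.*$//' | tr -d '"' | tr ',' ' ')
    missing=""
    for fn in $REQUIRED; do
        # Whole-word match via padding spaces, so "exec" never matches "shell_exec"
        case " $current " in
            *" $fn "*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    echo "${missing# }"
}
```

Run it against every php.ini in use (CLI, Apache module and php-fpm each load their own), since a hardened web php.ini says nothing about the others.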
