Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
What about the percentages of distributions that are used on the infected servers?

nextgi wrote: Fri Apr 13, 2018 8:44 pm
Well, I'm glad we are coming full circle on our original working theory lol.
We have documented proof that the correlation between the URL http://<your ip>/webmail and the vector entry point holds on the systems we have been examining. It may not be Roundcube specific; we have yet to determine this. It may be a combined vector attack in which it leverages Vesta and Roundcube. However, in some situations Roundcube and access to the webmail path were removed/disabled. So, this would lean towards possibly Apache? nginx? We are still investigating ourselves. For those who had access to port 8083 changed, and completely blocked in some cases, this has led us to believe it was not, at least solely, reliant on VestaCP's API.
Re: Got 10 VestaCP servers exploited
This is Patrick from Rack911 Labs, a Software Security Auditing company. Sent off 6 security vulnerabilities to [email protected], with 3 of those leading to an easy root compromise. The other 3 are still very serious flaws: password / hash disclosures, etc.
I'll send off more once they fix those.
Procedure to remove the exploit
Locate the file / process:
Code:
lsof -i | grep smtp
ersjbxirbj 5461 root 3u IPv4 107136 0t0 TCP host.dom.br:35112->192.126.118.127:smtp
Scan with:
Code:
clamscan -r -i /usr
/usr/bin/ersjbxirbj: Unix.Trojan.DDoS_XOR-1 FOUND
Change the FILE variable to the file/process name. Copy and paste, running it all at one time.
Code:
FILE=ersjbxirbj
# Neutralise the dropped library first so it cannot be reloaded
chmod 0 /lib/libudev.so
echo '0' > /lib/libudev.so
# Kill every process whose name is ten lowercase letters (pstree -ap prints "-name,pid");
# repeated before each removal because the process respawns and restores its files
pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
rm /etc/cron.hourly/gcc.sh
pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
# SysV init persistence: the init script and its S90 runlevel links
rm /etc/init.d/$FILE
pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
rm /etc/rc1.d/S90$FILE
rm /etc/rc2.d/S90$FILE
rm /etc/rc3.d/S90$FILE
rm /etc/rc4.d/S90$FILE
rm /etc/rc5.d/S90$FILE
pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
# systemd units that the generator created from that init script
rm /run/systemd/generator.late/graphical.target.wants/$FILE.service
pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
rm /run/systemd/generator.late/multi-user.target.wants/$FILE.service
pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
rm /run/systemd/generator.late/rescue.target.wants/$FILE.service
pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
rm /run/systemd/generator.late/$FILE.service
# Pin the shell and PATH for the remaining commands
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
pstree -ap | grep -E -- '-[a-z]{10},' | cut -d, -f2 | xargs kill -9 2>/dev/null
# Finally overwrite and remove the binary and the library, then reboot
echo '0' > /usr/bin/$FILE
rm /usr/bin/$FILE
rm /lib/libudev.so
reboot
Hope this helps!
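An added, read-only check (my own example, not code from the thread) that audits a filesystem for the persistence artifacts the cleanup script above removes: the fixed-name files /lib/libudev.so and /etc/cron.hourly/gcc.sh, and any /etc/init.d script whose name is ten lowercase letters that also has an S90 rc link, together with its /usr/bin binary and generator.late unit. The optional first argument is an assumed root prefix for running against a mounted image or a staged directory; with no argument it checks the live system. It only looks for the artifacts listed in the post, so a clean result is not a full malware scan.

```shell
#!/bin/sh
# Added example, not from the thread: look for the persistence artifacts the
# cleanup script above removes, without deleting anything. $1 is an optional
# root prefix (e.g. a mounted disk image); empty means the live system.
xorddos_persistence_check() {
    root="${1:-}"
    hits=0
    # 1. Fixed-name files dropped alongside the binary.
    for f in "$root/lib/libudev.so" "$root/etc/cron.hourly/gcc.sh"; do
        if [ -e "$f" ]; then
            echo "INDICATOR dropped file: $f"
            hits=$((hits + 1))
        fi
    done
    # 2. An init script named with exactly ten lowercase letters (the pattern
    #    the post's pstree|grep keys on) that also has an S90 rc link. Requiring
    #    both keeps legitimate ten-letter services such as "networking" out.
    for script in "$root"/etc/init.d/*; do
        [ -e "$script" ] || continue
        name="${script##*/}"
        case "$name" in
            [a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z][a-z]) ;;
            *) continue ;;
        esac
        for link in "$root"/etc/rc[1-5].d/S90"$name"; do
            [ -e "$link" ] || continue
            echo "INDICATOR init script with S90 link: $script ($link)"
            hits=$((hits + 1))
            # Companion artifacts the cleanup script also removes.
            for extra in "$root/usr/bin/$name" \
                         "$root/run/systemd/generator.late/$name.service"; do
                [ -e "$extra" ] && echo "INDICATOR companion: $extra"
            done
            break
        done
    done
    echo "total indicators: $hits"
    [ "$hits" -eq 0 ]
}

# Stand-alone use: xorddos_persistence_check [ROOT]; exit status is 1 when anything was found.
```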
Re: Got 10 VestaCP servers exploited
good work! he is doing that for free?

RevengeFNF wrote: Sat Apr 14, 2018 12:47 am
This is Patrick from Rack911 Labs, a Software Security Auditing company. Sent off 6 security vulnerabilities to [email protected], with 3 of those leading to an easy root compromise. The other 3 are still very serious flaws: password / hash disclosures, etc.
I'll send off more once they fix those.

must be some nice guy :)
Re: Got 10 VestaCP servers exploited
This is pretty cool. Now, I do have one question. Are these exploits focused on the control panel? I would imagine so. Which would mean we still need to dig and find the root cause. Nonetheless, it is still pretty awesome that we have an additional set of eyes submitting vulnerabilities.

kobo1d wrote: Sat Apr 14, 2018 9:01 am
good work! he is doing that for free?

RevengeFNF wrote: Sat Apr 14, 2018 12:47 am
This is Patrick from Rack911 Labs, a Software Security Auditing company. Sent off 6 security vulnerabilities to [email protected], with 3 of those leading to an easy root compromise. The other 3 are still very serious flaws: password / hash disclosures, etc.
I'll send off more once they fix those.
must be some nice guy :)
As for the survey... We are reviewing the responses and will provide feedback to the group soon. Thank you for your submissions.
Re: Got 10 VestaCP servers exploited
I, personally, have one question for all administrators whose server got hacked.
Did you disable dangerous PHP functions (like shell_exec(), system() and exec()) with "disable_functions" in php.ini?
Re: Got 10 VestaCP servers exploited
Well, I did not disable them... BUT I also have a counter question: Vesta's internal PHP is different from the system-wide PHP, right? So if someone got an entry point in VestaCP, what difference will it make if we have the exec() or shell() functions disabled on the web/CLI PHP?
Re: Got 10 VestaCP servers exploited
There is no difference, and Vesta's PHP cannot even disable those functions, because the web interface of VestaCP would not work then.
My starting point is that maybe the hacker first compromised a site that is hosted on that server.
With the exec() and shell_exec() PHP functions enabled, maybe it's possible to get a higher user level (admin or root) and then compromise the whole server...
I will suggest to Serghey that we disable dangerous functions in php.ini by default (during Vesta installation).
Having PHP functions like exec() and shell_exec() enabled is the same as giving SSH to PHP scripts.
And the PHP level is easy to hack if you host outdated WordPress, Joomla and their plugins.
Yes, it will run the script under the user level, but, as I said, maybe it's possible somehow to get a higher user level.
I never liked the idea that PHP is enabled to execute shell...
Re: Got 10 VestaCP servers exploited
I always disable exec, system, popen, proc_open and shell_exec.
Re: Got 10 VestaCP servers exploited
Here is my list of disabled functions in php.ini:
My server never got rooted from the PHP level with this.
Code:
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,system,passthru,shell_exec,proc_open,popen
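An added audit script (my own example, not from the thread) for the disable_functions advice in the last few posts: it parses a php.ini the way PHP reads it (comment lines skipped, last assignment wins) and reports which of the shell-spawning functions named above (exec, system, passthru, shell_exec, proc_open, popen, plus pcntl_exec from the longer list) are still enabled. As the thread notes, this only covers the system/web PHP; Vesta's own PHP cannot have them disabled. The function names and file layout are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: audit a php.ini for the shell-spawning
# functions the posts above want in disable_functions. This only covers the
# system/web PHP; as noted in the thread, Vesta's own PHP cannot disable them.
REQUIRED_DISABLED="exec system passthru shell_exec proc_open popen pcntl_exec"

# Print the effective disable_functions entries, one per line. Commented
# (';') lines are skipped and, as in PHP, the last assignment wins.
php_ini_disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
      | tail -n 1 | tr -d "\"'" | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Print the required functions that are NOT disabled, space separated.
# Returns 0 when the list is fully covered, 1 otherwise.
php_ini_missing_disabled() {
    have=$(php_ini_disabled_functions "$1")
    missing=""
    for fn in $REQUIRED_DISABLED; do
        # grep -x matches whole lines, so "exec" does not satisfy "shell_exec"
        printf '%s\n' "$have" | grep -qx "$fn" || missing="$missing $fn"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Stand-alone use: sh this_script.sh /etc/php.ini
if [ $# -gt 0 ]; then
    php_ini_missing_disabled "$1"
fi
```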