We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
All VestaCP installations being attacked [Topic is solved]
Re: All VestaCP installations being attacked
My dev server got compromised, as the password for the admin user got changed. Luckily I had the shell for the admin user set to rssh, so the attempt to run the payload in /var/tmp got blocked.
Here's the attempted command, run via ssh from ip 45.76.146.8:
Code:
echo "9WlgVjGkot" | sudo -S -p "" chmod 0777 /var/tmp/creator-x86_64-1 && \
echo "9WlgVjGkot" | sudo -S -p "" /var/tmp/creator-x86_64-1 &>/dev/null && \
echo "9WlgVjGkot" | sudo -S -p "" rm -f /var/log/auth.log /var/log/secure
Here is the VirusTotal report for the payload: https://www.virustotal.com/#/file/b2c55 ... /detection. I will provide the creator-x86_64-1 file to the admin on request.
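Added example (not part of the post above and not Vesta code): a detector for the three steps of that command chain as they show up in sudo's own syslog records. sudo writes a syslog line for every invocation, refused ones included, before the command runs, so the closing `rm -f /var/log/auth.log /var/log/secure` only helps the attacker when no remote syslog or journald copy exists. The `TTY=unknown` field is also worth keying on: it means the call had no pty, which is what a non-interactive `ssh host 'cmd'` looks like. The log lines, the host name `dev` and the `ops` user below are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Directories attackers commonly stage droppers in (world-writable, rarely monitored).
STAGING_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")
# Logs whose removal is meant to hide the intrusion.
AUTH_LOGS = {"/var/log/auth.log", "/var/log/secure", "/var/log/wtmp",
             "/var/log/btmp", "/var/log/lastlog"}

# sudo's standard syslog line. When sudo refuses the call, a free-text reason
# such as "3 incorrect password attempts" precedes the TTY field.
SUDO_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]*) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    tty: str                # "unknown" = no pty, i.e. a non-interactive ssh command
    denied: Optional[str]   # sudo's reason for refusing; None if the command actually ran
    indicator: str
    cmd: str


def classify(cmd: str) -> Optional[str]:
    """Map a sudo COMMAND to one of the chain's steps, or None if it looks benign."""
    argv = cmd.split()
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    paths = [a for a in argv[1:] if a.startswith("/")]
    if prog == "chmod" and any(p.startswith(STAGING_DIRS) for p in paths):
        return "tmp_chmod"          # making a dropped file executable
    if argv[0].startswith(STAGING_DIRS):
        return "tmp_exec"           # running a binary straight out of a staging dir
    if prog == "rm" and any(p in AUTH_LOGS for p in paths):
        return "log_wipe"           # removing the authentication logs
    return None


def scan(lines) -> List[Finding]:
    """Return a Finding for every sudo record whose COMMAND matches an indicator."""
    findings = []
    for line in lines:
        m = SUDO_LINE.match(line)
        if not m:
            continue
        indicator = classify(m["cmd"])
        if indicator is None:
            continue
        findings.append(Finding(m["ts"], m["host"], m["user"], m["tty"],
                                m["reason"], indicator, m["cmd"]))
    return findings


# Constructed sample: the chain succeeding once, a benign admin action, and a
# retry of the first step that sudo rejected because the password was wrong.
SAMPLE_LINES = [
    "Sep 25 16:55:01 dev sudo:    admin : TTY=unknown ; PWD=/home/admin ; USER=root ; "
    "COMMAND=/bin/chmod 0777 /var/tmp/creator-x86_64-1",
    "Sep 25 16:55:01 dev sudo:    admin : TTY=unknown ; PWD=/home/admin ; USER=root ; "
    "COMMAND=/var/tmp/creator-x86_64-1",
    "Sep 25 16:55:02 dev sudo:    admin : TTY=unknown ; PWD=/home/admin ; USER=root ; "
    "COMMAND=/bin/rm -f /var/log/auth.log /var/log/secure",
    "Sep 25 17:02:11 dev sudo:      ops : TTY=pts/0 ; PWD=/root ; USER=root ; "
    "COMMAND=/usr/bin/apt-get update",
    "Sep 25 17:05:40 dev sudo:    admin : 3 incorrect password attempts ; TTY=unknown ; "
    "PWD=/home/admin ; USER=root ; COMMAND=/bin/chmod 0777 /tmp/x",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        state = "DENIED" if f.denied else "RAN"
        print(f"{f.ts} {f.host} {f.user} tty={f.tty} {state:6} {f.indicator:9} {f.cmd}")
```

Run it over `/var/log/auth.log` (or `journalctl -t sudo`) on the surviving copy of the logs; a `tmp_chmod` followed within seconds by `tmp_exec` from the same user with `tty=unknown` is the sequence to alert on even when the `log_wipe` step never shows up.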
Re: All VestaCP installations being attacked
You mean that the "change password" feature of VestaCP is infected? Or you used passwd from the shell?

Razza wrote: (Tue Sep 25, 2018 4:55 pm)
> My dev server got compromised, as the password for the admin user got changed. Luckily I had the shell for the admin user set to rssh, so the attempt to run the payload in /var/tmp got blocked.
> Here's the attempted command, run via ssh from ip 45.76.146.8:
> echo "9WlgVjGkot" | sudo -S -p "" chmod 0777 /var/tmp/creator-x86_64-1 && echo "9WlgVjGkot" | sudo -S -p "" /var/tmp/creator-x86_64-1 &>/dev/null && echo "9WlgVjGkot" | sudo -S -p "" rm -f /var/log/auth.log /var/log/secure
> Here is the VirusTotal report for the payload: https://www.virustotal.com/#/file/b2c55 ... /detection. I will provide the creator-x86_64-1 file to the admin on request.

That is very valuable information! Can someone else confirm?
Thank you!
Re: All VestaCP installations being attacked
The password for the vesta admin user was a strong password, over 20 characters. All I can tell, based on "chage -l admin", is that the password for the admin user was changed sometime today. I'm not sure how it was changed, as I can't find anything in the logs for it, so I don't know where the vulnerability is.

albertus wrote: (Tue Sep 25, 2018 6:06 pm)
> You mean that the "change password" feature of VestaCP is infected? Or you used passwd from the shell?
>
> Razza wrote: (Tue Sep 25, 2018 4:55 pm)
> > My dev server got compromised, as the password for the admin user got changed. Luckily I had the shell for the admin user set to rssh, so the attempt to run the payload in /var/tmp got blocked.
> > Here's the attempted command, run via ssh from ip 45.76.146.8:
> > echo "9WlgVjGkot" | sudo -S -p "" chmod 0777 /var/tmp/creator-x86_64-1 && echo "9WlgVjGkot" | sudo -S -p "" /var/tmp/creator-x86_64-1 &>/dev/null && echo "9WlgVjGkot" | sudo -S -p "" rm -f /var/log/auth.log /var/log/secure
> > Here is the VirusTotal report for the payload: https://www.virustotal.com/#/file/b2c55 ... /detection. I will provide the creator-x86_64-1 file to the admin on request.
>
> That is very valuable information! Can someone else confirm?
> Thank you!
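Added example, not part of the thread: what `chage -l admin` reports is the third field of /etc/shadow, the day of the last password change counted from 1970-01-01. Reading that field for every account at once turns the single check above into a triage step: which passwords on this host changed on the incident day. The shadow excerpt below is constructed; the hashes are placeholders and the account names are made up.

```python
import datetime as dt
from typing import Dict, List, Optional, Tuple

# /etc/shadow layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg = days since 1970-01-01 of the last password change; "chage -l" prints it as a date.
EPOCH = dt.date(1970, 1, 1)


def parse_shadow(text: str) -> Dict[str, Tuple[bool, Optional[dt.date]]]:
    """name -> (password usable for login?, date of last password change)."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue
        name, pw_hash, lastchg = fields[0], fields[1], fields[2]
        # "!" or "*" prefix: locked / no password login; empty hash: no password at all.
        usable = bool(pw_hash) and pw_hash[0] not in "!*"
        changed = EPOCH + dt.timedelta(days=int(lastchg)) if lastchg.isdigit() else None
        rows[name] = (usable, changed)
    return rows


def recently_changed(text: str, since_iso: str) -> List[str]:
    """Accounts whose password is usable and whose last change is on/after since_iso (YYYY-MM-DD)."""
    since = dt.date.fromisoformat(since_iso)
    return sorted(name for name, (usable, changed) in parse_shadow(text).items()
                  if usable and changed is not None and changed >= since)


# Constructed sample. 17799 is 2018-09-25, the day of the reports in this thread;
# 17790 is 2018-09-16, 17700 is 2018-06-18, 17532 is 2018-01-01.
SAMPLE_SHADOW = """\
root:$6$rootsalt$placeholderhash:17700:0:99999:7:::
admin:$6$adminsalt$placeholderhash:17799:0:99999:7:::
www-data:*:17532:0:99999:7:::
deploy:!$6$lockedsalt$placeholderhash:17799:0:99999:7:::
backup:$6$backupsalt$placeholderhash:17790:0:99999:7:::
"""

if __name__ == "__main__":
    print("changed on the incident day:", recently_changed(SAMPLE_SHADOW, "2018-09-25"))
```

On a live host read /etc/shadow as root (`recently_changed(open("/etc/shadow").read(), "2018-09-25")`). Keep in mind that anyone with root can rewrite the field (`chage -d`), so on a box that has already been rooted the date is a lead to corroborate against off-host logs, not proof of when the change happened.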
Re: All VestaCP installations being attacked
Can you remember WHEN those hacked servers were installed?
And what distribution do you use?
We must first find some attack vector...
Re: All VestaCP installations being attacked
My development server (Debian 9) was installed on the 23rd.
All my other servers are fine; they were installed over a year ago, and the web UI is locked down to just my IP.
Re: All VestaCP installations being attacked
Also my server today is gone! It was shut down by my provider for being a source of attack as well!
Vesta is a really powerful tool, but what happened today is a really big issue. I don't know if I'll reinstall Vesta. I'll look at how to create some renewal script and stop.
My server was a Debian 9, created on June 2, 2018. Now it's a couple of corrupted files :D
Re: All VestaCP installations being attacked
Watching the thread closely to see if/how we can help. Not a lot to go on here right now, and nothing to report from this side of the fence. If this is an active and widespread vulnerability of the software, I suspect that attacks against it are nowhere near the scale of the previous one. For now, at least. Last time reports were coming in a mile a minute on the forum here.

lukapaunovic wrote: (Tue Sep 25, 2018 3:07 pm)
> OVH....
> They are always being targeted, along with Digital Ocean.
> Some people who use Hetzner aren't having issues because bots aren't scanning those IP ranges.
> They are just 'lucky'. That doesn't mean the issue/vulnerability is not present.

Jarland
Re: All VestaCP installations being attacked
Just to save time for others.
I downloaded everything from http://c.vestacp.com/debian/9/
Then I cloned the official git repo and took the same folders, in order to compare them with diff.
Files are not altered on the server... I mean, they are identical (except the drupal and http2 templates, which are altered on github (improved)).
DEB files from the official repo (for example http://apt.vestacp.com/stretch/pool/ves ... _amd64.deb) are also the same as they were on the day they were released (I downloaded all .deb files after the last v22 version was released, so I compared them with freshly downloaded deb files).
Compared with md5sum.
So I can discard the possibility that the official server was compromised.
At least for the files that are NOW on the server.
(I'm not in the Vesta core team, so I don't have information about server status; I see the same stuff that you can see/check.)
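Added example, not dpeca's own script: the comparison he describes (a mirror download against a git checkout of the same folders) as a tree-wide hash diff that reports files only on one side, files that differ, and files that match. It uses SHA-256 instead of md5sum, since MD5 collisions are practical and it is no longer suitable for integrity checks. Two caveats worth keeping in mind: agreement between mirror and repo only shows the two are consistent with each other, not that the repo itself is untouched, and for .deb packages the signed apt Release file (which apt verifies on install) is the authoritative check. The fixture trees, file names and contents in `demo()` are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def file_digest(path: Path) -> str:
    """SHA-256 of a file, streamed so large .deb files are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_digests(root: Path, ignore=(".git",)) -> Dict[str, str]:
    """Relative POSIX path -> digest for every regular file under root (symlinks skipped)."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in ignore]   # prune VCS metadata
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            out[p.relative_to(root).as_posix()] = file_digest(p)
    return out


def compare_trees(downloaded: Path, reference: Path) -> Dict[str, List[str]]:
    """Classify every path in either tree; 'changed' is the list a reviewer must inspect by hand."""
    a, b = tree_digests(downloaded), tree_digests(reference)
    common = a.keys() & b.keys()
    return {
        "only_in_downloaded": sorted(a.keys() - b.keys()),
        "only_in_reference": sorted(b.keys() - a.keys()),
        "changed": sorted(k for k in common if a[k] != b[k]),
        "identical": sorted(k for k in common if a[k] == b[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed fixture: a 'mirror' download and a 'repo' checkout that differ in one template."""
    with tempfile.TemporaryDirectory() as tmp:
        mirror, repo = Path(tmp, "mirror"), Path(tmp, "repo")
        files = {   # hypothetical file names and contents
            "bin/v-add-user": b"#!/bin/bash\n# add user\n",
            "web/templates/default.stpl": b"server { }\n",
            "web/templates/drupal.stpl": b"server { location / { try_files $uri @rewrite; } }\n",
        }
        for root in (mirror, repo):
            for rel, data in files.items():
                p = root / rel
                p.parent.mkdir(parents=True, exist_ok=True)
                p.write_bytes(data)
        # the repo carries an improved template, the mirror a leftover file
        (repo / "web/templates/drupal.stpl").write_bytes(
            b"server { location / { try_files $uri /index.php?$query_string; } }\n")
        (mirror / "web/leftover.sh").write_bytes(b"echo stale\n")
        (repo / ".git").mkdir()
        (repo / ".git/HEAD").write_bytes(b"ref: refs/heads/master\n")
        return compare_trees(mirror, repo)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

For the real comparison call `compare_trees(Path("c.vestacp.com/debian/9"), Path("vesta/install/debian/9"))` with whatever local directories hold the download and the checkout; every entry under `changed` and `only_in_downloaded` is what needs a manual `diff`.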
Re: All VestaCP installations being attacked
I'm having a lot of SSH penetration attempts since this morning, coming from everywhere. Some examples:

dpeca wrote: (Tue Sep 25, 2018 8:01 pm)
> Just to save time for others.
> I downloaded everything from http://c.vestacp.com/debian/9/
> Then I cloned the official git repo and took the same folders, in order to compare them with diff.
> Files are not altered on the server... I mean, they are identical (except the drupal and http2 templates, which are altered on github (improved)).
> DEB files from the official repo (for example http://apt.vestacp.com/stretch/pool/ves ... _amd64.deb) are also the same as they were on the day they were released (I downloaded all .deb files after the last v22 version was released, so I compared them with freshly downloaded deb files).
> Compared with md5sum.
> So I can discard the possibility that the official server was compromised.
> At least for the files that are NOW on the server.
> (I'm not in the Vesta core team, so I don't have information about server status; I see the same stuff that you can see/check.)

Code:
Time: Tue Sep 25 20:13:07 2018 +0200
IP: 198.23.150.106 (US/United States/198-23-150-106-host.colocrossing.com)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SSHD]
Log entries:
Sep 25 19:35:09 mail sshd[16352]: Invalid user fernanda from 198.23.150.106 port 58124
Sep 25 19:35:11 mail sshd[16352]: Failed password for invalid user fernanda from 198.23.150.106 port 58124 ssh2
Sep 25 19:54:14 mail sshd[19262]: Invalid user user2 from 198.23.150.106 port 45166
Sep 25 19:54:16 mail sshd[19262]: Failed password for invalid user user2 from 198.23.150.106 port 45166 ssh2
Sep 25 20:13:02 mail sshd[22172]: Invalid user test from 198.23.150.106 port 60404
--
Time: Tue Sep 25 20:36:02 2018 +0200
IP: 58.137.172.213 (TH/Thailand/-)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SSHD]
Log entries:
Sep 25 20:00:01 mail sshd[20147]: Invalid user testing from 58.137.172.213 port 46720
Sep 25 20:00:02 mail sshd[20147]: Failed password for invalid user testing from 58.137.172.213 port 46720 ssh2
Sep 25 20:08:39 mail sshd[21492]: Invalid user ts3 from 58.137.172.213 port 53870
Sep 25 20:08:41 mail sshd[21492]: Failed password for invalid user ts3 from 58.137.172.213 port 53870 ssh2
Sep 25 20:35:59 mail sshd[25777]: Invalid user lzhang from 58.137.172.213 port 49742
--
Time: Tue Sep 25 21:22:03 2018 +0200
IP: 58.218.92.30 (CN/China/-)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SSHD]
Log entries:
Sep 25 21:21:51 mail sshd[30646]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.92.30 user=root
Sep 25 21:21:53 mail sshd[30646]: Failed password for root from 58.218.92.30 port 39770 ssh2
Sep 25 21:21:57 mail sshd[30646]: Failed password for root from 58.218.92.30 port 39770 ssh2
Sep 25 21:21:59 mail sshd[30646]: Failed password for root from 58.218.92.30 port 39770 ssh2
Sep 25 21:22:02 mail sshd[30646]: Failed password for root from 58.218.92.30 port 39770 ssh2
--
Time: Tue Sep 25 22:24:56 2018 +0200
IP: 37.59.9.162 (FR/France/ns3262490.ip-37-59-9.eu)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SSHD]
Log entries:
Sep 25 21:49:50 mail sshd[3964]: Invalid user thomas from 37.59.9.162 port 39994
Sep 25 21:49:52 mail sshd[3964]: Failed password for invalid user thomas from 37.59.9.162 port 39994 ssh2
Sep 25 22:07:23 mail sshd[4158]: Invalid user ttest from 37.59.9.162 port 55282
Sep 25 22:07:24 mail sshd[4158]: Failed password for invalid user ttest from 37.59.9.162 port 55282 ssh2
Sep 25 22:24:54 mail sshd[4324]: Invalid user jenkins from 37.59.9.162 port 42320
--
Time: Tue Sep 25 22:29:36 2018 +0200
IP: 93.95.103.141 (RU/Russia/mailsrv.profnode.ru)
Failures: 5 (sshd)
Interval: 3600 seconds
Blocked: Permanent Block [LF_SSHD]
Log entries:
Sep 25 21:51:28 mail sshd[3988]: Invalid user fox from 93.95.103.141 port 50562
Sep 25 21:51:30 mail sshd[3988]: Failed password for invalid user fox from 93.95.103.141 port 50562 ssh2
Sep 25 22:10:33 mail sshd[4198]: Invalid user dany from 93.95.103.141 port 56566
Sep 25 22:10:35 mail sshd[4198]: Failed password for invalid user dany from 93.95.103.141 port 56566 ssh2
Sep 25 22:29:31 mail sshd[4403]: Invalid user contas from 93.95.103.141 port 33088
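Added example, not part of the post above: the LF_SSHD rule those block reports come from (five sshd failures from one source within 3600 seconds) written out as a sliding-window detector. It counts the three sshd message types visible in the reports (`Invalid user`, `Failed password for`, and the `pam_unix ... authentication failure` line) so the tally matches the "Failures: 5" the reports show. The first two groups of log lines are taken from the post; the `10.0.0.5` and `10.0.0.9` lines are constructed to show a source that stays just outside the window and one that never gets near the threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional, Tuple

SYSLOG = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
IPV4 = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# The sshd failure messages seen in the reports above, in the order they are tried.
FAILURES = [
    re.compile(r"Invalid user (?P<user>\S+) from " + IPV4 + r" port \d+"),
    re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from " + IPV4 + r" port \d+"),
    re.compile(r"authentication failure;.*\brhost=" + IPV4 + r"(?:\s+user=(?P<user>\S+))?"),
]


def parse_failure(line: str, year: int) -> Optional[Tuple[datetime, str, str]]:
    """(timestamp, source ip, user) for an sshd failure line, None for anything else."""
    m = SYSLOG.match(line)
    if not m:
        return None
    for pat in FAILURES:
        f = pat.search(m["msg"])
        if f:
            # syslog timestamps carry no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return ts, f["ip"], f["user"] or "?"
    return None


def detect_bruteforce(lines, year: int, threshold: int = 5,
                      interval: int = 3600) -> Dict[str, Tuple[datetime, List[str]]]:
    """Per-source sliding window: once `threshold` failures fall within `interval`
    seconds the source is reported with the log entries that triggered it."""
    window: Dict[str, deque] = defaultdict(deque)
    blocked: Dict[str, Tuple[datetime, List[str]]] = {}
    for line in lines:
        ev = parse_failure(line, year)
        if ev is None:
            continue
        ts, ip, _user = ev
        if ip in blocked:
            continue                      # already reported, nothing more to count
        q = window[ip]
        q.append((ts, line))
        while (ts - q[0][0]).total_seconds() > interval:
            q.popleft()                   # drop failures that aged out of the window
        if len(q) >= threshold:
            blocked[ip] = (ts, [raw for _, raw in q])
    return blocked


SAMPLE_LOG = [
    # from the post: 198.23.150.106, five entries inside 38 minutes
    "Sep 25 19:35:09 mail sshd[16352]: Invalid user fernanda from 198.23.150.106 port 58124",
    "Sep 25 19:35:11 mail sshd[16352]: Failed password for invalid user fernanda from 198.23.150.106 port 58124 ssh2",
    "Sep 25 19:54:14 mail sshd[19262]: Invalid user user2 from 198.23.150.106 port 45166",
    "Sep 25 19:54:16 mail sshd[19262]: Failed password for invalid user user2 from 198.23.150.106 port 45166 ssh2",
    "Sep 25 20:13:02 mail sshd[22172]: Invalid user test from 198.23.150.106 port 60404",
    # from the post: 58.218.92.30, five entries inside 11 seconds against root
    "Sep 25 21:21:51 mail sshd[30646]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.218.92.30 user=root",
    "Sep 25 21:21:53 mail sshd[30646]: Failed password for root from 58.218.92.30 port 39770 ssh2",
    "Sep 25 21:21:57 mail sshd[30646]: Failed password for root from 58.218.92.30 port 39770 ssh2",
    "Sep 25 21:21:59 mail sshd[30646]: Failed password for root from 58.218.92.30 port 39770 ssh2",
    "Sep 25 21:22:02 mail sshd[30646]: Failed password for root from 58.218.92.30 port 39770 ssh2",
    # constructed: five failures 20 minutes apart, never five inside one hour
    "Sep 25 10:00:00 mail sshd[100]: Failed password for invalid user git from 10.0.0.5 port 4000 ssh2",
    "Sep 25 10:20:00 mail sshd[101]: Failed password for invalid user git from 10.0.0.5 port 4001 ssh2",
    "Sep 25 10:40:00 mail sshd[102]: Failed password for invalid user git from 10.0.0.5 port 4002 ssh2",
    "Sep 25 11:00:00 mail sshd[103]: Failed password for invalid user git from 10.0.0.5 port 4003 ssh2",
    "Sep 25 11:20:00 mail sshd[104]: Failed password for invalid user git from 10.0.0.5 port 4004 ssh2",
    # constructed: a single typo from a legitimate user
    "Sep 25 12:00:00 mail sshd[200]: Failed password for deploy from 10.0.0.9 port 5000 ssh2",
]

if __name__ == "__main__":
    for ip, (when, entries) in detect_bruteforce(SAMPLE_LOG, 2018).items():
        print(f"Blocked {ip} at {when:%Y-%m-%d %H:%M:%S} after {len(entries)} failures")
```

The window is inclusive at exactly 3600 seconds, which is why the `10.0.0.5` source with failures at 10:00, 10:20, 10:40, 11:00 and 11:20 is not reported: at 11:20 the 10:00 entry has aged out and only four remain. Feed real data with `detect_bruteforce(open("/var/log/auth.log").read().splitlines(), 2018)`, and remember the year argument when the file spans a new-year boundary.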