Vesta Control Panel - Forum

All VestaCP installations being attacked Topic is solved

General questions about VestaCP
231 posts
  • Page 12 of 24
dpeca
VestaCP Team
Posts: 473
Joined: Wed Nov 25, 2015 7:30 pm

Re: All VestaCP installations being attacked

Post by dpeca » Sun Sep 30, 2018 6:41 pm

OK, please check.

I just checked two compromised servers; they have the new version of api.php.

pqpk2009
Posts: 45
Joined: Sun Mar 27, 2016 2:23 am

Re: All VestaCP installations being attacked

Post by pqpk2009 » Mon Oct 01, 2018 4:04 am

dpeca wrote: ↑
Sun Sep 30, 2018 6:41 pm
OK, please check.

I just checked two compromised servers; they have the new version of api.php.
I was wrong. The new version did not have this code.

In addition, I looked at the nginx-access.log log, and some records look suspicious to me.

118.139.177.119 - - [25/Jun/2018:13:49:41 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
149.202.38.124 - - [25/Jun/2018:23:42:08 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"


27.153.182.98 - - [26/Jun/2018:10:49:08 +0200] QUIT "400" 166 "-" "-" "-"

193.70.85.110 - - [30/Jun/2018:18:25:43 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
5.8.18.77 - - [30/Jun/2018:20:08:54 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
193.70.85.110 - - [01/Jul/2018:08:04:33 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"

5.135.150.73 - - [16/Jul/2018:20:44:45 +0200] GET /Blog/wp-login.php HTTP/1.1 "302" 154 "-" "Python-urllib/2.6" "-"
5.135.150.73 - - [16/Jul/2018:20:44:47 +0200] GET /Blog/wp-login.php HTTP/1.1 "404" 1254 "-" "Python-urllib/2.6" "-"
185.209.0.23 - - [16/Jul/2018:21:42:54 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
71.6.135.131 - - [17/Jul/2018:00:11:29 +0200] GET / HTTP/1.1 "302" 5 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"
71.6.135.131 - - [17/Jul/2018:00:11:29 +0200] GET /login/ HTTP/1.1 "200" 4152 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"
71.6.135.131 - - [17/Jul/2018:00:11:31 +0200] "400" 0 "-" "-" "-"
71.6.135.131 - - [17/Jul/2018:00:11:32 +0200] "400" 0 "-" "-" "-"
71.6.135.131 - - [17/Jul/2018:00:11:33 +0200] "400" 0 "-" "-" "-"
71.6.135.131 - - [17/Jul/2018:00:11:34 +0200] "400" 0 "-" "-" "-"
71.6.135.131 - - [17/Jul/2018:00:11:38 +0200] quit "400" 166 "-" "-" "-"

103.63.2.223 - - [23/Aug/2018:14:13:53 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:14:13:54 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:14:13:55 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:18:43:19 +0200] GET / HTTP/1.1 "302" 154 "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1" "-"
103.63.2.223 - - [23/Aug/2018:18:43:26 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:18:43:27 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:18:43:27 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"

78.128.112.22 - - [26/Sep/2018:06:38:11 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
193.70.85.110 - - [26/Sep/2018:15:36:30 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
5.101.40.34 - - [26/Sep/2018:20:44:10 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
118.139.177.119 - - [27/Sep/2018:13:06:34 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
80.82.77.67 - - [27/Sep/2018:23:30:58 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
118.139.177.119 - - [28/Sep/2018:10:08:26 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
80.82.77.33 - - [28/Sep/2018:20:01:59 +0200] GET / HTTP/1.1 "502" 568 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"
80.82.77.33 - - [28/Sep/2018:20:02:00 +0200] "400" 0 "-" "-" "-"
80.82.77.33 - - [28/Sep/2018:20:02:00 +0200] "400" 0 "-" "-" "-"
80.82.77.33 - - [28/Sep/2018:20:02:00 +0200] "400" 0 "-" "-" "-"
80.82.77.33 - - [28/Sep/2018:20:02:00 +0200] "400" 0 "-" "-" "-"
80.82.77.33 - - [28/Sep/2018:20:02:03 +0200] quit "400" 166 "-" "-" "-"

ScIT
Support team
Posts: 617
Joined: Mon Feb 23, 2015 4:13 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: All VestaCP installations being attacked

Post by ScIT » Mon Oct 01, 2018 5:28 am

pqpk2009 wrote: ↑
Mon Oct 01, 2018 4:04 am
dpeca wrote: ↑
Sun Sep 30, 2018 6:41 pm
OK, please check.

I just checked two compromised servers; they have the new version of api.php.
I was wrong. The new version did not have this code.

In addition, I looked at the nginx-access.log log, and some records look suspicious to me.

118.139.177.119 - - [25/Jun/2018:13:49:41 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
149.202.38.124 - - [25/Jun/2018:23:42:08 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"


27.153.182.98 - - [26/Jun/2018:10:49:08 +0200] QUIT "400" 166 "-" "-" "-"

193.70.85.110 - - [30/Jun/2018:18:25:43 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
5.8.18.77 - - [30/Jun/2018:20:08:54 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
193.70.85.110 - - [01/Jul/2018:08:04:33 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"

5.135.150.73 - - [16/Jul/2018:20:44:45 +0200] GET /Blog/wp-login.php HTTP/1.1 "302" 154 "-" "Python-urllib/2.6" "-"
5.135.150.73 - - [16/Jul/2018:20:44:47 +0200] GET /Blog/wp-login.php HTTP/1.1 "404" 1254 "-" "Python-urllib/2.6" "-"
185.209.0.23 - - [16/Jul/2018:21:42:54 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
71.6.135.131 - - [17/Jul/2018:00:11:29 +0200] GET / HTTP/1.1 "302" 5 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"
71.6.135.131 - - [17/Jul/2018:00:11:29 +0200] GET /login/ HTTP/1.1 "200" 4152 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"
71.6.135.131 - - [17/Jul/2018:00:11:31 +0200] "400" 0 "-" "-" "-"
71.6.135.131 - - [17/Jul/2018:00:11:32 +0200] "400" 0 "-" "-" "-"
71.6.135.131 - - [17/Jul/2018:00:11:33 +0200] "400" 0 "-" "-" "-"
71.6.135.131 - - [17/Jul/2018:00:11:34 +0200] "400" 0 "-" "-" "-"
71.6.135.131 - - [17/Jul/2018:00:11:38 +0200] quit "400" 166 "-" "-" "-"

103.63.2.223 - - [23/Aug/2018:14:13:53 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:14:13:54 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:14:13:55 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:18:43:19 +0200] GET / HTTP/1.1 "302" 154 "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1" "-"
103.63.2.223 - - [23/Aug/2018:18:43:26 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:18:43:27 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:18:43:27 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"

78.128.112.22 - - [26/Sep/2018:06:38:11 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
193.70.85.110 - - [26/Sep/2018:15:36:30 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
5.101.40.34 - - [26/Sep/2018:20:44:10 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
118.139.177.119 - - [27/Sep/2018:13:06:34 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
80.82.77.67 - - [27/Sep/2018:23:30:58 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
118.139.177.119 - - [28/Sep/2018:10:08:26 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
80.82.77.33 - - [28/Sep/2018:20:01:59 +0200] GET / HTTP/1.1 "502" 568 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36" "-"
80.82.77.33 - - [28/Sep/2018:20:02:00 +0200] "400" 0 "-" "-" "-"
80.82.77.33 - - [28/Sep/2018:20:02:00 +0200] "400" 0 "-" "-" "-"
80.82.77.33 - - [28/Sep/2018:20:02:00 +0200] "400" 0 "-" "-" "-"
80.82.77.33 - - [28/Sep/2018:20:02:00 +0200] "400" 0 "-" "-" "-"
80.82.77.33 - - [28/Sep/2018:20:02:03 +0200] quit "400" 166 "-" "-" "-"
Does look like normal scans, nothing special here. You can google some of them and will get some information on what they try to find.
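ScIT's reading of those lines (commodity scanning, nothing Vesta-specific) can be turned into a quick triage you can run over your own nginx-access.log. The script below is an added example, not code from this thread or from Vesta; the tag names are mine, and the constructed sample input reuses a few lines from pqpk2009's post:

```shell
#!/bin/sh
# Triage nginx access-log lines by the scanner signatures seen in this thread.
# Tag names are mine; the sample lines are copied from the post above.

# Print one tag describing what a single log line is probing for.
scan_tag() {
    case "$1" in
        *w00tw00t.at.ISC.SANS.DFind*)     echo "dfind-scanner" ;;     # DFind web-scanner banner
        *"Cookie: mstshash="*)            echo "rdp-probe" ;;         # RDP handshake sent to an HTTP port
        *"CONNECT www.msftncsi.com:443"*) echo "open-proxy-check" ;;  # tests for an open HTTP proxy
        *wp-login.php*)                   echo "wordpress-login" ;;   # hunting for WordPress logins
        *"GET /login/ "*)                 echo "login-page-fetch" ;;  # pulled a /login/ page; worth a second look
        *)                                echo "other" ;;
    esac
}

# Read log lines on stdin and summarise them as "count tag ip", most frequent first.
summarize_log() {
    while IFS= read -r line; do
        ip=${line%% *}                     # client address is the first field
        printf '%s %s\n' "$(scan_tag "$line")" "$ip"
    done | sort | uniq -c | sort -rn
}

# Constructed sample input: a handful of lines from the post above.
SAMPLE_LOG=$(cat <<'EOF'
118.139.177.119 - - [25/Jun/2018:13:49:41 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
5.8.18.77 - - [30/Jun/2018:20:08:54 +0200] \x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr "400" 166 "-" "-" "-"
5.135.150.73 - - [16/Jul/2018:20:44:45 +0200] GET /Blog/wp-login.php HTTP/1.1 "302" 154 "-" "Python-urllib/2.6" "-"
71.6.135.131 - - [17/Jul/2018:00:11:29 +0200] GET /login/ HTTP/1.1 "200" 4152 "-" "Mozilla/5.0" "-"
103.63.2.223 - - [23/Aug/2018:14:13:53 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
103.63.2.223 - - [23/Aug/2018:14:13:54 +0200] CONNECT www.msftncsi.com:443 HTTP/1.1 "400" 166 "-" "-" "-"
EOF
)

# Run on the sample; for a real file use:  summarize_log < nginx-access.log
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

Lines that end up tagged "other" are the ones worth reading by hand, since the known scanner noise has been filtered out of the way.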

wyamout
Posts: 12
Joined: Sat Mar 14, 2015 3:28 am

Os: Ubuntu 14x
Web: apache
Re: All VestaCP installations being attacked

Post by wyamout » Mon Oct 01, 2018 6:49 am

So my VPS was blocked; they sent the attack details... I installed VestaCP just 5 days ago on a new server.

Code:

> Attack detail : 32Kpps/20Mbps
> dateTime srcIp:srcPort dstIp:dstPort protocol flags packets bytes reason
> 2018.09.25 06:13:47 CEST server-ip-address:17459 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:29022 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:55308 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:49451 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:9828 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:33845 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:18313 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:30186 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:55426 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:59503 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:49779 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:53213 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:43761 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:9283 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:32901 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:25862 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:61338 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:29028 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:22060 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN
> 2018.09.25 06:13:47 CEST server-ip-address:6028 144.0.2.180:80 TCP SYN 16384 1343488 ATTACK:TCP_SYN

dpeca
VestaCP Team
Posts: 473
Joined: Wed Nov 25, 2015 7:30 pm

Re: All VestaCP installations being attacked

Post by dpeca » Mon Oct 01, 2018 7:25 am

ScIT wrote: ↑
Mon Oct 01, 2018 5:28 am
pqpk2009 wrote: ↑
Mon Oct 01, 2018 4:04 am
...
80.82.77.33 - - [28/Sep/2018:20:02:00 +0200] "400" 0 "-" "-" "-"
80.82.77.33 - - [28/Sep/2018:20:02:03 +0200] quit "400" 166 "-" "-" "-"
Does look like normal scans, nothing special here. You can google some of them and will get some information on what they try to find.
I agree, I see the same on all my servers; it's just bots that scan the network, searching for some specific vulnerable software, but probably not Vesta.
I guess that our attacker deletes his IP from the access log...

pqpk2009
Posts: 45
Joined: Sun Mar 27, 2016 2:23 am

Re: All VestaCP installations being attacked

Post by pqpk2009 » Mon Oct 01, 2018 7:54 am

Now I have stopped the vesta service, but the API cannot be used. How can I extract the API?

Now there are more than 300 servers.

dpeca
VestaCP Team
Posts: 473
Joined: Wed Nov 25, 2015 7:30 pm

Re: All VestaCP installations being attacked

Post by dpeca » Mon Oct 01, 2018 8:39 am

pqpk2009 wrote: ↑
Mon Oct 01, 2018 7:54 am
Now I have stopped the vesta service, but the API cannot be used. How can I extract the API?

Now there are more than 300 servers.
You can start the vesta service and then, in the Firewall section, allow only your IPs to connect to port 8083.
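dpeca's advice (keep the panel running, but let only your own addresses reach port 8083) written out as plain iptables rules. This is an added example, not Vesta's own Firewall tooling; the chain name VESTA_PANEL and the addresses in the usage line are placeholders I chose:

```shell
#!/bin/sh
# Emit (and optionally apply) iptables rules that let only listed admin
# addresses reach the Vesta panel port, dropping every other source.
# Added example using plain iptables, not Vesta's own Firewall section.
# Usage:  sh panel-allowlist.sh 8083 203.0.113.10 198.51.100.0/24 | sudo sh

# Accept a dotted IPv4 address with an optional /prefix (0-32); return 1 otherwise.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    case $1 in */*) [ "${1#*/}" -le 32 ] || return 1 ;; esac
    addr=${1%%/*}; oldifs=$IFS; IFS=.
    for octet in $addr; do
        [ "$octet" -le 255 ] || { IFS=$oldifs; return 1; }
    done
    IFS=$oldifs
}

# Print the iptables commands for PORT followed by one or more allowed sources.
# A dedicated chain keeps the allow-list easy to flush and re-apply.
panel_rules() {
    port=$1; shift
    [ $# -gt 0 ] || { echo "panel_rules: no allowed addresses given" >&2; return 1; }
    for src in "$@"; do
        valid_cidr "$src" || { echo "panel_rules: bad address: $src" >&2; return 1; }
    done
    echo "iptables -N VESTA_PANEL 2>/dev/null || iptables -F VESTA_PANEL"
    for src in "$@"; do
        echo "iptables -A VESTA_PANEL -s $src -j ACCEPT"
    done
    echo "iptables -A VESTA_PANEL -j DROP"
    # Remove any earlier jump, then insert at the top of INPUT so a generic
    # ACCEPT for the port further down can no longer bypass the allow-list.
    echo "iptables -D INPUT -p tcp --dport $port -j VESTA_PANEL 2>/dev/null"
    echo "iptables -I INPUT 1 -p tcp --dport $port -j VESTA_PANEL"
}

if [ $# -ge 2 ]; then
    panel_rules "$@"
fi
```

Review the printed commands before piping them to sh, and make sure the address you are connecting from is in the list, or you lock yourself out of the panel.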

maman
Posts: 17
Joined: Mon Aug 27, 2018 3:05 pm

Os: CentOS 4x
Web: apache
Re: All VestaCP installations being attacked

Post by maman » Mon Oct 01, 2018 8:51 am

Hello, I still don't get why some people suggest changing the default port of the admin panel and the SSH port. Can someone give me some light?

For me it just takes a couple of seconds to find out your randomized port. Even tools like Shodan and Censys can map every single device on the whole internet in just a couple of hours.

=> https://www.kaspersky.com/blog/shodan-censys/11430/

dpeca
VestaCP Team
Posts: 473
Joined: Wed Nov 25, 2015 7:30 pm

Re: All VestaCP installations being attacked

Post by dpeca » Mon Oct 01, 2018 8:56 am

When you are an attacker, and when you scan a million IP addresses, you don't have 15 minutes per IP (to scan all 65535 ports)... you just check 22, 8083, eventually 2022 or 2222, and then you go to the next IP...

flanders
Posts: 11
Joined: Thu Jun 12, 2014 4:46 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: All VestaCP installations being attacked

Post by flanders » Mon Oct 01, 2018 11:08 am

I have 3 servers with Vesta. Only 1 is attacked, always the same server. 2 servers are working well (they are on the same host); the attacked one is on another host. I rebuilt it many times, changed the server IP, hostname, password, SSH port, set permit root login to without-password, but each day it is attacked... I don't know how to solve this situation....