Vesta Control Panel - Forum

Community Forum

All VestaCP installations being attacked Topic is solved

General questions about VestaCP
231 posts
  • Page 21 of 24
kandalf
Posts: 87
Joined: Tue May 13, 2014 11:53 pm

Re: All VestaCP installations being attacked

Post by kandalf » Fri Oct 19, 2018 10:31 am

imperio wrote (Fri Oct 19, 2018 10:12 am):
    kandalf wrote (Fri Oct 19, 2018 10:08 am):
        imperio wrote (Fri Oct 19, 2018 9:49 am):
            Falzo, stop the insults. We have all said in this thread.
            More information you can find here
            https://www.welivesecurity.com/2018/10/ ... installed/

            Next time I'll give you a warning.
        Thanks for the link. On one of my servers I have the file /etc/init.d/dhcprenew and not /usr/bin/dhcprenew; I also have multiple symlinks that can be found using:
        ls /etc/rc[1-5].d/
        ls /etc/rc.d/rc[1-5].d/

        I think I should reinstall the server.
    You can clean your server
    https://www.welivesecurity.com/2018/10/ ... installed/
    Sections: First stage; Persistence mechanism and link to Xor.DDoS
I already removed /etc/init.d/dhcprenew, /usr/bin/dhcprenew and all the symlinks, and I have changed the root and admin passwords.
Are there more things to do? Maybe someone can create a step-by-step tutorial on how to clean an infected server.

BTW, on this server I received an email from Vesta telling me that I was infected.

imperio
VestaCP Team
Posts: 7000
Joined: Sat Dec 01, 2012 12:37 pm

Re: All VestaCP installations being attacked

Post by imperio » Fri Oct 19, 2018 10:40 am

kandalf, what OS is on your server which was infected?

kandalf
Posts: 87
Joined: Tue May 13, 2014 11:53 pm

Re: All VestaCP installations being attacked

Post by kandalf » Fri Oct 19, 2018 10:46 am

imperio wrote (Fri Oct 19, 2018 10:40 am):
    kandalf, what OS is on your server which was infected?
CentOS 7

imperio
VestaCP Team
Posts: 7000
Joined: Sat Dec 01, 2012 12:37 pm

Re: All VestaCP installations being attacked

Post by imperio » Fri Oct 19, 2018 11:02 am

Show me the results of this command:

    /sbin/chkconfig --list

artuof
Posts: 15
Joined: Fri Nov 10, 2017 5:42 am

Re: All VestaCP installations being attacked

Post by artuof » Fri Oct 19, 2018 11:05 am

I have OS Ubuntu 16.04 LTS.

The first thing I've done has been to change the admin and root passwords.

Later, I have seen that my server has /usr/bin/dhcprenew.disabled and /etc/init.d/dhcprenew.disabled files. (Why .disabled? No idea.)
I have deleted both.

I also have symbolic links:
lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc1.d/S01dhcprenew -> ../init.d/dhcprenew
lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc2.d/S01dhcprenew -> ../init.d/dhcprenew
lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc3.d/S01dhcprenew -> ../init.d/dhcprenew
lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc4.d/S01dhcprenew -> ../init.d/dhcprenew
lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc5.d/S01dhcprenew -> ../init.d/dhcprenew
I have deleted all of them.

I also have several jobs (ps -A) named [kworker/1:1].
I have killed them.

How do I have to proceed?

Reinstallation at this time is not possible.
My server works fine apparently.

Thanks!
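The post above lists the three kinds of leftovers people in this thread found: the dhcprenew init script and binary (sometimes with a .disabled suffix), the rc*.d symlinks, and processes calling themselves [kworker/1:1]. The following triage script is an added example, not VestaCP code and not something posted in the thread. It lists whichever of those file artifacts exist, using the paths named above and both the Debian/Ubuntu (/etc/rcN.d) and CentOS (/etc/rc.d/rcN.d) symlink layouts, and it flags processes whose name claims to be a kernel worker but whose parent is not kthreadd (PID 2): every genuine kernel thread is a child of kthreadd, and a user-space process can rename itself but cannot choose its parent. The sample process table, its PIDs and the --live flag are constructed for illustration.

```shell
#!/bin/sh
# Added triage example for the dhcprenew infection discussed in this thread.
# Not VestaCP code. Paths come from the posts above; the PIDs, the sample
# process table and the --live flag are constructed for illustration.

# list_artifacts [ROOT]: print every known dhcprenew artifact that exists
# under ROOT (default: the live filesystem). Covers the init script, the
# binary, the .disabled variants one poster found, and the rc*.d symlinks
# on both Debian/Ubuntu (/etc/rcN.d) and CentOS (/etc/rc.d/rcN.d) layouts.
list_artifacts() {
  root="${1:-}"
  for p in "$root"/usr/bin/dhcprenew "$root"/usr/bin/dhcprenew.disabled \
           "$root"/etc/init.d/dhcprenew "$root"/etc/init.d/dhcprenew.disabled \
           "$root"/etc/rc[0-6].d/*dhcprenew "$root"/etc/rc.d/rc[0-6].d/*dhcprenew; do
    # Test -L before -e: a symlink whose target was already deleted is
    # dangling (-e says no) but it still has to be removed.
    if [ -L "$p" ] || [ -e "$p" ]; then
      printf '%s\n' "$p"
    fi
  done
}

# flag_fake_kworkers: read "<pid> <ppid> <comm>" lines (the format of
# `ps -eo pid=,ppid=,comm=`) and print the PID of every process whose name
# claims to be a kernel worker but whose parent is not kthreadd (PID 2).
# All genuine kernel threads are children of kthreadd; a user-space
# process can rename itself "[kworker/1:1]" (argv[0] or prctl PR_SET_NAME)
# but cannot change who its parent is.
flag_fake_kworkers() {
  while read -r pid ppid comm; do
    case "$comm" in
      kworker*|\[kworker*)
        [ "$ppid" = "2" ] || printf '%s\n' "$pid"
        ;;
    esac
  done
}

# Constructed sample process table: two real workers, one impostor
# (PID 4321, parented by init, with the bracketed name) and its child shell.
SAMPLE_PS='    2     0 kthreadd
   12     2 kworker/0:1
   13     2 kworker/1:1
 4321     1 [kworker/1:1]
 4400  4321 sh'

if [ "${1:-}" = "--live" ]; then
  # Real run: needs root to see everything. chkconfig and rc*.d only cover
  # SysV services; on systemd hosts also review: systemctl list-unit-files
  echo "== dhcprenew artifacts on disk =="
  list_artifacts
  echo "== processes posing as kworker (PID) =="
  ps -eo pid=,ppid=,comm= | flag_fake_kworkers
else
  # Offline demo against the constructed sample; prints 4321.
  printf '%s\n' "$SAMPLE_PS" | flag_fake_kworkers
fi
```

Run it without arguments to see the check work on the built-in sample, or with --live as root on a suspect host. A flagged PID is only a lead: confirm it with `ls -l /proc/PID/exe` (kernel threads have no readable exe link) before killing it, and remember that deleting the files and the process does not tell you what else the attacker did with root, which is why several posters in this thread lean towards reinstalling.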

Falzo
Posts: 60
Joined: Mon Mar 28, 2016 8:49 am

Re: All VestaCP installations being attacked

Post by Falzo » Fri Oct 19, 2018 11:30 am

imperio wrote (Fri Oct 19, 2018 9:49 am):
    Falzo, stop the insults. We have all said in this thread.
    More information you can find here
    https://www.welivesecurity.com/2018/10/ ... installed/

    Next time I'll give you a warning.
How did I insult anyone? You can warn me all over the place if you think that's a proper reaction here... go ahead and delete my posts if you think they are hurting you in some way.

See, that's exactly the point... responses and communication. Why do you need to react like that to me? I found something, posted it here and you could react to it. Now you are angry with me?
Or did you already know what happened even before I posted about that? Pick one...

In the end I don't care about your reaction _to me_ at all, but maybe others will. I am sure quite some people are looking at this thread and the reactions of the Vesta Team very closely.

And to be fully clear: I am not looking for any fight, I am looking for open and transparent communication on the matter. In the end this hasn't even been a real failure/exploit in the code of Vesta itself, but a problem in the infrastructure/deployment.

For the link you posted, you are right, maybe you want to read it again:
    VestaCP maintainers stated they were compromised. How the malicious code ended up in their Git tree is still unclear. Perhaps the perpetrator modified the installation scripts on the server and this version was used to create the next version of the file in Git, but only for the Ubuntu target. This would mean they have been compromised since at least May 2018.
So they also say that the timeline is unclear and that there is information missing. Hence why I ask to finally address this in full instead of waiting for users to find more pieces...

However, I am going back to my cave then. If anyone has more questions, or wants to discuss without being warned or threatened, you can find me on lowendtalk or hostballs ;-) ;-) ;-)

pqpk2009
Posts: 45
Joined: Sun Mar 27, 2016 2:23 am

Re: All VestaCP installations being attacked

Post by pqpk2009 » Fri Oct 19, 2018 11:35 am

The concentrated explosion is mainly caused by two large mainframe suppliers, feeling that their DNS servers have been hijacked. Vestacp.com domain name IP has been changed.

Hosters: Hetzner, OVH

ScIT
Support team
Posts: 617
Joined: Mon Feb 23, 2015 4:13 pm

OS: Ubuntu 17x
Web: apache + nginx
Re: All VestaCP installations being attacked

Post by ScIT » Fri Oct 19, 2018 11:42 am

pqpk2009 wrote (Fri Oct 19, 2018 11:35 am):
    The concentrated explosion is mainly caused by two large mainframe suppliers, feeling that their DNS servers have been hijacked. Vestacp.com domain name IP has been changed.
Hmm, I don't think this is realistic; it does not make any sense. The changed installer script was, for example, also uploaded to github.com; additionally, I think the DNS systems of such big players are monitored carefully.

kandalf
Posts: 87
Joined: Tue May 13, 2014 11:53 pm

Re: All VestaCP installations being attacked

Post by kandalf » Fri Oct 19, 2018 11:51 am

imperio wrote (Fri Oct 19, 2018 11:02 am):
    Show me the results of this command:

        /sbin/chkconfig --list
This is the result:
[root@mail ~]# /sbin/chkconfig --list

Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.

If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.

mysql 0:off 1:off 2:on 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
vesta 0:off 1:off 2:on 3:on 4:on 5:on 6:off

imperio
VestaCP Team
Posts: 7000
Joined: Sat Dec 01, 2012 12:37 pm

Re: All VestaCP installations being attacked

Post by imperio » Fri Oct 19, 2018 11:54 am

Good. You have removed all virus files from your server.

All times are UTC