Page 14 of 55

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 12:08 pm
by sandy
lukapaunovic wrote: Sun Apr 08, 2018 12:02 pm Hey here are affected files in that time range see

Don't aim at Roundcube as the exploit. I don't have Roundcube on my servers, or even phpMyAdmin; I disabled them and deleted them, and still got hacked.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 12:08 pm
by Prime
lukapaunovic wrote: Sun Apr 08, 2018 12:02 pm Hey here are affected files in that time range see

Can you check what version of Roundcube that is on the system?

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 12:09 pm
by ivcha92

I've got a bunch of strangely named files here, created on April 3rd and 4th.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 12:10 pm
by MAN5
StudioMaX wrote: Sun Apr 08, 2018 12:06 pm Also I have good news: I binary compared all the files in two backups of the whole server, one from 03-04-2018 (before infection), the other from 07-04-2018. And it seems that this exploit did not modify any system files, but only created these:


/etc/cron.hourly/gcc.sh
/etc/rc.d/init.d/update
/etc/rc.d/rc1.d/S90update
/etc/rc.d/rc2.d/S90update
/etc/rc.d/rc3.d/S90update
/etc/rc.d/rc4.d/S90update
/etc/rc.d/rc5.d/S90update
/usr/lib/libudev.so
/tmp/update
But in any case, if your server was infected, you will need to reinstall it.
Are you suspecting that file S90update is the culprit?
What is the contents of that S90update file?

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 12:13 pm
by StudioMaX
Prime wrote: Sun Apr 08, 2018 12:08 pm Can you check what version of Roundcube that is on the system?
On my installation I had the latest version - 1.3.5
MAN5 wrote: Sun Apr 08, 2018 12:10 pm Are you suspecting on that file S90update - is a culprit.?
What is the contents of that S90update file?


/etc/rc.d/rc1.d/S90update
/etc/rc.d/rc2.d/S90update
/etc/rc.d/rc3.d/S90update
/etc/rc.d/rc4.d/S90update
/etc/rc.d/rc5.d/S90update
- are just symlinks to "/etc/rc.d/init.d/update"

Its content:


#!/bin/sh
# chkconfig: 12345 90 90
# description: update
### BEGIN INIT INFO
# Provides:		update
# Required-Start:	
# Required-Stop:	
# Default-Start:	1 2 3 4 5
# Default-Stop:		
# Short-Description:	update
### END INIT INFO
case $1 in
start)
	/tmp/update
	;;
stop)
	;;
*)
	/tmp/update
	;;
esac
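The file list and the init script above give a concrete set of persistence artifacts to look for. The following POSIX shell script is an added example for checking a server for exactly those artifacts; it is not code from the thread or from Vesta. It takes an optional root prefix so a hacked disk mounted under a rescue system can be scanned without booting it, and it goes one step beyond the list by flagging any init or cron script that references a path under /tmp, which is the pattern the `update` script above follows. The helper names `check_persistence` and `find_tmp_launchers` are my own.

```shell
#!/bin/sh
# Added example (not from the thread): scan a filesystem tree for the persistence
# artifacts listed in the thread, and flag boot/cron scripts that launch anything
# from /tmp. ROOT is an optional prefix (e.g. /mnt/rescue for a disk mounted under
# a rescue system); an empty ROOT scans the live host.

# Files the thread reports as created by the compromise (paths from the thread).
ARTIFACT_FILES="/etc/cron.hourly/gcc.sh
/etc/rc.d/init.d/update
/usr/lib/libudev.so
/tmp/update"

# rcN.d entries that the thread reports as symlinks to /etc/rc.d/init.d/update.
ARTIFACT_LINKS="/etc/rc.d/rc1.d/S90update
/etc/rc.d/rc2.d/S90update
/etc/rc.d/rc3.d/S90update
/etc/rc.d/rc4.d/S90update
/etc/rc.d/rc5.d/S90update"

# check_persistence [ROOT]: print every listed artifact present under ROOT.
# Returns 0 if nothing was found, 1 otherwise.
check_persistence() {
    root="${1:-}"
    found=0
    for f in $ARTIFACT_FILES; do
        # -L also catches a dangling symlink, which -e alone would miss
        if [ -e "$root$f" ] || [ -L "$root$f" ]; then
            echo "FOUND file: $root$f"
            found=1
        fi
    done
    for l in $ARTIFACT_LINKS; do
        if [ -L "$root$l" ]; then
            echo "FOUND symlink: $root$l -> $(readlink "$root$l")"
            found=1
        elif [ -e "$root$l" ]; then
            echo "FOUND file: $root$l"
            found=1
        fi
    done
    return $found
}

# find_tmp_launchers [ROOT]: generalisation of the /tmp/update pattern.
# Any init or cron script that references a path under /tmp deserves a look,
# whatever it is named. Returns 0 if none, 1 if at least one was printed.
find_tmp_launchers() {
    root="${1:-}"
    hits=0
    for dir in "$root/etc/rc.d/init.d" "$root/etc/init.d" \
               "$root/etc/cron.hourly" "$root/etc/cron.daily" "$root/etc/cron.d"; do
        [ -d "$dir" ] || continue
        out=$(find "$dir" -type f -exec grep -l '/tmp/' {} \; 2>/dev/null)
        if [ -n "$out" ]; then
            printf '%s\n' "$out" | sed 's|^|SUSPICIOUS launcher references /tmp: |'
            hits=1
        fi
    done
    return $hits
}

# Stand-alone use: sh scan.sh /mnt/rescue   (exit status 1 means something was found)
if [ $# -gt 0 ]; then
    status=0
    check_persistence "$1" || status=1
    find_tmp_launchers "$1" || status=1
    exit $status
fi
```

Run it against a mounted copy of the affected disk rather than the running system where possible, since a live host can lie about its own files. The list covers only what this thread observed; a clean result from these checks is not evidence the box is clean, which is why the reinstall advice above still stands.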

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 12:13 pm
by lukapaunovic
1.35 version

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 12:19 pm
by StudioMaX
sandy wrote: Sun Apr 08, 2018 12:08 pm don't aim roundcube as the exploit i don't have roundcube on my servers even phpmyadmin, i disabled them and deleted it still got hacked.
Do you mean you manually deleted already installed applications? Because Roundcube is installed automatically if you install exim and mysql; it cannot be turned off when setting up Vesta.
Look here: https://github.com/serghey-rodin/vesta/ ... l.sh#L1201

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 12:20 pm
by Prime
StudioMaX wrote: Sun Apr 08, 2018 12:13 pm
Prime wrote: Sun Apr 08, 2018 12:08 pm Can you check what version of Roundcube that is on the system?
On my installation I had the latest version - 1.3.
lukapaunovic wrote: Sun Apr 08, 2018 12:13 pm 1.35 version
Then I think we can eliminate the theory that Roundcube is the fault here.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 12:21 pm
by crackerizer
One of my VPS at OVH got exploited this morning. I reinstalled the OS and restored all accounts from my remote backup. I'm now monitoring any change in /etc with inotify. From the information I read here, it seems like all the created executables have to have been made with root access. The exploit has to be more than just bugs in Roundcube, which runs under the www-data user. That's my speculation.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 12:22 pm
by lukapaunovic
I'm cheering that it's not Roundcube, because another server didn't get hacked again with Vesta disabled. I'm still keeping this hacked server mounted in rescue until serghey is back. I truly hope he will be back; my client is insisting on putting the sites back up.