Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 1:03 pm
Okay, but log in to it from another server in Screen and tail the log. Ok?
Community Forum
https://forum.vestacp.com/
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 1:16 pm
while writing my post above, I missed that. so I quickly grepped for that IP and can confirm that it appears in my logfiles too, with only a single HEAD request to the /webmail URL, just once, no further occurrence after that.

skamasle wrote: Sun Apr 08, 2018 12:22 pm
> Can confirm access from that IP the same day as the gcc.sh file appeared, with a HEAD request to /webmail/
>
> StudioMaX wrote: Sun Apr 08, 2018 11:54 am
> > A bit more info:
> > My /etc/cron.hourly/gcc.sh file was modified on 04.04.2018 16:25:00
> > I've analyzed the modified /var/lib/mysql/roundcube/session.ibd file, which was modified at the same time, on 04.04.2018 16:24:56
> > In the SQL dump of this "session" table from the "roundcube" database I found a new session at the same time:
> > Code:
> > INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES ('ajhkl541vskuji31ss3tadl7gc', '2018-04-04 16:24:54', '119.82.29.17', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6ImZ5blJ2SlpPZ1VoeTFNUDZ6c0FWUk4yZXZ6YWNHdlhrIjs=');
> > 119.82.29.17 - looks like the attacker's or a bot's IP
> > But what is interesting is that the same IP address figured in another session from 2018-03-24 23:02:01:
> > Code:
> > INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES ('1a6f1ft5oo732eju8p6mldlag1', '2018-03-24 23:02:01', '119.82.29.17', 'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0X3Rva2VufHM6MzI6InJhQ1M4Z2hYME01YkJ2M1F6akt6SWJTeHVCY1E3dFA2Ijs=');
> > All other tables in the "roundcube" database were empty (since I do not use Roundcube).
> > I installed Vesta on the new server on 24.03.2018 0:00:51, so the bot detected it in less than a day.
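The `vars` column in the two INSERT statements quoted above is a base64-encoded PHP session blob, and decoding it shows what the visitor from 119.82.29.17 actually did before anything else is inferred from the timestamps. The script below is an added example written for this thread, not code from the forum or from Roundcube: the two rows are copied verbatim from StudioMaX's dump, the PHP-session parser is a minimal one written here (scalar types only), and the `user_id` check rests on the assumption that Roundcube writes that key into the session only after a successful login.

```python
"""Decode Roundcube `session` rows and report whether each one is an
authenticated session or just an anonymous hit on the login page.

Added example (not from the thread or from Roundcube). The parser covers
PHP's default session format, key|<serialized value>..., for the scalar
types b, i, s and N, which is all a fresh Roundcube session contains.
"""
import base64
import re

# Copied from StudioMaX's dump of the roundcube.session table (see thread).
SESSION_ROWS = [
    "INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES "
    "('ajhkl541vskuji31ss3tadl7gc', '2018-04-04 16:24:54', '119.82.29.17', "
    "'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0"
    "X3Rva2VufHM6MzI6ImZ5blJ2SlpPZ1VoeTFNUDZ6c0FWUk4yZXZ6YWNHdlhrIjs=');",
    "INSERT INTO `session` (`sess_id`, `changed`, `ip`, `vars`) VALUES "
    "('1a6f1ft5oo732eju8p6mldlag1', '2018-03-24 23:02:01', '119.82.29.17', "
    "'dGVtcHxiOjE7bGFuZ3VhZ2V8czo1OiJlbl9VUyI7dGFza3xzOjU6ImxvZ2luIjtyZXF1ZXN0"
    "X3Rva2VufHM6MzI6InJhQ1M4Z2hYME01YkJ2M1F6akt6SWJTeHVCY1E3dFA2Ijs=');",
]

INSERT_RE = re.compile(r"VALUES \('([^']*)', '([^']*)', '([^']*)', '([^']*)'\)")


def parse_php_session(data: str) -> dict:
    """Parse PHP's session serialization: key|b:1;key|s:5:"en_US";key|N; ..."""
    out = {}
    pos = 0
    while pos < len(data):
        bar = data.index("|", pos)
        key = data[pos:bar]
        pos = bar + 1
        tag = data[pos]
        if tag in ("b", "i"):               # b:1;  or  i:42;
            end = data.index(";", pos)
            raw = data[pos + 2:end]
            out[key] = (raw == "1") if tag == "b" else int(raw)
            pos = end + 1
        elif tag == "s":                     # s:<bytelen>:"<bytes>";
            colon2 = data.index(":", pos + 2)
            length = int(data[pos + 2:colon2])
            start = colon2 + 2               # skip the ':' and opening quote
            out[key] = data[start:start + length]
            pos = start + length + 2         # skip closing quote and ';'
        elif tag == "N":                     # N;
            out[key] = None
            pos += 2
        else:
            raise ValueError(f"unsupported PHP type {tag!r} at offset {pos}")
    return out


def decode_row(sql: str) -> dict:
    """Split one INSERT statement into its columns and decode `vars`."""
    m = INSERT_RE.search(sql)
    if not m:
        raise ValueError("not a roundcube session INSERT")
    sess_id, changed, ip, vars_b64 = m.groups()
    # latin-1 keeps one char per byte, so PHP's byte lengths match str indexes.
    blob = base64.b64decode(vars_b64).decode("latin-1")
    return {"sess_id": sess_id, "changed": changed, "ip": ip,
            "vars": parse_php_session(blob)}


def is_logged_in(session_vars: dict) -> bool:
    # Assumption: Roundcube stores user_id in the session only after a
    # successful login, so a row without it is an anonymous visitor who
    # merely reached the login form.
    return "user_id" in session_vars


def summarize(rows):
    """One compact record per row: who, when, which task, authenticated or not."""
    out = []
    for sql in rows:
        row = decode_row(sql)
        out.append({"sess_id": row["sess_id"], "changed": row["changed"],
                    "ip": row["ip"], "task": row["vars"].get("task"),
                    "logged_in": is_logged_in(row["vars"]),
                    "keys": sorted(row["vars"])})
    return out


if __name__ == "__main__":
    for rec in summarize(SESSION_ROWS):
        print(rec)
```

Both rows decode to `temp`, `language`, `task=login` and a `request_token`, and nothing else: no `user_id`, no username, no mail host. That is exactly what Roundcube writes when someone merely loads the login page, which lines up with the single HEAD request to /webmail that the other posters saw from the same IP. The session row therefore proves a visit, not a login, and the timestamp match with gcc.sh says only that the visit and the compromise happened within seconds of each other.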
Falzo wrote: Sun Apr 08, 2018 1:16 pm
> while writing my post above, I missed that. so I quickly grepped for that IP and can confirm that it appears in my logfiles too, with only a single HEAD request to the /webmail URL, just once, no further occurrence after that.
> also can confirm that the timestamps match the creation of the rc files and the /etc/init.d/update script, which points to /tmp/update ...
> I am still unsure how this exactly relates. a HEAD request should not be malicious at all. but maybe something from the resulting data was needed for the break-in attempt? without log information for the vesta-nginx one can only guess :(

Since you're assuming that it is from roundcube, can you paste the output of this command:
Code:
stat /usr/share/roundcubemail/*
Code:
stat /path/to/your/roundcube/*
My IP address is x.x.x.x
Code:
x.x.x.x - - [08/Apr/2018:09:15:00 -0400] "GET / HTTP/1.1" 302 154 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET /list/user/ HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET /login/ HTTP/1.1" 200 931 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:02 -0400] "GET /css/jquery-custom-dialogs.css?1446554103 HTTP/1.1" 200 5833 "https://xxxxxx:8083/login/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) G$
y.y.y.y - - [08/Apr/2018:09:15:03 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:04 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:06 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:07 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:09 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:11 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:12 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
y.y.y.y - - [08/Apr/2018:09:15:14 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"
The following change occurred in the file /etc:
Code:
08/04/18 09:15 - CREATE /etc/bind/sedMBXndN
The file is deleted afterward though.
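The access log above and the file-system event are two independent clocks, and the useful question for a defender is which requests fall inside the window around the change and whether any source stands out. The script below is an added example written for this thread, not code from the forum or from VestaCP: the thirteen log lines and the CREATE event are copied from the post above with its x.x.x.x / y.y.y.y placeholders, the `dd/mm/yy` reading of "08/04/18" is an assumption (the thread writes dates day-first elsewhere), and the burst thresholds are illustrative values chosen here.

```python
"""Correlate web-server requests with a file-system change and flag
API request bursts from non-browser clients.

Added example, not code from the thread or from VestaCP. Sample data is
copied from the post above (IPs already anonymised by the poster).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = [
    'x.x.x.x - - [08/Apr/2018:09:15:00 -0400] "GET / HTTP/1.1" 302 154 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"',
    'x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"',
    'x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET /list/user/ HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"',
    'x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET /login/ HTTP/1.1" 200 931 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"',
    # This line was cut off by the poster's terminal; the parser tolerates it.
    'x.x.x.x - - [08/Apr/2018:09:15:02 -0400] "GET /css/jquery-custom-dialogs.css?1446554103 HTTP/1.1" 200 5833 "https://xxxxxx:8083/login/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) G$',
    'y.y.y.y - - [08/Apr/2018:09:15:03 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"',
    'y.y.y.y - - [08/Apr/2018:09:15:04 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"',
    'y.y.y.y - - [08/Apr/2018:09:15:06 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"',
    'y.y.y.y - - [08/Apr/2018:09:15:07 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"',
    'y.y.y.y - - [08/Apr/2018:09:15:09 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"',
    'y.y.y.y - - [08/Apr/2018:09:15:11 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"',
    'y.y.y.y - - [08/Apr/2018:09:15:12 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"',
    'y.y.y.y - - [08/Apr/2018:09:15:14 -0400] "POST /api/ HTTP/1.1" 200 11 "-" "curl/7.47.0"',
]

# The file-system event from the post; the server's log offset is -0400.
FS_EVENT = "08/04/18 09:15 - CREATE /etc/bind/sedMBXndN"
SERVER_TZ = timezone(timedelta(hours=-4))

# Combined log format; the final quote is optional so truncated lines still parse.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) (\S+) "([^"]*)" "([^"]*)"?'
)


def parse_access_log(lines):
    """Turn raw log lines into dicts with timezone-aware timestamps."""
    reqs = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                          # keep going past garbage lines
        ip, ts, method, path, status, size, referer, ua = m.groups()
        reqs.append({"ip": ip, "method": method, "path": path,
                     "status": int(status), "ua": ua,
                     "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")})
    return reqs


def parse_fs_event(line, tz=SERVER_TZ):
    """Parse 'dd/mm/yy HH:MM - ACTION path' (day-first is an assumption)."""
    stamp, rest = line.split(" - ", 1)
    action, path = rest.split(" ", 1)
    when = datetime.strptime(stamp, "%d/%m/%y %H:%M").replace(tzinfo=tz)
    return when, action, path


def requests_near(reqs, event_time, window=timedelta(seconds=60)):
    """All requests within +/- window of the file-system event."""
    return [r for r in reqs if abs(r["time"] - event_time) <= window]


def api_bursts(reqs, path="/api/", min_count=5, span=timedelta(seconds=30)):
    """Map ip -> largest number of non-browser POSTs to `path` inside any
    `span`-long window, for IPs that reach `min_count` (thresholds illustrative)."""
    by_ip = defaultdict(list)
    for r in reqs:
        if r["method"] == "POST" and r["path"] == path and not r["ua"].startswith("Mozilla/"):
            by_ip[r["ip"]].append(r["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best = 0
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= span:
                j += 1
            best = max(best, j - i + 1)
        if best >= min_count:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    reqs = parse_access_log(SAMPLE_LOG)
    when, action, path = parse_fs_event(FS_EVENT)
    print(f"{action} {path} at {when}: {len(requests_near(reqs, when))} requests within 60s")
    print("API bursts:", api_bursts(reqs))
```

With the post's data every request lands inside the minute around the CREATE event, so the window alone does not single anything out; the burst check does, because one source issues eight POSTs to /api/ with a curl user agent in eleven seconds while the poster's own browser session never touches that path. A file named `sedXXXXXX` under /etc/bind is the temporary file `sed -i` writes while editing a file in place, which is why it is gone again afterwards; the interesting artefact is which file in that directory was rewritten at 09:15, and the web-server log narrows which request to look at.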