Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 1:51 pm
by SS88
crackerizer wrote: Sun Apr 08, 2018 1:42 pm
@StudioMaX
That's what I'm looking for the how to. lol
Edit this file: /usr/local/vesta/web/api/index.php
Add this in line 3:
Code:
file_put_contents('/tmp/postlog.txt', print_r($_POST, true));
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 2:03 pm
by crackerizer
@SS88, Thanks for your suggestion.
Guys, I think the guy from the IP in my previous post is also observing this forum. I should have been more careful posting the IP address. I think he might have already removed my IP from his exploited pool.
Is there any safer channel we can discuss?
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 2:05 pm
by lukapaunovic
Remove the virus he injected and he'll try again. At least we know the vuln is in the API now.
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 2:08 pm
by SS88
By looking at the file he's restricted to /usr/local/vesta/bin/
Can you send a list of the files you have in that directory, to see if the exploit is in the current code or whether he added his own file with unrestricted access?
Have you added any third party scripts such as App Installers? Usually these also add their own file to /usr/local/vesta/bin/
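One way to answer SS88's question (which files in /usr/local/vesta/bin are the shipped ones, which were altered, and which were dropped in by a third party or an attacker) is to compare the directory against a known-good manifest. The script below is an added example, not code from any post or from VestaCP: it constructs a small "clean install", hashes it into a sha256sum manifest, tampers with it, and then audits the directory. The directory layout, script names and the tampering are all constructed for the demonstration; on a real server you would point BIN_DIR at /usr/local/vesta/bin and MANIFEST at a hash listing taken from a clean install of the same Vesta version.

```shell
#!/bin/sh
# Added example, not VestaCP code: audit a Vesta bin directory against a
# known-good manifest so that modified, missing and unknown scripts stand out.
# Everything is built in a temp dir so it runs anywhere; on a real box set
# BIN_DIR=/usr/local/vesta/bin and MANIFEST to a `sha256sum` listing taken
# from a clean install of the same Vesta version.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BIN_DIR="$WORK/bin"
MANIFEST="$WORK/manifest.sha256"
mkdir -p "$BIN_DIR"

# Constructed "clean install": two scripts, hashed into the manifest.
printf '#!/bin/bash\necho list-user\n' > "$BIN_DIR/v-list-user"
printf '#!/bin/bash\necho check-password\n' > "$BIN_DIR/v-check-user-password"
( cd "$BIN_DIR" && sha256sum v-list-user v-check-user-password ) > "$MANIFEST"

# Constructed tampering: one shipped script altered, one unknown script added.
printf '#!/bin/bash\necho tampered\n' > "$BIN_DIR/v-check-user-password"
printf '#!/bin/bash\necho dropped-in\n' > "$BIN_DIR/v-app-installer"

# audit_bin DIR MANIFEST
# Prints one line per finding: MODIFIED, MISSING or UNKNOWN followed by the
# script name. Anything it prints deserves a look; silence means the
# directory matches the manifest exactly.
audit_bin() {
    dir=$1
    manifest=$2
    # Every manifest entry: re-hash the file on disk and compare.
    while read -r expected name; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING $name"
        elif [ "$(sha256sum "$dir/$name" | cut -d' ' -f1)" != "$expected" ]; then
            echo "MODIFIED $name"
        fi
    done < "$manifest"
    # Every file on disk: flag it if the manifest does not list it.
    for path in "$dir"/*; do
        name=${path##*/}
        awk -v n="$name" '$2 == n { found = 1 } END { exit !found }' "$manifest" \
            || echo "UNKNOWN $name"
    done
}

audit_bin "$BIN_DIR" "$MANIFEST"
```

Against the constructed directory this prints MODIFIED v-check-user-password and UNKNOWN v-app-installer. The manifest has to come from somewhere the attacker could not touch (a fresh install on another machine, or the package file itself); a manifest generated on the compromised host after the fact only tells you what changed from now on, which is still useful as a tripwire for the "he'll try again" case.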
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 2:09 pm
by Prime
I'm setting up a honeypot server on a VPS right now and we'll see how it goes. I'm not very hopeful, as my other installation of Vesta is running behind the same network and wasn't attacked.
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 2:09 pm
by ivcha92
// the submitted password is written to a temp file; the file's path is what
// ends up on the command line below
$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
// the command string is built by concatenation and handed to /bin/sh by exec()
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
unlink($v_password);
Just checked Vesta API. Haven't tested yet but it might be a way to inject shell command in "password" parameter of post request since it is not escaped with escapeshellarg(). Will try to test it out on my other server to see if this may be an issue
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 2:13 pm
by lukapaunovic
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 2:14 pm
by MAN5
crackerizer wrote: Sun Apr 08, 2018 2:03 pm
@SS88, Thanks for your suggestion.
Guys, I think the guy from the IP in my previous post is also observing this forum. I should have been more careful posting the IP address. I think he might have already removed my IP from his exploited pool.
Is there any safer channel we can discuss?
VestaTeam, please remove this entry, so that hopefully the hacker does not learn of it.
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 2:14 pm
by SS88
ivcha92 wrote: Sun Apr 08, 2018 2:09 pm
// the submitted password is written to a temp file; the file's path is what
// ends up on the command line below
$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
// the command string is built by concatenation and handed to /bin/sh by exec()
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
unlink($v_password);
Just checked Vesta API. Haven't tested yet but it might be a way to inject shell command in "password" parameter of post request since it is not escaped with escapeshellarg(). Will try to test it out on my other server to see if this may be an issue
Quite right, I think, +1. Plus a reference on the use of the 'buggy' escapeshellarg:
https://gist.github.com/Zenexer/40d02da ... a11af9ab36
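The snippet ivcha92 posted, and SS88's +1 above, turn on what happens when a user-controlled value is concatenated into the string given to PHP's exec(). exec() hands that string to /bin/sh -c, so the behaviour can be shown at the shell layer without PHP. The script below is an added example, not code from either post or from VestaCP: it rebuilds the snippet's concatenation in sh, runs a constructed payload through it, and then runs the same payload through a quoting helper that does on Linux what escapeshellarg() does (single-quote the value, turning each embedded ' into '\''). The real v-check-user-password is replaced by a stub that only prints the argv it received; the stub, the payload and the 192.0.2.10 address are all constructed for the demonstration. Note that in the posted snippet the password itself goes into a temp file and only that file's path is placed on the command line, so the demonstration is of the concatenation pattern in general, whichever parameter reaches it.

```shell
#!/bin/sh
# Added example, not VestaCP code: the API snippet's command building,
# reproduced at the sh layer that PHP's exec() ultimately calls, in its
# concatenated form and in a quoted form.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for v-check-user-password: prints one argv per line.
STUB="$WORK/v-check-user-password"
cat > "$STUB" <<'EOF'
#!/bin/sh
printf '%s\n' "$@"
EOF
chmod +x "$STUB"

# shquote VALUE: what escapeshellarg() produces on Linux. Wrap in single
# quotes and replace each embedded ' with '\'' so the shell sees one word.
shquote() {
    printf "'%s'" "$(printf '%s\n' "$1" | sed "s/'/'\\\\''/g")"
}

# run_unsafe USER PWFILE IP: the snippet's concatenation, verbatim in sh.
run_unsafe() {
    sh -c "$STUB $1 $2 '$3'"
}

# run_safe USER PWFILE IP: every value quoted before it enters the string.
run_safe() {
    sh -c "$STUB $(shquote "$1") $(shquote "$2") $(shquote "$3")"
}

# Constructed payload: terminates the intended command, appends its own
# command, and comments out whatever follows on the line.
PAYLOAD="admin; touch $WORK/injected #"

# injection_fires RUNNER: succeeds (exit 0) if the payload's touch executed.
injection_fires() {
    rm -f "$WORK/injected"
    "$1" "$PAYLOAD" "$WORK/pwfile" 192.0.2.10 >/dev/null 2>&1
    [ -f "$WORK/injected" ]
}

echo "concatenated: injected command ran -> $(injection_fires run_unsafe && echo yes || echo no)"
echo "quoted:       injected command ran -> $(injection_fires run_safe && echo yes || echo no)"
echo "argv received by the stub in the quoted form:"
run_safe "$PAYLOAD" "$WORK/pwfile" 192.0.2.10
```

In the concatenated form the stub receives only "admin" and the touch runs; in the quoted form the stub receives the whole payload as its first argument and nothing else executes. In PHP terms that means escapeshellarg() on every value that enters an exec() string, not just one of them; better still, on PHP 7.4 and later, proc_open() accepts an array of arguments and never invokes a shell, which removes the quoting question altogether.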
Re: Got 10 VestaCP servers exploited
Posted: Sun Apr 08, 2018 2:17 pm
by imperio
You can send all security information via [email protected]