Re: All VestaCP installations being attacked

Posted: Fri Oct 19, 2018 11:58 am
by kandalf
imperio wrote: Fri Oct 19, 2018 11:54 am Good. You have removed all virus files from your server.
Nice, thank you for your help

Re: All VestaCP installations being attacked

Posted: Fri Oct 19, 2018 12:05 pm
by peterb
/sbin/chkconfig --list
returns
dhcprenew 0:off 1:on 2:on 3:on 4:on 5:on 6:off
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
vesta 0:off 1:off 2:on 3:on 4:on 5:on 6:off

I presume I "AM" infected then?

I have updated to 23.
What else should I do?

What does the email from you mean, to contact you at info@? Is that genuine?

I have
dhcprenew.disabled
in /usr/bin.
Is disabling it enough, or should I delete it?

Do I have others? Where should I look?

Any help much appreciated!

I also deleted
dhcprenew
in /etc/init.d
and now I get
/sbin/chkconfig --list
returns
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
vesta 0:off 1:off 2:on 3:on 4:on 5:on 6:off

does that mean I am clean now?

Re: All VestaCP installations being attacked

Posted: Fri Oct 19, 2018 12:05 pm
by artuof
imperio wrote: Fri Oct 19, 2018 11:54 am Good. You have removed all virus files from your server.
How can I test it on Ubuntu?

root@miserver:~# service --status-all
[ + ] acpid
[ + ] apache-htcacheclean
[ + ] apache2
[ + ] apcupsd
[ + ] apparmor
[ + ] apport
[ + ] atd
[ + ] bind9
[ - ] bootmisc.sh
[ - ] checkfs.sh
[ - ] checkroot-bootclean.sh
[ - ] checkroot.sh
[ + ] clamav-daemon
[ - ] clamav-freshclam
[ + ] console-setup
[ + ] cron
[ - ] cryptdisks
[ - ] cryptdisks-early
[ + ] dbus
[ + ] dovecot
[ + ] exim4
[ + ] fail2ban
[ + ] grub-common
[ - ] hostname.sh
[ - ] hwclock.sh
[ + ] irqbalance
[ + ] iscsid
[ + ] keyboard-setup
[ - ] killprocs
[ + ] kmod
[ - ] lvm2
[ + ] lvm2-lvmetad
[ + ] lvm2-lvmpolld
[ + ] lxcfs
[ - ] lxd
[ + ] mdadm
[ - ] mdadm-waitidle
[ - ] mountall-bootclean.sh
[ - ] mountall.sh
[ - ] mountdevsubfs.sh
[ - ] mountkernfs.sh
[ - ] mountnfs-bootclean.sh
[ - ] mountnfs.sh
[ + ] mysql
[ + ] networking
[ + ] ondemand
[ + ] open-iscsi
[ - ] open-vm-tools
[ - ] plymouth
[ - ] plymouth-log
[ + ] procps
[ + ] quota
[ - ] quotarpc
[ + ] rc.local
[ + ] resolvconf
[ - ] rsync
[ + ] rsyslog
[ - ] screen-cleanup
[ - ] sendsigs
[ + ] spamassassin
[ + ] ssh
[ + ] udev
[ + ] ufw
[ - ] umountfs
[ - ] umountnfs.sh
[ - ] umountroot
[ + ] unattended-upgrades
[ - ] ups-monitor
[ + ] urandom
[ - ] uuidd
[ + ] vesta
[ - ] vsftpd
[ - ] x11-common

Re: All VestaCP installations being attacked

Posted: Fri Oct 19, 2018 12:08 pm
by imperio
Also root and admin passwords should be changed. It's important.

Re: All VestaCP installations being attacked

Posted: Fri Oct 19, 2018 12:19 pm
by imperio
artuof, dhcprenew is not loaded at autorun on your server

Re: All VestaCP installations being attacked

Posted: Fri Oct 19, 2018 2:10 pm
by joni
@Imperio,
Is this result ok?
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.

If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.

netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
vesta 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@t-knight ~]#

Re: All VestaCP installations being attacked

Posted: Fri Oct 19, 2018 2:28 pm
by imperio
Here is what needs to be done:
1. Find and remove the dhcprenew binary from the system

find /etc -name "*dhcprenew*"
find /usr/bin -name "*dhcprenew*"

2. Stop the running process named kworker that was launched between 24-28 Sept

ps auxf

3. Run the rkhunter script to make sure there are no other affected binary files

apt-get install rkhunter
yum install rkhunter
http://rkhunter.sourceforge.net/
rkhunter -c -k

4. Change the current password for the admin and root user

Or you can spin up another server and migrate your users using the following doc
http://vestacp.com/docs/#how-to-migrate ... her-server

For more information about this trojan please read
https://www.welivesecurity.com/2018/10/ ... installed/

5. That's all

Re: All VestaCP installations being attacked

Posted: Fri Oct 19, 2018 3:16 pm
by artuof
At present, I have these processes:

root@miserver:~# ps auxf | grep kworker
root         5  0.0  0.0      0     0 ?        S<   mar25   0:00  \_ [kworker/0:0H]
root        15  0.0  0.0      0     0 ?        S<   mar25   0:00  \_ [kworker/1:0H]
root        20  0.0  0.0      0     0 ?        S<   mar25   0:00  \_ [kworker/2:0H]
root        25  0.0  0.0      0     0 ?        S<   mar25   0:00  \_ [kworker/3:0H]
root       202  0.0  0.0      0     0 ?        S<   mar25   1:32  \_ [kworker/1:1H]
root       203  0.0  0.0      0     0 ?        S<   mar25 198:40  \_ [kworker/3:1H]
root       204  0.0  0.0      0     0 ?        S<   mar25   1:35  \_ [kworker/2:1H]
root       329  0.0  0.0      0     0 ?        S<   mar25   2:07  \_ [kworker/0:1H]
root      3088  0.0  0.0      0     0 ?        S    10:39   0:00  \_ [kworker/2:2]
root     19698  0.0  0.0      0     0 ?        S    13:39   0:00  \_ [kworker/1:2]
root     23333  0.0  0.0      0     0 ?        S    14:09   0:00  \_ [kworker/2:0]
root     29348  0.0  0.0      0     0 ?        S    15:39   0:00  \_ [kworker/3:2]
root     30584  0.0  0.0      0     0 ?        S    15:59   0:00  \_ [kworker/3:1]
root     31604  0.0  0.0      0     0 ?        S    16:09   0:00  \_ [kworker/0:0]
root     32628  0.0  0.0      0     0 ?        S    16:23   0:00  \_ [kworker/1:0]
root      1229  0.0  0.0      0     0 ?        S    16:39   0:00  \_ [kworker/0:1]
root      2032  0.0  0.0      0     0 ?        S    16:51   0:00  \_ [kworker/u8:0]
root      2466  0.0  0.0      0     0 ?        S    16:59   0:00  \_ [kworker/u8:2]
root      2963  0.0  0.0      0     0 ?        S    17:05   0:00  \_ [kworker/u8:1]
root      3032  0.0  0.0  16760  1024 pts/1    S+   17:08   0:00                      \_ grep kworker

I can't kill them with:
kill -9 5 (for example, to kill the first process)

Would I have to kill all of them on the list?
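As an added example (not code from this thread or from the VestaCP project), a small POSIX shell triage script covering imperio's steps 1 and 2 and the kworker list artuof posted: it reports dhcprenew artefacts under /etc and /usr/bin, and separates genuine kernel kworker threads (which have no executable image and cannot be killed, as artuof saw) from user-space processes that merely carry the kworker name. PROC_ROOT, SYS_ROOT and the function names are assumptions introduced here.

```shell
#!/bin/sh
# Added triage helper; not code from the VestaCP thread or project.
# Assumes Linux with /proc and POSIX tools. PROC_ROOT and SYS_ROOT are
# hypothetical knobs so the checks can be pointed at a copied tree.
PROC_ROOT="${PROC_ROOT:-/proc}"
SYS_ROOT="${SYS_ROOT:-}"

# is_kernel_thread PID: returns 0 only for a genuine kernel thread.
# Real kworkers have no executable image (readlink on exe fails) and an
# empty cmdline; a user-space impostor named "kworker" shows at least one
# of the two even if it deleted its binary after starting.
is_kernel_thread() {
    readlink "$PROC_ROOT/$1/exe" >/dev/null 2>&1 && return 1
    [ -n "$(tr -d '\000' 2>/dev/null < "$PROC_ROOT/$1/cmdline")" ] && return 1
    return 0
}

# suspicious_kworkers: prints "PID NAME" for every process whose comm
# contains "kworker" but which is backed by a real executable.
suspicious_kworkers() {
    for d in "$PROC_ROOT"/[0-9]*; do
        [ -r "$d/comm" ] || continue
        pid="${d##*/}"
        name=$(cat "$d/comm")
        case "$name" in
            *kworker*) is_kernel_thread "$pid" || echo "$pid $name" ;;
        esac
    done
}

# find_dhcprenew: the file-system indicators from step 1; searching /etc
# recursively also covers init.d scripts and rc*.d symlinks.
find_dhcprenew() {
    find "$SYS_ROOT/etc" "$SYS_ROOT/usr/bin" -name '*dhcprenew*' 2>/dev/null
}

# triage: run both checks and print the findings.
triage() {
    echo "== dhcprenew artefacts under /etc and /usr/bin =="
    find_dhcprenew
    echo "== user-space processes posing as kworker =="
    suspicious_kworkers
}
```

For any PID the script flags, `ps -o lstart= -p PID` gives the start date needed for the 24-28 Sept window in step 2.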

Re: All VestaCP installations being attacked

Posted: Fri Oct 19, 2018 4:48 pm
by albertus
imperio wrote: Fri Oct 19, 2018 9:49 am Falzo, stop the insults. We have all said in this thread.
More information you can find here
https://www.welivesecurity.com/2018/10/ ... installed/

In the next time I'll give you a warning.
Excuse me, I don't think there were any insults from Falzo and I agree with him. It's a shame how you dealt with this problem. Nobody should keep trusting any of you as you're not capable of communicating properly. Keeping silent and hiding yourself doesn't help. I truly suggest you decide if you really want to continue maintaining Vesta, as you don't seem capable of such a task.

Re: All VestaCP installations being attacked

Posted: Fri Oct 19, 2018 5:11 pm
by imperio
albertus, please stop the offtopic.
If you really want to scold the development team, please contact us via PM.