Giannis

VestaCP servers hacked

Recommended Posts

This is just a heads up that a lot of VestaCP users' servers have reportedly been hacked and compromised and are sending out spam and DDoS attacking other sites from the compromised servers. Web hosts are suspending VestaCP servers. Full details and ongoing discussion at:

From the VestaCP forums, it seems a command IP related to the hacker is 119.82.29.17

Looks like it might be a Linux/Xor.DDoS (also known as DDoS.XOR or Xorddos) malware. Very old 2015 blog article on this at: https://bartblaze.blogspot.com.au/2015/09/notes-on-linuxxorddos.html


Hopefully it won't create new issues. The exploit appears to have been found in the following code:

Quote

// Pre-fix code: the raw POST password is written to a temp file and the
// file path is interpolated into a shell command string.
$v_password = tempnam("/tmp", "vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");   // unescaped user input lands on disk
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
unlink($v_password);

which they fixed here: https://github.com/serghey-rodin/vesta/commit/3fdee2975db0c80419a0dfefff3c10a2c4de6410


Incident report from the VestaCP team:

Quote

First of all, there were no reports about hacks on 0.9.8-20.
Please update your servers as soon as possible.


For those who are interested in the technical details, here is how the authentication model looked in previous releases:
- PHP script /api/index.php receives the user password via a POST request
- then this script writes the user password to a tmp file (for example /tmp/tmp.cWdkwNbBrR)
This operation was needed to protect the password from being hijacked via the "ps auxf" command.

- Path to the file was then passed to the shell script v-check-user-password:
(v-check-user-password admin /tmp/tmp.cWdkwNbBrR)

- The script reads the content of /tmp/tmp.cWdkwNbBrR and calls a sub process in order to generate a hash based on the file content
hash=$($BIN/v-generate-password-hash $method $salt <<< $password)

We think that this part could allow for arbitrary code execution. Theoretically you could send something like
"password; cat /etc/passwd" to get the content of /etc/passwd. However we weren't able to bypass auth protection ourselves.


Here is what we did in the new release.
- The PHP process still receives the unescaped password via POST
- Then, instead of transmitting this password to the script, it now creates a hash
- Then this hash is written into the tmp file
This way an injected string like "password; cat /etc/passwd" converts to a harmless "7v8FlZefN7aQ9OoxGkR8lFHKejCxH9g64TQVVoRUuAObszO2hJy.CAs8ZG3JUtDKYQZNIZS61" sequence of characters, which makes it impossible to inject anything.
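The two-step change described in the report (hash in the web process, hand the checker only the hash, and keep every value a separate argv entry rather than part of a shell string), as an added Python illustration that is not VestaCP's code: `password_hash` is a hypothetical stand-in for v-generate-password-hash, the salt and file contents are constructed, and nothing is actually executed.

```python
import base64
import hashlib
import os
import re
import tempfile

# Characters that let a raw value alter a shell command line
SHELL_META = re.compile(r"[;&|`$(){}<>\"'\\\s]")
# Alphabet of the hash we write: crypt-style, contains no shell metacharacters
HASH_ALPHABET = re.compile(r"[A-Za-z0-9./]+")

def password_hash(password: str, salt: str) -> str:
    """Hypothetical stand-in for v-generate-password-hash: a one-way function
    whose output is confined to the crypt alphabet [A-Za-z0-9./]."""
    digest = hashlib.sha512((salt + password).encode("utf-8")).digest()
    return base64.b64encode(digest, altchars=b"./").decode("ascii").rstrip("=")

def write_credential_file(password: str, salt: str, hash_first: bool) -> str:
    """Write the value the checker script will read from /tmp.
    hash_first=False mirrors the old release (raw POST value);
    hash_first=True mirrors the fixed release (hash only)."""
    value = password_hash(password, salt) if hash_first else password
    fd, path = tempfile.mkstemp(prefix="vst")  # created 0600, unlike tempnam()
    with os.fdopen(fd, "w") as fp:
        fp.write(value + "\n")
    return path

def file_is_shell_safe(path: str) -> bool:
    """True if nothing in the file could be interpreted by a shell that
    interpolates the line (the concern raised in the report)."""
    with open(path) as fp:
        content = fp.read().rstrip("\n")
    return HASH_ALPHABET.fullmatch(content) is not None and not SHELL_META.search(content)

def checker_argv(user: str, cred_path: str, remote_addr: str) -> list:
    """Argument vector for v-check-user-password. Handing a list to
    subprocess.run (no shell=True) makes each value one argv entry, so
    nothing here is ever re-parsed by /bin/sh the way exec() string concat is."""
    return ["v-check-user-password", user, cred_path, remote_addr]

def demo(password: str, salt: str, hash_first: bool) -> bool:
    """Write, inspect and remove a credential file; return whether it was shell safe."""
    path = write_credential_file(password, salt, hash_first)
    try:
        return file_is_shell_safe(path)
    finally:
        os.unlink(path)

if __name__ == "__main__":
    hostile = "password; cat /etc/passwd"  # the string from the VestaCP report
    for mode in (False, True):
        print("hash_first=%s -> shell safe: %s" % (mode, demo(hostile, "constructed-salt", mode)))
```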
