Giannis, posted April 10, 2018

This is just a heads up that a lot of VestaCP users' servers have reportedly been hacked and compromised and are sending out spam and DDoS attacking other sites from the compromised servers. Web hosts are suspending VestaCP servers. Full details and ongoing discussion at:

https://forum.vestacp.com/viewtopic.php?f=10&t=16556
https://www.digitalocean.com/community/questions/how-do-i-determine-the-impact-of-vestacp-vulnerability-from-april-8th-2018
https://www.lowendtalk.com/discussion/141728/vestacp-possibly-hit-with-zeroday-exploit
https://hostballs.com/t/potential-vestacp-zeroday-exploit/52

From the VestaCP forums, it seems a command IP related to the hacker is 119.82.29.17.

Looks like it might be the Linux/Xor.DDoS (also known as DDoS.XOR or Xorddos) malware. Very old 2015 blog article on this at: https://bartblaze.blogspot.com.au/2015/09/notes-on-linuxxorddos.html
NickTheGreek, posted April 10, 2018

Alarming, to say the least.
Giannis, posted April 10, 2018

Vesta released a new version with the exploit fixed.
NickTheGreek, posted April 10, 2018

I've seen so many Vesta installs break on update that you may well find it fixes this issue and creates others.
Giannis, posted April 10, 2018

Hopefully it doesn't create new problems. The exploit seems to have been found in the following code:

Quote:

```php
// Vulnerable flow (pre-fix): the raw POST password is written to a temp file
// and the file path is handed to the shell script v-check-user-password.
$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
unlink($v_password);
```

which they fixed here: https://github.com/serghey-rodin/vesta/commit/3fdee2975db0c80419a0dfefff3c10a2c4de6410
NickTheGreek, posted April 10, 2018

Maybe I knew something, since I was even blocking 8083 by default. So far I haven't found anything anywhere.
Giannis, posted April 10, 2018

Incident report from the VestaCP team:

Quote:

First of all, there were no reports about hacks on 0.9.8-20. Please update your servers as soon as possible.

For those who are interested in technical details, here is what the authentication model looked like in previous releases:

- PHP script /api/index.php receives the user password via POST request
- then this script writes the user password to a tmp file (for example /tmp/tmp.cWdkwNbBrR). This operation was needed to protect the password from being hijacked via the "ps auxf" command.
- The path to the file was then passed to the shell script v-check-user-password: (v-check-user-password admin /tmp/tmp.cWdkwNbBrR)
- The script reads the content of /tmp/tmp.cWdkwNbBrR and calls a sub process in order to generate a hash based on the file content: hash=$($BIN/v-generate-password-hash $method $salt <<< $password)

We think that this part could allow for arbitrary code execution. Theoretically you could send something like "password; cat /etc/passwd" to get the content of /etc/passwd. However, we weren't able to bypass auth protection ourselves.

Here is what we did in the new release:

- The PHP process still receives the unescaped password via POST
- Then instead of transmitting this password to the script, it now creates a hash
- Then this hash is written into the tmp file

This way an injected string like "password; cat /etc/passwd" converts to a harmless "7v8FlZefN7aQ9OoxGkR8lFHKejCxH9g64TQVVoRUuAObszO2hJy.CAs8ZG3JUtDKYQZNIZS61" sequence of characters, which makes it impossible to inject anything.
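The hash-before-handoff pattern the VestaCP team describes, as an added illustration that is not VestaCP's code: the raw password is reduced to a string drawn only from a shell-inert alphabet before it is written to the temp file, the file is created with 0600 permissions via mkstemp, and the checker is invoked with an argv list so no shell ever parses the user name, path or remote address. The hash scheme (PBKDF2-SHA512, base64 with a "./" alphabet) and the stand-in checker are assumptions of this example; the real v-generate-password-hash and v-check-user-password scripts differ.

```python
"""Added example: hash an untrusted password before handing it to a helper process."""
import base64
import hashlib
import os
import re
import subprocess
import sys
import tempfile

# Alphabet a hashed password may contain. None of these characters mean anything
# to sh, so a value matching this pattern cannot carry a command injection.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9./]+")


def is_shell_safe(value: str) -> bool:
    """True if value consists solely of characters with no meaning to a shell."""
    return SAFE_TOKEN.fullmatch(value) is not None


def hash_password(password: str, salt: str) -> str:
    """Derive a shell-inert hash from the raw password.

    Assumption: PBKDF2-SHA512 encoded with a './' base64 alphabet. Whatever the
    input contains (';', '$', quotes, newlines), the output is [A-Za-z0-9./] only.
    """
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt.encode(), 200_000)
    return base64.b64encode(digest, altchars=b"./").decode().rstrip("=")


def write_secret_file(contents: str) -> str:
    """Write the value to a fresh 0600 temp file so it never shows up in `ps`."""
    fd, path = tempfile.mkstemp(prefix="vst")
    with os.fdopen(fd, "w") as fp:
        fp.write(contents + "\n")
    return path


def check_user_password(user: str, password: str, remote_addr: str, salt: str) -> int:
    """Hardened flow: hash first, write only the hash, call the checker without a shell.

    Returns the checker's exit status (0 = the file content was a clean token).
    """
    hashed = hash_password(password, salt)
    if not is_shell_safe(hashed):  # defensive; cannot happen with the alphabet above
        raise ValueError("hash contains shell metacharacters")
    path = write_secret_file(hashed)
    try:
        # Hypothetical checker standing in for v-check-user-password: it re-reads
        # the temp file and exits 0 only if the content is a shell-safe token.
        checker = [
            sys.executable, "-c",
            "import re, sys; t = open(sys.argv[1]).read().strip(); "
            "sys.exit(0 if re.fullmatch(r'[A-Za-z0-9./]+', t) else 1)",
            path,
        ]
        # argv list, no shell: user and remote_addr are passed as literal arguments
        result = subprocess.run(checker + [user, remote_addr], check=False)
        return result.returncode
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Constructed input using the payload shape quoted in the report above.
    probe = "password; cat /etc/passwd"
    print("raw input shell-safe:", is_shell_safe(probe))
    print("hashed shell-safe:   ", is_shell_safe(hash_password(probe, "salt")))
    print("checker exit status: ", check_user_password("admin", probe, "127.0.0.1", "salt"))
```

The pre-fix flow differs only in what gets written to the temp file: the POST value verbatim instead of its hash, which is why whatever the downstream script then does with that content matters. Hashing in the web process removes the question entirely, because the helper only ever sees a fixed-alphabet token.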