VestaCP panel hack, part two

Smalesh

Our infrastructure server was hacked. Presumably using an API bug in release 0.9.8-20. The hackers then changed all installation scripts to log the admin password and IP in addition to the distro name we used to collect stats.

Please check if your server IP is here
>>>>> <<<<<

If it's there you should change admin passwords as soon as possible. Also please make sure there is no /usr/bin/dhcprenew binary installed on your server. This binary is some sort of trojan that is able to launch a remote DDoS attack or open a shell to your server.


Elegant, though. The trojan sits at /usr/bin/dhcprenew; the procedure is:
Code:
# check whether the file is there
file /usr/bin/dhcprenew
# nuke it
rm -f /usr/bin/dhcprenew
# change the admin password
passwd admin
# change the root password
passwd root
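
As an added example (not part of the original post and not VestaCP's own tooling), here is a defender-side script that automates the checks above without throwing away evidence: it reports whether /usr/bin/dhcprenew exists, preserves a copy with its ls -l line and SHA-256 in a quarantine directory before deleting it, and compares the installed vesta package against the fixed release 0.9.8-23. The quarantine path /root/ir-quarantine and the `audit` argument are assumptions of this example; the version is read with rpm -q, so the check reports "unknown" on non-RPM systems.

```shell
#!/bin/sh
# Added example, not from the original post or from VestaCP: a defender-side
# check for the dhcprenew incident. Run as root: sh vesta_check.sh audit

TROJAN_PATH="${TROJAN_PATH:-/usr/bin/dhcprenew}"          # path named in the announcement
QUARANTINE_DIR="${QUARANTINE_DIR:-/root/ir-quarantine}"   # assumed location for the preserved sample
FIXED_VERSION="0.9.8-23"                                  # release carrying the security fixes

# Print "present" or "absent" for the given path; exits 0 either way so it is
# safe to use under set -e.
dhcprenew_status() {
    if [ -e "$1" ]; then echo present; else echo absent; fi
}

# Preserve the binary (cp -p keeps mode and timestamps), its ls -l line and a
# SHA-256 in the quarantine dir, then delete it. A plain rm -f, as in the post,
# destroys the only sample you have for analysis or for sharing an IoC.
quarantine_binary() {
    path="$1"; dest="$2"
    [ -e "$path" ] || return 0
    mkdir -p "$dest"
    cp -p "$path" "$dest/"
    ls -l "$path" > "$dest/metadata.txt"
    { sha256sum "$path" 2>/dev/null || shasum -a 256 "$path"; } >> "$dest/metadata.txt"
    rm -f "$path"
}

# Compare two "X.Y.Z-N" package versions numerically, field by field.
# Returns 0 when $1 >= $2, 1 otherwise.
version_ge() {
    a=$(printf '%s' "$1" | tr '-' '.'); b=$(printf '%s' "$2" | tr '-' '.')
    i=1
    while :; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0     # every field equal
        x=${x:-0}; y=${y:-0}                        # missing field counts as 0
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i+1))
    done
}

# Installed vesta version as "VERSION-RELEASE", or "unknown" where rpm is
# absent or the package is not installed.
installed_vesta_version() {
    if rpm -q vesta >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}' vesta
    else
        echo unknown
    fi
}

run_audit() {
    echo "dhcprenew: $(dhcprenew_status "$TROJAN_PATH")"
    if [ "$(dhcprenew_status "$TROJAN_PATH")" = present ]; then
        quarantine_binary "$TROJAN_PATH" "$QUARANTINE_DIR"
        echo "sample preserved in $QUARANTINE_DIR and removed from $TROJAN_PATH"
        echo "next: passwd admin; passwd root (the tampered installer logged them)"
    fi
    v=$(installed_vesta_version)
    if [ "$v" = unknown ]; then
        echo "vesta version: unknown (no rpm); check with your package manager"
    elif version_ge "$v" "$FIXED_VERSION"; then
        echo "vesta version: $v (fixed release or later)"
    else
        echo "vesta version: $v, older than $FIXED_VERSION"
        echo 'run: yum update vesta\*'
    fi
}

case "${1:-}" in audit) run_audit ;; esac
```

The quarantine step is the one thing worth keeping even if you script nothing else: once the binary is gone you cannot hash it, compare it across servers, or hand it to anyone for analysis.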
 
Release notes for 0.9.8-23
  • Security fix for timing attack on password reset. Thanks to
  • Security fix for v-open-fs-config. Its visibility is limited to /etc and /var/lib directories
  • Security check for /usr/bin/dhcprenew binary. If found checker notifies server administrator
  • Security improvement for sudo. It is now limited to vesta scripts only and doesn't allow admin to execute any other command
  • Security improvement: admin password and database passwords are generated individually
  • Security improvement: new installer doesn't use c.vestacp.com as source for the configuration files. Configs are bundled inside vesta package
  • Security improvement: installer doesn't send any information to vestacp.com after successful installation. It used to send distro name for usage statistics.

Code:
[root@static ~]# yum update vesta\*
Loaded plugins: fastestmirror
base                                                                                                               | 3.6 kB  00:00:00
elasticsearch-2.x                                                                                                  | 2.9 kB  00:00:00
epel/x86_64/metalink                                                                                               |  20 kB  00:00:00
epel                                                                                                               | 3.2 kB  00:00:00
extras                                                                                                             | 3.4 kB  00:00:00
mariadb                                                                                                            | 2.9 kB  00:00:00
remi                                                                                                               | 2.9 kB  00:00:00
remi-php70                                                                                                         | 2.9 kB  00:00:00
remi-safe                                                                                                          | 2.9 kB  00:00:00
updates                                                                                                            | 3.4 kB  00:00:00
vesta                                                                                                              | 2.9 kB  00:00:00
(1/13): base/7/x86_64/group_gz                                                                                     | 166 kB  00:00:00
(2/13): epel/x86_64/group_gz                                                                                       |  88 kB  00:00:00
(3/13): extras/7/x86_64/primary_db                                                                                 | 204 kB  00:00:00
(4/13): epel/x86_64/updateinfo                                                                                     | 933 kB  00:00:00
(5/13): remi/primary_db                                                                                            | 2.2 MB  00:00:00
(6/13): elasticsearch-2.x/primary_db                                                                               | 9.3 kB  00:00:00
(7/13): remi-php70/primary_db                                                                                      | 216 kB  00:00:00
(8/13): epel/x86_64/primary                                                                                        | 3.6 MB  00:00:00
(9/13): mariadb/primary_db                                                                                         |  65 kB  00:00:00
(10/13): remi-safe/primary_db                                                                                      | 1.3 MB  00:00:00
(11/13): vesta/x86_64/primary_db                                                                                   |  83 kB  00:00:00
(12/13): base/7/x86_64/primary_db                                                                                  | 5.9 MB  00:00:01
(13/13): updates/7/x86_64/primary_db                                                                               | 6.0 MB  00:00:01
Determining fastest mirrors
 * base: mirror.wiuwiu.de
 * epel: ftp.uni-stuttgart.de
 * extras: mirror.23media.de
 * remi: mirror.23media.de
 * remi-php70: mirror.23media.de
 * remi-safe: mirror.23media.de
 * updates: mirror.wiuwiu.de
epel                                                                                                                          12741/12741
Resolving Dependencies
--> Running transaction check
---> Package vesta.x86_64 0:0.9.8-22 will be updated
---> Package vesta.x86_64 0:0.9.8-23 will be an update
---> Package vesta-nginx.x86_64 0:0.9.8-22 will be updated
---> Package vesta-nginx.x86_64 0:0.9.8-23 will be an update
---> Package vesta-php.x86_64 0:0.9.8-22 will be updated
---> Package vesta-php.x86_64 0:0.9.8-23 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================================
 Package                             Arch                           Version                           Repository                     Size
==========================================================================================================================================
Updating:
 vesta                               x86_64                         0.9.8-23                          vesta                         2.6 M
 vesta-nginx                         x86_64                         0.9.8-23                          vesta                         297 k
 vesta-php                           x86_64                         0.9.8-23                          vesta                          12 M

Transaction Summary
==========================================================================================================================================
Upgrade  3 Packages

Total download size: 15 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/3): vesta-nginx-0.9.8-23.x86_64.rpm                                                                             | 297 kB  00:00:01
(2/3): vesta-0.9.8-23.x86_64.rpm                                                                                   | 2.6 MB  00:00:04
(3/3): vesta-php-0.9.8-23.x86_64.rpm                                                                               |  12 MB  00:00:16
------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                     855 kB/s |  15 MB  00:00:17
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Updating   : vesta-php-0.9.8-23.x86_64                                                                                              1/6
  Updating   : vesta-0.9.8-23.x86_64                                                                                                  2/6
  Updating   : vesta-nginx-0.9.8-23.x86_64                                                                                            3/6
  Cleanup    : vesta-0.9.8-22.x86_64                                                                                                  4/6
  Cleanup    : vesta-php-0.9.8-22.x86_64                                                                                              5/6
  Cleanup    : vesta-nginx-0.9.8-22.x86_64                                                                                            6/6
  Verifying  : vesta-0.9.8-23.x86_64                                                                                                  1/6
  Verifying  : vesta-nginx-0.9.8-23.x86_64                                                                                            2/6
  Verifying  : vesta-php-0.9.8-23.x86_64                                                                                              3/6
  Verifying  : vesta-0.9.8-22.x86_64                                                                                                  4/6
  Verifying  : vesta-nginx-0.9.8-22.x86_64                                                                                            5/6
  Verifying  : vesta-php-0.9.8-22.x86_64                                                                                              6/6

Updated:
  vesta.x86_64 0:0.9.8-23                   vesta-nginx.x86_64 0:0.9.8-23                   vesta-php.x86_64 0:0.9.8-23

Complete!
[root@static ~]#
 