Seems like it has nothing to do with the VestaCP thing though.
[…] it’s possible to exploit the unsanitized, user-controlled “_uid” parameter (in an archive.php _task=mail&_mbox=INBOX&_action=plugin.move2archive request) to perform an MX (IMAP) injection attack by placing an IMAP command after a %0d%0a sequence
I don’t think you can place files in /etc using IMAP.
What could be done, is placing the file with roundcube. This gets your script on the server. Then use the API on VestaCP to launch the script as admin using sudo to said script. Said script then can do what ever, i.e. install the virus.
Maybe, assuming that part isn’t sanitized partially. It might be easier to use the api to run a command or script like …/…/…/…/tmp/sys*/tmp/gcc.sh
Yeah, just checked. Even in the June 2016 edition the api had some “escapeshallarg()” functions protecting the api. Though it still looks like shit. wants to create for() loops so badly!
Funny a while back he was praising it as doing things right, suddenly it’s a mess. Wasn’t any cleaner back then. I’m not confusing him with someone else am I? Pretty sure it was rack911.
Vestacp is fairly reasonable. There is however some security concerns in the backup system that I had seen.
It is however not a pool of security holes like kloxo or gplhost.
If anything I’d expect it to have more security issues back then, than now. Though I guess he didn’t inspect it too too much. Or Patrick just happened to catch more issues than Steven.
I am saying there was a roundcube config file that had been tampered with. this enabled the attacker to send a request to the webmailer including malicious code as header var ‘accept-charset’, which in the end would be executed through the eval-lines in that config.
you can do that e.g. with a curl request to the /webmail url and adding something like
traces in the logfiles would be a single barely noticable HEAD request without further clues …
this config file including those eval commands is NOT part of any default roundcube install but gets pulled from the vesta config repos during the install process. given the original timestamps of the file it’s been there from some date in december 2017 and got replaced some time after the DDOS happened - but only in the repos and not on the VMs. that’s why I am saying, machines that only got desinfected or maybe even reinstalled directly after the DDOS but before the repo got cleaned, would have been vulnerable until this update now.
for me this also makes sense if you think about the missing pattern on which VMs got hacked - only those that have been installed after december 2017 … got pretty much nothing to do with port 8083 or not, though this of course was the first most common conclusion to be made.
It makes a lot of sense. Up to a certain point the best detail we had was only as strong as an instance of “it kind of looks like the attacker hit roundcube.”
Boxes were being hit left and right and it had been occurring for at least 24 hours before I took down my instances, where I had replaced roundcube with manual installations. I wasn’t hit. That’s not a strong piece of evidence but one I’d toss in a bucket full of all the little pieces we’ve had.