
I got an email from my hosting provider telling me that my VPS was used to perform DDOS attacks on this website: cpanel4.vhosting-it.com. Unfortunately I haven't read their email sooner, so they suspended my account.

Here's the log that they receive from the attacked website.

Before reactivating my VPS, I want to know how I can find the shell script used to perform the attack and how the attacker gained access to my VPS. How can I protect my VPS after reactivating it?

I'm using Ubuntu 18.04 + nginx + ISPConfig.

Edit1:

My hosting provider is waiting for my report explaining the issue and the measures I made to prevent similar incidents in the future.

Edit2: OK, so after regaining access to my VPS, I've found this:

1. nginx can't start; it gives me some error. After checking journalctl I found that ISPConfig was down after a PHP file was uploaded to the upload folder.
2. After logging in to my server through FTP I found that hundreds of PHP files and folders were created!!! In principle it's another PHP file but renamed and with small modifications in some variables.
3. The index.php file was also modified.
4. Kaspersky marks those PHP files as viruses (Trojan.PHP.Agent.uo).

So what I did is:

1. Removed all those PHP files.
2. Installed Wordfence and made a scan, then repaired all repairable files and deleted the others.
3. I'll back up my DB and some critical files, then reinstall my VPS.

brackhap

2 Answers


I want to know how can I find the shell script used to perform the attack

Check Logs

Here is a list of some logs you could look at:

/var/log/messages # General message and system related stuff
/var/log/auth.log # Authentication logs
/var/log/kern.log # Kernel logs
/var/log/cron.log # Crond logs
/var/log/maillog # Mail server logs
/var/log/boot.log # System boot log
/var/log/mysqld.log # MySQL database server log file
/var/log/qmail # Qmail log directory
/var/log/httpd # Apache access and error logs directory
/var/log/lighttpd # Lighttpd access and error logs directory
/var/log/secure # Authentication log
/var/log/utmp # Login records file
/var/log/wtmp # Login records file
/var/log/yum.log # Yum command log file
/var/log/nginx # Nginx

Check Bash History

cat ~/.bash_history

A big caveat here is that these are well known log locations and depending on the access the attacker gained, they may have cleared them. This is a start though and may give you some insight as to what happened.

iraleigh
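A defender-side triage of the nginx log the answer lists, as an added example that is not part of the original answer. It assumes nginx's combined log format, WordPress's /wp-content/uploads/ path (the "upload folder" from the question) and GNU find, and runs over constructed sample log lines so it works offline:

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: nginx combined log
# format, a WordPress-style /wp-content/uploads/ directory, GNU find -printf.

# Constructed sample log lines standing in for /var/log/nginx/access.log.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [20/Apr/2020:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Apr/2020:10:01:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 51 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Apr/2020:10:01:15 +0000] "GET /wp-content/uploads/2020/04/cache.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Apr/2020:10:02:00 +0000] "GET /wp-content/uploads/2020/04/logo.png HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Apr/2020:10:03:30 +0000] "POST /wp-content/uploads/2020/04/cache.php HTTP/1.1" 200 0 "-" "python-requests/2.22"
EOF

# Print every request whose path is a .php file under the uploads directory.
# PHP should never be served from there, so any hit is a lead (a 200 especially).
# Combined-format fields: $1 client IP, $4 timestamp, $6 method, $7 path, $9 status.
php_in_uploads() {
    # $1 = access log file
    awk '$7 ~ /\/wp-content\/uploads\/.*\.php(\?|$)/ { print $1, $4, $6, $7, $9 }' "$1"
}

# Distinct client IPs that touched PHP under uploads: the likely operator of the dropped file.
suspect_ips() {
    php_in_uploads "$1" | awk '{ print $1 }' | sort -u
}

# PHP files on disk modified in the last N days, newest first. Run against the
# web root after the log triage; a burst of files sharing one mtime matches the
# "hundreds of php files" the asker found.
recent_php_files() {
    # $1 = web root, $2 = days
    find "$1" -type f -name '*.php' -mtime "-$2" -printf '%TY-%Tm-%Td %TH:%TM %p\n' 2>/dev/null | sort -r
}

php_in_uploads "$SAMPLE_LOG"
suspect_ips "$SAMPLE_LOG"
```

Run the same two functions against the real access log (and its rotated .gz siblings via zcat) to get the first timestamp of the upload, then compare it with the mtimes from recent_php_files to bound the intrusion window.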

Is it this website? https://www.equilibrioebenessere.eu/

Is it running WordPress? From the logs you provided, the attacker was actively scanning for WordPress vulnerabilities and must have found one, taking full control of your server.

Looks like a small site for a spa. I bet this is not carefully monitored and kept up to date with security patches.

Strongly recommend that you backup your WordPress website ASAP. You are lucky the content is not deleted already. It should be restorable on any fresh installation of WordPress.

https://wordpress.com/ provides fully managed WordPress hosting. Recommend that you use a managed WordPress hosting like that, rather than deploy and maintain WordPress yourself. Otherwise delete your VPS and create it again from scratch and restore.

I am not going into how to clean an infected server. It's likely the attacker is running trojan/rootkit on the server and that will be extremely hard to cleanup. Even if cleaned of malware, the vulnerability that gave full control to the attacker is still there and could be re-used any minute to take back full control of the server.

user5994461
Thank you for your answer. https://www.equilibrioebenessere.eu is not my website, and I don't know what it has to do with this attack. The attacked site which made the complaint is https://cpanel4.vhosting-it.com . I'm hosting 3 websites on my VPS; two of them use WordPress and one is using Osclass. – brackhap Apr 22 '20 at 20:07