All VestaCP installations being attacked (topic solved)
Re: All VestaCP installations being attacked
Hi, I have been hacked in April/May and now again (yesterday, 2 clouds), and I'm only using an SSH key to log in. So you won't be safe from this hack even if you are using an SSH key.
EDIT: Vesta has been installed since August on both clouds that were hacked yesterday.
I now remember another hack from the 1st of August where I did DDoS to the same IP as other people who have been hacked in September (myself included).
Attack detail: 10Kpps/81Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags packets bytes reason
2018.08.01 10:33:41 CEST 176.31.115.152:13003 144.0.2.180:80 TCP SYN
This one had been installed since January and got hacked on the 1st of August.
Re: All VestaCP installations being attacked
Here's the attack log my provider gave me, with my VM's IP Address being replaced with <VM IP>.
I hope this is the same vulnerability and not another unknown exploit. These stopped when I changed my SSH port, changed the 'admin' password and installed CSF with SYNFLOOD protection. I have VestaCP's GUI turned off while we still have no idea what's going on.
If there are any logs the admins wish to see I'd be more than happy to check my infected instance and pass them on.
ipv4 2 tcp 6 40 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=12558 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=12558 mark=0 secmark=0 use=2
ipv4 2 tcp 6 2 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=62127 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=62127 mark=0 secmark=0 use=2
ipv4 2 tcp 6 92 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=33896 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=33896 mark=0 secmark=0 use=2
ipv4 2 tcp 6 26 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=29526 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=29526 mark=0 secmark=0 use=2
ipv4 2 tcp 6 45 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=47494 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=47494 mark=0 secmark=0 use=2
ipv4 2 tcp 6 98 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=11174 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=11174 mark=0 secmark=0 use=2
ipv4 2 tcp 6 70 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=649 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=649 mark=0 secmark=0 use=2
ipv4 2 tcp 6 35 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=6718 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=6718 mark=0 secmark=0 use=2
ipv4 2 tcp 6 42 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=21999 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=21999 mark=0 secmark=0 use=2
ipv4 2 tcp 6 95 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=5797 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=5797 mark=0 secmark=0 use=2
ipv4 2 tcp 6 17 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=46857 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=46857 mark=0 secmark=0 use=2
ipv4 2 tcp 6 81 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=53976 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=53976 mark=0 secmark=0 use=2
ipv4 2 tcp 6 22 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=59385 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=59385 mark=0 secmark=0 use=2
ipv4 2 tcp 6 117 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=42659 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=42659 mark=0 secmark=0 use=2
ipv4 2 tcp 6 18 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=55428 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=55428 mark=0 secmark=0 use=2
ipv4 2 tcp 6 61 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=55477 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=55477 mark=0 secmark=0 use=2
Re: All VestaCP installations being attacked
Better idea - https://www.ostechnix.com/allow-deny-ss ... oup-linux/
vi /etc/ssh/sshd_config
# add the following two lines:
PermitRootLogin without-password   # root may log in with a key only, never a password
DenyUsers admin                    # the 'admin' account cannot log in over SSH at all
# then reload the daemon so the change takes effect
systemctl restart sshd
But anyway, this will not prevent the system from being compromised if somewhere he can execute shell commands...
Re: All VestaCP installations being attacked
@realjumy, can you try to edit your original post adding a poll asking about the infected servers? Maybe it will help to understand how many servers were infected.
Just a simple question on the number of servers infected, and people select how many of their servers were infected ;)
Re: All VestaCP installations being attacked
Dear All,
All my VPS at OVH are attacked and have been suspended by OVH; this happened on 24-Sep-2018. We have almost 103 VPS in OVH.
We have no way to get our data out from the OVH VPS as they don't allow us.
What can we do?
Regards
Re: All VestaCP installations being attacked
I don't know a lot about OVH, but I think you can ask them to boot the server in rescue mode to recover your data - just contact their support.
Re: All VestaCP installations being attacked
Support at firstvds.ru can block all ports for my VPS except SSH, and then turn the server on. Maybe you can go through this way?
Re: All VestaCP installations being attacked
Also got a notification from AWS that my server is involved in a DoS on that Chinese IP - I've checked and confirm that my server is compromised and Vesta is not opening.
Starting to get tired of this s#it.