All VestaCP installations being attacked (Topic is solved)
Re: All VestaCP installations being attacked
I need work servers
How do I change the Vesta port?
Re: All VestaCP installations being attacked
In what datacenter are those servers?
Re: All VestaCP installations being attacked
Hi, 21 servers hacked, all hosted by OVH. All of them with random ports.
We really need to have feedback about what the issue was and how it worked. Until then, our servers are going back to Plesk :(
Last edited by MrCraac on Tue Sep 25, 2018 2:31 pm, edited 1 time in total.
Re: All VestaCP installations being attacked
I just want to report I have two customers whose servers were recently reinstalled and everything was clean. They got hacked and their server suspended for outbound DoS.
They had mod_security with Comodo WAF rules implemented on Apache... also maldetect... chkrootkit...
And also had these functions disabled. The sites weren't under admin account. Passwords were strong, clients weren't using nulled.
There seems to be a major security breach in VESTA. This cannot be coincidental. Two servers, same time. It means it was the same entry point (similar to the one before in Roundcube). This needs to be investigated ASAP.
Code:
disable_functions = "pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,show_source,system,passthru,shell_exec,proc_open,popen,phpinfo"
Re: All VestaCP installations being attacked
lukapaunovic wrote: ↑Tue Sep 25, 2018 2:30 pm
> I just want to report I have two customers whose servers were recently reinstalled and everything was clean. They got hacked and their server suspended for outbound DoS.
> They had mod_security with Comodo WAF rules implemented on Apache... also maldetect... chkrootkit...
> And also had these functions disabled. The sites weren't under admin account. Passwords were strong, clients weren't using nulled.
> There seems to be a major security breach in VESTA. This cannot be coincidental. Two servers, same time. It means it was the same entry point (similar to the one before in Roundcube). This needs to be investigated ASAP.
> Code:
> disable_functions = "pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,show_source,system,passthru,shell_exec,proc_open,popen,phpinfo"

Which provider were they using?
Re: All VestaCP installations being attacked
OVH....
They are always being targeted, along with Digital Ocean.
Some people who use Hetzner aren't having issues because bots aren't scanning those IP ranges.
They are just 'lucky'. That doesn't mean the issue/vulnerability is not present.
Re: All VestaCP installations being attacked
I use servers on different hosters problem at all
If port change doesn't help, I think we need to hide or block login on the Vesta panel from the web
but HOW?
I noticed that on one server when I try to open :8083/login/
I see a 502 error
this error was only on one hoster and appeared today
Re: All VestaCP installations being attacked
trom wrote: ↑Tue Sep 25, 2018 3:23 pm
> I use servers on different hosters problem at all
> If port change doesn't help, I think we need to hide or block login on the Vesta panel from the web
> but HOW?
> I noticed that on one server when I try to open :8083/login/
> I see a 502 error
> this error was only on one hoster and appeared today

Try without the /login, and also check that it's the right port.
If that doesn't work, probably the provider stopped your VM.