Vesta Control Panel - Forum

Community Forum


Search found 20 matches

by Prime
Sun Apr 08, 2018 6:38 pm
Forum: General Discussion
Topic: Got 10 VestaCP servers exploited
Replies: 548
Views: 1071638

Re: Got 10 VestaCP servers exploited

Understood. However, according to log entries, our network IDS and IPS logs, and a few other tidbits, this is the current working theory on our end. We certainly need more servers that have been affected to test with and investigate. Volunteers?????? Your theory really doesn't make much sense at th...
  • Jump to post
by Prime
Sun Apr 08, 2018 4:55 pm
Forum: General Discussion
Topic: Got 10 VestaCP servers exploited
Replies: 548
Views: 1071638

Re: Got 10 VestaCP servers exploited

soguor wrote: ↑
Sun Apr 08, 2018 4:52 pm
I know the risk, but can't have these servers stopped.
Kill the vesta service at least if you want to keep the machine running.
  • Jump to post
by Prime
Sun Apr 08, 2018 4:14 pm
Forum: General Discussion
Topic: Got 10 VestaCP servers exploited
Replies: 548
Views: 1071638

Re: Got 10 VestaCP servers exploited

Hi, I have two VPSs on OVH that were attacked. I downloaded the last three backups of Vesta from /backup and reinstalled the OS (Debian 9) with VestaCP. I restored the backup on the new installation and changed the port of VestaCP. At the moment, I am monitoring and don't see anything wrong. On my VPSs, the arc...
  • Jump to post
by Prime
Sun Apr 08, 2018 3:35 pm
Forum: General Discussion
Topic: Got 10 VestaCP servers exploited
Replies: 548
Views: 1071638

Re: Got 10 VestaCP servers exploited

Wonder how many hosts are infected, considering this... Our engineering team continues to work to resolve the networking issue impacting our NYC regions. We believe a previously undisclosed vulnerability in software by some customers on their Droplets is allowing for denial of service (DoS) att...
  • Jump to post
by Prime
Sun Apr 08, 2018 3:31 pm
Forum: General Discussion
Topic: Got 10 VestaCP servers exploited
Replies: 548
Views: 1071638

Re: Got 10 VestaCP servers exploited

Are you using VestaCP? Why would I post here if I don't use it? I've got VestaCP running on one of my not-so-important servers for the past few years, but due to this problem I am likely migrating over all content and sites to Plesk. I don't feel confident having public or private APIs for that ma...
  • Jump to post
by Prime
Sun Apr 08, 2018 3:23 pm
Forum: General Discussion
Topic: Got 10 VestaCP servers exploited
Replies: 548
Views: 1071638

Re: Got 10 VestaCP servers exploited

I've mentioned it before, but the patches that will be released now are not a fix for the actual problem - as it stands right now VestaCP is insecure by its design. As far as I know, basically the entire API and all commands in the background run on the user "admin", that has sudo rights and thus ...
  • Jump to post
by Prime
Sun Apr 08, 2018 2:59 pm
Forum: General Discussion
Topic: Got 10 VestaCP servers exploited
Replies: 548
Views: 1071638

Re: Got 10 VestaCP servers exploited

I think the main issue here is the fact that the API runs as root... that is a major security hole alone.
  • Jump to post
by Prime
Sun Apr 08, 2018 2:09 pm
Forum: General Discussion
Topic: Got 10 VestaCP servers exploited
Replies: 548
Views: 1071638

Re: Got 10 VestaCP servers exploited

I'm setting up a honeypot server on a VPS right now and we'll see how it goes. I'm not very hopeful as my other installation of Vesta is running behind the same network and wasn't attacked.
  • Jump to post
by Prime
Sun Apr 08, 2018 12:41 pm
Forum: General Discussion
Topic: Got 10 VestaCP servers exploited
Replies: 548
Views: 1071638

Re: Got 10 VestaCP servers exploited

Then I think we can eliminate the theory that Roundcube is the fault here. Then why "/tmp/update" was launched from the working directory of Roundcube?
[root@mail /]# lsof -p 985
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update 985 root cwd DIR 182,178001 4096 786628 /usr/share/roundcubema...
  • Jump to post
by Prime
Sun Apr 08, 2018 12:24 pm
Forum: General Discussion
Topic: Got 10 VestaCP servers exploited
Replies: 548
Views: 1071638

Re: Got 10 VestaCP servers exploited

I'm cheering it's not Roundcube cuz another server didn't get hacked again with disabled Vesta. I'm still keeping this hacked server mounted in rescue until sergehey is back. I truly hope he will be back; my client is insisting on putting sites back up. Mine isn't hacked either and I've been running V...
  • Jump to post
