Vesta Control Panel - Forum

Updated to V20 but still monitoring.

for the POST log, it seems like the hacker removed my IP from his pool. No trace of access from him since.

I'm glad to hear. Can't wait to see the commit.

@StudioMaX, could you delete the quote?
I have rebooted my VPS to rescue mode for inspection.

@SS88, Thanks for you suggestion.

Guys, I think the guy from the IP in my previous post is also observing this forum. I should have been more careful posting the IP address. I think he might have already removed my IP from his exploited pool.

Is there any safer channel we can discuss?

@StudioMaX

That's what I'm looking for the how to. lol

Just a few secs after starting Vesta, here what I got from the log:

x.x.x.x - - [08/Apr/2018:09:15:00 -0400] "GET / HTTP/1.1" 302 154 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0"
x.x.x.x - - [08/Apr/2018:09:15:01 -0400] "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 ...

Up and running. Finger cross!

Since I'm likely to be hacked again. I will investigate this scenario, the executable file is posted through Roundcube and is run with one of vulnerability in Vesta core. So I will start Vesta service again with log enabled. Hopefully, it is hacked again.

lukapaunovic,

is your server up and running? May I access your log files?

FYI, I have stopped VestaCP service on all of my VPSes at the moment.