Vesta Control Panel - Forum

There are already Vesta alternatives for Ubuntu and Debian.

If you want to focus on a single distro, i hope it is Centos and it's variants (Almalinux and Rocky Linux).

There is also a fork of Vesta that works on RHEL based distros. In this case, it works with Centos 7, Centos Stream 8, Alma Linux 8 and Rocky Linux 8. https://github.com/madeITBelgium/vesta PS: In less than 2 years, Centos 7 will go EOL, and since VestaCP doesn't support newer versions of RHEL based...

Is Serghey back?

It has been about a month since the 1st post regarding the exploited servers. At a result of the exploits, one patch was issued. We also know some of the code was reviewed by Rack911labs (Patrick) and he noticed several root compromise vulnerabilities (6). I know that many users are running with th...

I always disable exec, system, popen, proc_open and shell_exec.

Sent off 6 security vulnerabilities to [email protected] with 3 of those leading to a easy root compromise. The other 3 are still very serious flaws, password / hash disclosures, etc.

I'll send off more once they fix those.

This is Patrick from Rack911 Labs, a Software Security Auditing company.

Found this in my nginx-error.log 2018/04/09 03:52:05 [error] 8641#0: *32 "/usr/local/vesta/web/_asterisk/index.php" is not found (2: No such file or directory), client: 46.161.55.106, server: _, request: "GET /_asterisk/ HTTP/1.1", host: "myip:8083" Wow this is exactly the same i got. Same IP and o...

Only my dev vps was infected and after cleaning it up and updating vesta, today i got a log in the nginx-error.log: 2018/04/09 03:55:52 [error] 1124#0: *8 "/usr/local/vesta/web/_asterisk/index.php" is not found (2: No such file or directory), client: 46.161.55.106, server: _, request: "GET /_asteris...

First of all, there was no reports about hacks on 0.9.8-20. Please update your servers as soon as possible. For those who are interested in technical details here is how authentication model looked like in previous releases: - PHP script /api/index.php receives user password via POST request - then...

pipoy wrote: ↑

Tue Apr 10, 2018 12:28 pm

Interesting.

But I never updated since January or February, so it means the virus was inside our servers this whole time waiting to be activated.

What makes you say that?