Vesta Control Panel - Forum

Well, the information you gave is not complete... Was only one site hacked or you find multiple sites hacked? It looks more like an insecure site being targetted for malware injections. You can: 1. Restore your site from a backup and then secure it. 2. Use Clamscan or Maldet to check your site files...

while this is ofc some good advice and true that it is dangerous to have them open, i got hacked with disabled exec and shell_exec. system, passthru, proc_open and popen was enabled? Luckily, I had only one server hacked with gcc.sh shit, I was able to clean the infection without a format. This ser...

I, personally, have one question for all administrators whose server got hacked. Did you disabled dangerous PHP functions (like shell() and exec()) with "disable_functions" in php.ini ? Well, I did not disable them...BUT I also have a counter question: Vesta's internal PHP is different than systemw...

Post problems and errors with detail, this is too little info to help you.

I'm sure someone updatded VestaCP internal PHP from 5 to 7. Can't remember exactly but I think someone did this long time back... you may want to search the forum.

You would want to sync the entire /home/* presuming you setup exactly same VestaCP users and domains under them.
You also need to sync Database, which is not possible using rsync, you have to use MySQL replication for DBs to sync

nsuro
so can you write a "sed" statement as in my Tutorial above... and then we can test this on our servers. If all is good, I will include that in my tutorial above.

Thanks alot for your keen eyes and contribution... above all your love for Vesta.

Security is always a cat and mouse chase...never ends. The whole "hoopla" is about a security flaw within VestaCP code that allowed an attacker to gain access and inject processes into your server that would DDos other servers. This was responsibility of the Vesta Developers and so they updated the ...

@nsuro Fail2ban doesn't monitor ports, it merely reads auth logs and counts the retries done there to ban the suspected IPs You can alter that file, but I don't that would make any difference. Maybe the devs can suggest best settings here. @plutocrat Yes please suggest this on Git or http://bugs.ves...

kobo1d wrote: ↑

Mon Apr 09, 2018 6:44 pm

even after you clean the trojan, your system is still infected from what i see.
systemd (process 1) still creates supicious files under /tmp while all other directories are still clean.
but this is speculating now

Can you name the files/dir that you see as suspicious in your /tmp ?