Search found 33 matches
- Sun Apr 08, 2018 6:25 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 658324
Re: Got 10 VestaCP servers exploited
Alright, another update. This issue seems to be with Roundcube. We are not seeing any typical communications with VestaCP's admin interface that would indicate it was compromised. However, we are still investigating the issue. For those of you that have compromised systems, we would love an opportun...
- Sun Apr 08, 2018 3:16 pm
- Forum: General Questions
- Topic: Possible vulnerability in Vesta 0.9.8.19
- Replies: 236
- Views: 137078
Re: Possible vulnerability in Vesta 0.9.8.19
Until a fix is released: viewtopic.php?p=68556#p68556
- Sun Apr 08, 2018 1:39 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 658324
Re: Got 10 VestaCP servers exploited
*deleted*
- Sun Apr 08, 2018 12:44 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 658324
- Sun Apr 08, 2018 12:24 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 658324
Re: Got 10 VestaCP servers exploited
Then I think we can eliminate the theory that Roundcube is the fault here. Then why "/tmp/update" was launched from the working directory of Roundcube?
[root@mail /]# lsof -p 985
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
update 985 root cwd DIR 182,178001 4096 786628 /usr/share/roundcubema...
- Sun Apr 08, 2018 12:19 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 658324
Re: Got 10 VestaCP servers exploited
Don't aim roundcube as the exploit. I don't have roundcube on my servers, even phpmyadmin; I disabled them and deleted it, still got hacked. Do you mean you manually deleted already installed applications? Because Roundcube is installed automatically if you install the exim and the mysql, it can not b...
- Sun Apr 08, 2018 12:13 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 658324
Re: Got 10 VestaCP servers exploited
Can you check what version of Roundcube is on the system? On my installation I had the latest version - 1.3.5. Are you suspecting that file S90update is a culprit? What is the contents of that S90update file? /etc/rc.d/rc1.d/S90update /etc/rc.d/rc2.d/S90update /etc/rc.d/rc3.d/S90update /e...
- Sun Apr 08, 2018 12:06 pm
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 658324
Re: Got 10 VestaCP servers exploited
Also I have good news: I binary compared all the files in two backups of the whole server, one from 03-04-2018 (before infection), the other from 07-04-2018. And it seems that this exploit did not modify any system files, but only created these: /etc/cron.hourly/gcc.sh /etc/rc.d/init.d/update /etc/r...
- Sun Apr 08, 2018 11:54 am
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 658324
Re: Got 10 VestaCP servers exploited
A bit more info: My /etc/cron.hourly/gcc.sh file was modified on 04.04.2018 16:25:00. I've analyzed the modified /var/lib/mysql/roundcube/session.ibd file, which was modified at the same time, on 04.04.2018 16:24:56. In the SQL dump of this "session" table from the "roundcube" database I found new session at t...
- Sun Apr 08, 2018 10:24 am
- Forum: General Discussion
- Topic: Got 10 VestaCP servers exploited
- Replies: 548
- Views: 658324
Re: Got 10 VestaCP servers exploited
I didn't understand, if vestacp team already gotten SOME BUNCH OF HACKED SERVER FOR TESTING, why they are still resting? Because there is no information that would tell the cause of the infection of the servers, I tried to find it myself. In existing logs, there are no other authorizations, no ...