Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
If the backdoor really is not shipped from the repo, it can only be a serious bug inside the VestaCP service, no matter which port you run and whether it's protected or not.
And I can't figure out how that should be possible...
Until it's clear and the update is fully available, I still suggest stopping your Vesta main service.
Re: Got 10 VestaCP servers exploited
They can do a port scan, so it does not matter if you were using 8083 or not.

pipoy wrote: ↑Mon Apr 09, 2018 2:58 pm
    RevengeFNF wrote: ↑Mon Apr 09, 2018 2:50 pm
        n0x wrote: ↑Mon Apr 09, 2018 2:43 pm
            I don't think it was the repo - I had installations that were made 3 months ago and last updated in Jan 2018 suddenly get exploited around mid-day on Saturday 7th April.
            This is almost definitely a vulnerability within the code; I would guess it allowed a malicious user to access the 'admin' account and execute, given the update 0.9.8-20 that was released:
            It would be interesting to know what was fixed without having to go through the code for a comparison to 0.9.8-19.
                Hardening password checks Auth fix
        That doesn't explain how people that did have port 8083 blocked were hacked, because it means there was no access to the Web UI.
    True. I had a different port in 1 of my servers and still got hacked.
Re: Got 10 VestaCP servers exploited
Good that my VPS is safe :). Now I hope they approve security enhancements. Months ago I suggested 2-factor auth and Google captcha multiple times, but they declined it with childish arguments like "I do not want to enter a captcha for my own panel". Now here you go, hope you learned a lesson.
Re: Got 10 VestaCP servers exploited
Tell me please, how would an extra anti-bruteforce mechanism prevent this hack from happening? Fail2ban is already doing that job in a way that's less annoying to the user.

darkworks wrote: ↑Mon Apr 09, 2018 3:24 pm
    Good that my VPS is safe :). Now I hope they approve security enhancements. Months ago I suggested 2-factor auth and Google captcha multiple times, but they declined it with childish arguments like "I do not want to enter a captcha for my own panel". Now here you go, hope you learned a lesson.

I myself am against captcha at login time. That's the dumbest non-security-enhancing nuisance that has happened to the internet as of late.
Re: Got 10 VestaCP servers exploited
I have not heard of anyone bypassing Google Authenticator. It looks safe to me. Also, it's not about perfect security; it adds a security layer and slows down attackers a bit, better than nothing.
Re: Got 10 VestaCP servers exploited
There are a few things I want to know, if someone can please reply:
1) Were the hacked servers running SSH on port 22?
2) Was root login allowed?
The above two questions will sort out a few things. I will post my report once I have answers. Also, if anyone needs any help to clean the server or migrate, ping me. Cleaning will be free :)
Regards
Re: Got 10 VestaCP servers exploited
1) yes

vishne0 wrote: ↑Mon Apr 09, 2018 3:51 pm
    There are a few things I want to know, if someone can please reply:
    1) Were the hacked servers running SSH on port 22?
    2) Was root login allowed?
    The above two questions will sort out a few things. I will post my report once I have answers. Also, if anyone needs any help to clean the server or migrate, ping me. Cleaning will be free :)
    Regards

2) no - no password login and no root user - no PAM
I am using pubkeys
Re: Got 10 VestaCP servers exploited
Looks like my VPS was also hit from China, but fail2ban blocked the IP: 210.13.64.18
CPU usage normal and no suspicious processes.
2018-04-09 06:27:38,027 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 202.120.79.106
2018-04-09 06:27:39,766 fail2ban.actions[471]: WARNING [ssh] Unban 202.120.79.106
2018-04-09 06:27:49,026 fail2ban.actions[471]: WARNING [exim-iptables] Ban 212.237.41.14
2018-04-09 06:37:49,613 fail2ban.actions[471]: WARNING [exim-iptables] Unban 212.237.41.14
2018-04-09 08:06:16,480 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 49.171.119.51
2018-04-09 08:06:19,376 fail2ban.actions[471]: WARNING [ssh] Ban 49.171.119.51
2018-04-09 08:11:26,819 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 42.7.26.88
2018-04-09 08:11:29,672 fail2ban.actions[471]: WARNING [ssh] Ban 42.7.26.88
2018-04-09 08:16:17,122 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 49.171.119.51
2018-04-09 08:16:19,949 fail2ban.actions[471]: WARNING [ssh] Unban 49.171.119.51
2018-04-09 08:21:27,452 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 42.7.26.88
2018-04-09 08:21:30,227 fail2ban.actions[471]: WARNING [ssh] Unban 42.7.26.88
2018-04-09 10:07:29,325 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 42.7.26.16
2018-04-09 10:07:32,074 fail2ban.actions[471]: WARNING [ssh] Ban 42.7.26.16
2018-04-09 10:17:29,926 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 42.7.26.16
2018-04-09 10:17:32,646 fail2ban.actions[471]: WARNING [ssh] Unban 42.7.26.16
2018-04-09 13:12:28,610 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 183.145.216.122
2018-04-09 13:22:29,213 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 183.145.216.122
2018-04-09 17:05:58,800 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 218.65.30.25
2018-04-09 17:15:59,423 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 218.65.30.25
2018-04-09 19:36:13,155 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 103.99.0.200
2018-04-09 19:46:13,749 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 103.99.0.200
2018-04-09 20:42:33,873 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 210.13.64.18
2018-04-09 20:52:34,472 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 210.13.64.18
Last edited by darkworks on Mon Apr 09, 2018 4:04 pm, edited 3 times in total.
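An added example, not from the thread or the VestaCP project, that summarises fail2ban.actions lines like the ones above: it pairs every Ban with its later Unban per jail and IP, which makes the effective bantime visible (the log above shows roughly 10-minute bans) and lists IPs that keep coming back. The log sample and its IP addresses are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the fail2ban.actions format quoted in the thread; IPs are placeholders.
SAMPLE_LOG = """\
2018-04-09 08:06:16,480 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 203.0.113.10
2018-04-09 08:06:19,376 fail2ban.actions[471]: WARNING [ssh] Ban 203.0.113.10
2018-04-09 08:16:17,122 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 203.0.113.10
2018-04-09 08:16:19,949 fail2ban.actions[471]: WARNING [ssh] Unban 203.0.113.10
2018-04-09 13:12:28,610 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 203.0.113.10
2018-04-09 13:22:29,213 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 203.0.113.10
2018-04-09 20:42:33,873 fail2ban.actions[471]: WARNING [exim-iptables] Ban 198.51.100.7
"""

# One fail2ban.actions line: timestamp, jail name in brackets, action, offending IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\[\d+\]: "
    r"WARNING \[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban|Restore Ban) (?P<ip>\S+)$"
)


def parse_actions(text):
    """Yield (timestamp, jail, action, ip) for each matching line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["jail"], m["action"], m["ip"]


def ban_summary(text):
    """Per (jail, ip): ban count, completed ban durations in seconds, and whether a ban is still open."""
    open_bans = {}
    summary = defaultdict(lambda: {"bans": 0, "durations": [], "still_banned": False})
    for ts, jail, action, ip in parse_actions(text):
        key = (jail, ip)
        if action in ("Ban", "Restore Ban"):
            summary[key]["bans"] += 1
            open_bans[key] = ts
        elif action == "Unban" and key in open_bans:
            summary[key]["durations"].append((ts - open_bans.pop(key)).total_seconds())
    for key in open_bans:  # banned but never unbanned within the log window
        summary[key]["still_banned"] = True
    return dict(summary)


def repeat_offenders(text, min_bans=2):
    """IPs banned at least min_bans times across all jails: candidates for a longer or permanent block."""
    counts = defaultdict(int)
    for (_jail, ip), s in ban_summary(text).items():
        counts[ip] += s["bans"]
    return sorted(ip for ip, n in counts.items() if n >= min_bans)
```

A short bantime like the 600 seconds visible here lets the same source retry every ten minutes, so the repeat-offender list is the part worth feeding back into a longer ban or a firewall rule.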
Re: Got 10 VestaCP servers exploited
No, sorry, I disagree. That's maybe marginally useful for a situation where someone already has your password and is now trying to log in to your account. For the type of exploit that happened here, Google Authenticator, along with fail2ban, would be useless. There were no attempts to log in; the password was irrelevant. This was an exploit – a targeted way to gain access to a system which only requires 1 try.
And if it's not about perfect security, why put more road blocks in my way as a user as well? That's just inconvenience without benefit.