Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
Of course. However, I hope that you see my point.
Just because my server had VestaCP running on it, it was indiscriminately blocked on the network from making outgoing requests, as well as having the 8083 port blocked. I don't mind the port blocking, but the outgoing requests block broke my apps. Worst part is, I'm not one of the compromised ones - I could certainly understand in that case.
Re: Got 10 VestaCP servers exploited
Completely agree, really bad decision by DO.Galaxian wrote: ↑Mon Apr 09, 2018 8:40 pmOf course. However, I hope that you see my point.
Just because my server had VestaCP running on it, it was indiscriminately blocked on the network from making outgoing requests, as well as having the 8083 port blocked. I don't mind the port blocking, but the outgoing requests block broke my apps. Worst part is, I'm not one of the compromised ones - I could certainly understand in that case.
Re: Got 10 VestaCP servers exploited
Galaxian, may I suggest you another cheap VPS hosting?
My server was hacked, while removing a virus something crashed and I can not login any more. The support answers "they are doing something, just wait" and it's a 24 hours passed already. All this time my server still DDOS'ing somebody and nobody cares haha
My server was hacked, while removing a virus something crashed and I can not login any more. The support answers "they are doing something, just wait" and it's a 24 hours passed already. All this time my server still DDOS'ing somebody and nobody cares haha
Re: Got 10 VestaCP servers exploited
That's quite concerning.BartMan__X wrote: ↑Mon Apr 09, 2018 8:07 pmi didnt have any problems untill i ran the update this morning .. a few min. ago i got an email from my VPS host (OVH) that my VPS has been suspended.
From: OVH Support
Dear Customer,
Abnormal activity has been detected on your VPS vps177337.vps.ovh.ca.
As this constitutes a breach of contract, your virtual server
has been blocked.
You will find the logs brought up by our system below, which led to this alert.
- START OF ADDITIONAL INFORMATION -
Attack detail : 10Kpps/71Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags packets bytes reason
2018.04.09 19:34:51 CEST MY_VPS_IP:1813 59.56.66.67:8811 TCP SYN 2048 1828864 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:43509 59.56.66.67:8811 TCP SYN 2048 1820672 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:57337 59.56.66.67:8811 TCP SYN 2048 1894400 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:57087 59.56.66.67:8811 TCP SYN 2048 1839104 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:51152 59.56.66.67:8811 TCP SYN 2048 1824768 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:28409 59.56.66.67:8811 TCP SYN 2048 1900544 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:60568 59.56.66.67:8811 TCP SYN 2048 1892352 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:38289 59.56.66.67:8811 TCP SYN 2048 1902592 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:25782 59.56.66.67:8811 TCP SYN 2048 1867776 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:28951 59.56.66.67:8811 TCP SYN 2048 1873920 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:5011 59.56.66.67:8811 TCP SYN 2048 1865728 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:2420 59.56.66.67:8811 TCP SYN 2048 1828864 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:19935 59.56.66.67:8811 TCP SYN 2048 1910784 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:56914 59.56.66.67:8811 TCP SYN 2048 1892352 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:55014 59.56.66.67:8811 TCP SYN 2048 1884160 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:17569 59.56.66.67:8811 TCP SYN 2048 1896448 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:64671 59.56.66.67:8811 TCP SYN 2048 1892352 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:17837 59.56.66.67:8811 TCP SYN 2048 1837056 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:60514 59.56.66.67:8811 TCP SYN 2048 1875968 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:9150 59.56.66.67:8811 TCP SYN 2048 1845248 ATTACK:TCP_SYN
- END OF ADDITIONAL INFORMATION -
OVH Customer Support.
OVH Support
Call us at: 1-855-OVH-LINE (684-5463)
24/7/365
[ref=1.661c9fff]
Did you have port 8083 opened after upgrade? Did you have the vesta service up after the upgrade?
Re: Got 10 VestaCP servers exploited
Everybody who just installed or updated the panel, please check any command via terminal like
v-change-domain-owner or v-change-sys-hostname without parameters, it outputs an error like
v-change-domain-owner or v-change-sys-hostname without parameters, it outputs an error like
P.S. Deb 8/func/main.sh: No such file or directory
Re: Got 10 VestaCP servers exploited
DigitalOcean just refused to unblock my outgoing traffic, even though I remain unaffected by the security vulnerability.
They totally ignored the initial message where I told them I'd already changed port. I am also unable to update Vesta because of the outbound traffic block.Hello and thank you for contacting DigitalOcean!
I'm sorry to hear you've been seeing this issue. We don't have any ETA at the moment as VestaCP hasn't solved the issue fully on their end. We closed port 8083 by default at this time due to a vulnerability with VestaCP. You can read more about that here:
https://do.co/vesta-vuln
I would recommend setting your Droplet to use a different port for VestaCP. Here’s an explainer on how to do that:
https://www.lowendguide.com/3/security/ ... ce-part-2/
You may also want to look into below link for update from VestaCP to have your Droplet patched:
viewtopic.php?f=10&t=16556&start=260#p68893
Please let us know if you have any other questions or if there's anything we can do to help.
Re: Got 10 VestaCP servers exploited
Tired to update on debian 9
Code: Select all
v-update-sys-vesta-all
Error: vesta update failed
Error: vesta-nginx update failed
Error: vesta-php update failed
Error: vesta-ioncube update failed
Error: vesta-softaculous update failed
Re: Got 10 VestaCP servers exploited
Code: Select all
apt-get updateCode: Select all
v-update-sys-vesta-allRe: Got 10 VestaCP servers exploited
I managed to sort my problem. However, when I updated VestaCP through the web interface, it jumped to 'bad gateway' and now refuses to connect. Anyone know of this problem?
Edit: Simply restarting the vesta service worked. Vesta-nginx was not running for some reason.
Edit: Simply restarting the vesta service worked. Vesta-nginx was not running for some reason.
Last edited by Galaxian on Mon Apr 09, 2018 10:27 pm, edited 1 time in total.
-
BartMan__X
- Posts: 13
- Joined: Tue Jan 16, 2018 2:58 am
- Os: CentOS 6x
- Web: apache + nginx
Re: Got 10 VestaCP servers exploited
nope changed port 8083 to 6073Andei wrote: ↑Mon Apr 09, 2018 9:02 pmThat's quite concerning.BartMan__X wrote: ↑Mon Apr 09, 2018 8:07 pmi didnt have any problems untill i ran the update this morning .. a few min. ago i got an email from my VPS host (OVH) that my VPS has been suspended.
From: OVH Support
Dear Customer,
Abnormal activity has been detected on your VPS .
As this constitutes a breach of contract, your virtual server
has been blocked.
You will find the logs brought up by our system below, which led to this alert.
- START OF ADDITIONAL INFORMATION -
Attack detail : 10Kpps/71Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags packets bytes reason
2018.04.09 19:34:51 CEST MY_VPS_IP:1813 59.56.66.67:8811 TCP SYN 2048 1828864 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:43509 59.56.66.67:8811 TCP SYN 2048 1820672 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:57337 59.56.66.67:8811 TCP SYN 2048 1894400 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:57087 59.56.66.67:8811 TCP SYN 2048 1839104 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:51152 59.56.66.67:8811 TCP SYN 2048 1824768 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:28409 59.56.66.67:8811 TCP SYN 2048 1900544 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:60568 59.56.66.67:8811 TCP SYN 2048 1892352 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:38289 59.56.66.67:8811 TCP SYN 2048 1902592 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:25782 59.56.66.67:8811 TCP SYN 2048 1867776 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:28951 59.56.66.67:8811 TCP SYN 2048 1873920 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:5011 59.56.66.67:8811 TCP SYN 2048 1865728 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:2420 59.56.66.67:8811 TCP SYN 2048 1828864 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:19935 59.56.66.67:8811 TCP SYN 2048 1910784 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:56914 59.56.66.67:8811 TCP SYN 2048 1892352 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:55014 59.56.66.67:8811 TCP SYN 2048 1884160 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:17569 59.56.66.67:8811 TCP SYN 2048 1896448 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:64671 59.56.66.67:8811 TCP SYN 2048 1892352 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:17837 59.56.66.67:8811 TCP SYN 2048 1837056 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:60514 59.56.66.67:8811 TCP SYN 2048 1875968 ATTACK:TCP_SYN
2018.04.09 19:34:51 CEST MY_VPS_IP:9150 59.56.66.67:8811 TCP SYN 2048 1845248 ATTACK:TCP_SYN
- END OF ADDITIONAL INFORMATION -
OVH Customer Support.
OVH Support
Call us at: 1-855-OVH-LINE (684-5463)
24/7/365
[ref=1.661c9fff]
Did you have port 8083 opened after upgrade? Did you have the vesta service up after the upgrade?