Vesta Control Panel - Forum

All VestaCP installations being attacked Topic is solved

General questions about VestaCP
231 posts
  • Page 8 of 24
iddir
Posts: 2
Joined: Wed Sep 26, 2018 9:55 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: All VestaCP installations being attacked

Post by iddir » Wed Sep 26, 2018 9:58 pm

vikhyat wrote: ↑
Wed Sep 26, 2018 6:48 pm
I suggest switching to SSH key-only login, which in my opinion is a really simple and the best fix, without worrying about new hacks, as I have experienced it.
Hi, I have been hacked in April/May and now again (yesterday, 2 clouds), and I'm only using an SSH key to log in. So you won't be safe from this hack even if you are using an SSH key.

EDIT: Vesta has been installed since August on both clouds that were hacked yesterday.

I now remember another hack from the 1st of August, where I did a DDoS to the same IP as other people who have been hacked in September (myself included).

Attack detail: 10 Kpps / 81 Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags packets bytes reason
2018.08.01 10:33:41 CEST 176.31.115.152:13003 144.0.2.180:80 TCP SYN

This one had been installed since January and got hacked on the 1st of August.

Liam
Posts: 3
Joined: Sat Jul 02, 2016 11:22 am

Re: All VestaCP installations being attacked

Post by Liam » Thu Sep 27, 2018 12:45 am

Here's the attack log my provider gave me, with my VM's IP Address being replaced with <VM IP>.

Code: Select all

ipv4 2 tcp 6 40 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=12558 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=12558 mark=0 secmark=0 use=2
ipv4 2 tcp 6 2 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=62127 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=62127 mark=0 secmark=0 use=2
ipv4 2 tcp 6 92 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=33896 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=33896 mark=0 secmark=0 use=2
ipv4 2 tcp 6 26 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=29526 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=29526 mark=0 secmark=0 use=2
ipv4 2 tcp 6 45 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=47494 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=47494 mark=0 secmark=0 use=2
ipv4 2 tcp 6 98 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=11174 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=11174 mark=0 secmark=0 use=2
ipv4 2 tcp 6 70 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=649 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=649 mark=0 secmark=0 use=2
ipv4 2 tcp 6 35 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=6718 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=6718 mark=0 secmark=0 use=2
ipv4 2 tcp 6 42 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=21999 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=21999 mark=0 secmark=0 use=2
ipv4 2 tcp 6 95 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=5797 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=5797 mark=0 secmark=0 use=2
ipv4 2 tcp 6 17 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=46857 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=46857 mark=0 secmark=0 use=2
ipv4 2 tcp 6 81 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=53976 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=53976 mark=0 secmark=0 use=2
ipv4 2 tcp 6 22 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=59385 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=59385 mark=0 secmark=0 use=2
ipv4 2 tcp 6 117 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=42659 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=42659 mark=0 secmark=0 use=2
ipv4 2 tcp 6 18 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=55428 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=55428 mark=0 secmark=0 use=2
ipv4 2 tcp 6 61 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=55477 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=55477 mark=0 secmark=0 use=2
I hope this is the same vulnerability and not another unknown exploit. These stopped when I changed my SSH port, changed the 'admin' password and installed CSF with SYNFLOOD protection. I have VestaCP's GUI turned off while we still have no idea what's going on.

If there are any logs the admins wish to see I'd be more than happy to check my infected instance and pass them on.
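The conntrack lines in the post above show the VM as the src of half-open connections (SYN_SENT, [UNREPLIED]) to port 80 on two hosts, from many different source ports: the VM is the one sending the SYN flood, not receiving it. As an added example (not code from the thread or from VestaCP), here is a small Python checker that parses such lines and flags destinations receiving many unanswered SYNs from the local address. SAMPLE_LINES are constructed in the same format with documentation-range addresses, and the thresholds are this example's own choice.

```python
"""Spot an outbound SYN flood in nf_conntrack output.

Added example for this thread; it is not code from the forum post or from
VestaCP. SAMPLE_LINES are constructed in the format of the log in the post
(nf_conntrack entries) with documentation-range addresses; the thresholds are
this example's own choice.
"""
import re
import sys
from collections import defaultdict

# Accepts both /proc/net/nf_conntrack ("ipv4 2 tcp 6 ...") and `conntrack -L`
# ("tcp 6 ...") line layouts; only the original-direction tuple is captured.
CT_RE = re.compile(
    r"^(?:ipv4\s+\d+\s+)?tcp\s+\d+\s+(?P<timeout>\d+)\s+(?P<state>\S+)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)"
)


def parse_conntrack_line(line):
    """Return the fields of one TCP conntrack entry, or None for other lines."""
    m = CT_RE.match(line.strip())
    if not m:
        return None
    return {
        "state": m.group("state"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "sport": int(m.group("sport")),
        "dport": int(m.group("dport")),
        # [UNREPLIED] means the peer never answered the SYN (half-open)
        "unreplied": "[UNREPLIED]" in line,
    }


def find_outbound_syn_floods(lines, local_ip, min_entries=5, min_sports=5):
    """Map 'dst:dport' -> (entries, distinct source ports) for targets that
    local_ip is hammering with unanswered SYNs.

    One or two SYN_SENT entries are normal (a slow or dead peer); a flood shows
    up as many entries to one target from many different source ports.
    """
    by_target = defaultdict(list)
    for line in lines:
        e = parse_conntrack_line(line)
        if e and e["src"] == local_ip and e["state"] == "SYN_SENT" and e["unreplied"]:
            by_target[(e["dst"], e["dport"])].append(e["sport"])
    flagged = {}
    for (dst, dport), sports in by_target.items():
        if len(sports) >= min_entries and len(set(sports)) >= min_sports:
            flagged[f"{dst}:{dport}"] = (len(sports), len(set(sports)))
    return flagged


def _ct_line(timeout, state, src, dst, sport, dport, unreplied):
    """Build one constructed nf_conntrack line for the demo."""
    flag = " [UNREPLIED]" if unreplied else ""
    return (f"ipv4 2 tcp 6 {timeout} {state} src={src} dst={dst} sport={sport} dport={dport}{flag} "
            f"src={dst} dst={src} sport={dport} dport={sport} mark=0 secmark=0 use=2")


SAMPLE_LOCAL_IP = "203.0.113.10"  # constructed: the compromised VM
SAMPLE_LINES = (
    # eight half-open connections to one web server from eight source ports: a flood
    [_ct_line(40 + i, "SYN_SENT", SAMPLE_LOCAL_IP, "198.51.100.7", 12558 + 7 * i, 80, True)
     for i in range(8)]
    # three to another host: below the default thresholds
    + [_ct_line(90, "SYN_SENT", SAMPLE_LOCAL_IP, "198.51.100.9", 500 + 3 * i, 80, True)
       for i in range(3)]
    # ordinary established outbound HTTPS session
    + [_ct_line(431999, "ESTABLISHED", SAMPLE_LOCAL_IP, "192.0.2.44", 51000, 443, False)]
    # inbound SYN to our sshd: not our traffic, must not be counted
    + [_ct_line(120, "SYN_SENT", "198.51.100.200", SAMPLE_LOCAL_IP, 40000, 22, True)]
    + ["garbage line that does not parse"]
)


def load_lines(path="/proc/net/nf_conntrack"):
    """Read the live table if readable (needs root), else fall back to the sample."""
    try:
        with open(path) as fh:
            return fh.read().splitlines()
    except OSError:
        return SAMPLE_LINES


if __name__ == "__main__":
    local = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_LOCAL_IP
    for target, (n, ports) in sorted(find_outbound_syn_floods(load_lines(), local).items()):
        print(f"{target}: {n} unanswered SYNs from {ports} source ports")
```

Run it as root with the VM's own address as the argument (or pipe `conntrack -L` output into a file and point `load_lines` at it). A healthy host has at most a handful of SYN_SENT entries; dozens to one dst:port means a local process is flooding, and `ss -tnp state syn-sent` will name that process so it can be killed and its binary preserved for analysis.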

dpeca
VestaCP Team
Posts: 473
Joined: Wed Nov 25, 2015 7:30 pm

Re: All VestaCP installations being attacked

Post by dpeca » Thu Sep 27, 2018 7:56 am

vikhyat wrote: ↑
Wed Sep 26, 2018 6:48 pm
I suggest switching to SSH key-only login, which in my opinion is a really simple and the best fix, without worrying about new hacks, as I have experienced it.
Better idea - https://www.ostechnix.com/allow-deny-ss ... oup-linux/

Code: Select all

vi /etc/ssh/sshd_config
# add:
PermitRootLogin without-password
DenyUsers admin

systemctl restart sshd
WARNING: GENERATE and GET a root SSH key before you do this!!!

But anyway, this will not prevent the system from being compromised if he can execute shell commands somewhere...
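The two directives from the post above, applied as a script that refuses to run until root actually has a key on file and that avoids the classic lock-out pitfall: sshd uses the first occurrence of a keyword, so appending `PermitRootLogin` at the bottom of a file that already says `PermitRootLogin yes` near the top changes nothing. This is an added example, not code from the thread or from VestaCP. `prohibit-password` is the current spelling of the post's `without-password`; the key-file check, the file paths and the `.bak` suffix are this example's own assumptions.

```python
"""Apply the sshd hardening from the post above without locking yourself out.

Added example for this thread; it is not code from the forum post or from
VestaCP. It edits the configuration as text so it can be tested offline. The
directives and the 'admin' user name come from the post; the key-file check,
the file paths and the backup suffix are this example's own assumptions.
"""
import re
import shutil
import sys

# 'without-password' in the post is the older spelling of 'prohibit-password';
# both mean root may log in with a key but never with a password.
HARDENING = {"PermitRootLogin": "prohibit-password", "DenyUsers": "admin"}

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
             "sk-ecdsa-sha2-nistp256@openssh.com")


def _split(line):
    """sshd_config allows 'Key value' and 'Key=value'; keywords are case-insensitive."""
    return re.split(r"[\s=]+", line.strip(), maxsplit=1)


def _keyword(line):
    """Keyword of a config line, or None for blank and comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    return _split(stripped)[0]


def effective_setting(config_text, keyword):
    """Value sshd will use: the FIRST occurrence of the keyword wins, so a
    'PermitRootLogin yes' near the top beats anything appended at the end."""
    for line in config_text.splitlines():
        k = _keyword(line)
        if k and k.lower() == keyword.lower():
            parts = _split(line)
            return parts[1].strip() if len(parts) > 1 else ""
    return None


def has_usable_key(authorized_keys_text):
    """True if at least one line looks like a public key (optionally with options)."""
    for line in authorized_keys_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, f in enumerate(fields[:2]):
            if f in KEY_TYPES and len(fields) > i + 1:
                return True
    return False


def harden_sshd_config(config_text, settings=HARDENING):
    """Return config_text with the hardening applied.

    Because the first occurrence wins, every active occurrence of a keyword is
    rewritten in place (commented-out defaults are left alone). A keyword that
    does not occur is inserted before the first 'Match' block, because anything
    after 'Match' applies only inside that block. DenyUsers is merged with an
    existing list instead of replacing it.
    """
    out, seen, match_at = [], set(), None
    for line in config_text.splitlines():
        k = _keyword(line)
        if k and k.lower() == "match" and match_at is None:
            match_at = len(out)
        if k:
            for key, value in settings.items():
                if k.lower() == key.lower():
                    if key == "DenyUsers":
                        existing = re.split(r"[\s=]+", line.strip())[1:]
                        value = " ".join(dict.fromkeys(existing + value.split()))
                    line = f"{key} {value}"
                    seen.add(key)
                    break
        out.append(line)
    missing = [f"{k} {v}" for k, v in settings.items() if k not in seen]
    if missing:
        at = len(out) if match_at is None else match_at
        out[at:at] = ["", "# hardening added (root by key only, no 'admin' shell login)"] + missing
    return "\n".join(out) + "\n"


def main(argv):
    """Usage: harden_sshd.py [sshd_config] [root_authorized_keys]"""
    cfg = argv[1] if len(argv) > 1 else "/etc/ssh/sshd_config"
    keys = argv[2] if len(argv) > 2 else "/root/.ssh/authorized_keys"
    try:
        with open(keys) as fh:
            keys_text = fh.read()
    except OSError:
        keys_text = ""
    if not has_usable_key(keys_text):
        print(f"refusing: no public key in {keys}; put your key there first", file=sys.stderr)
        return 2
    with open(cfg) as fh:
        original = fh.read()
    shutil.copy2(cfg, cfg + ".bak")  # assumption: a .bak beside the file is acceptable
    with open(cfg, "w") as fh:
        fh.write(harden_sshd_config(original))
    print(f"updated {cfg} (backup: {cfg}.bak); now run 'sshd -t' and reload sshd "
          "while keeping your current session open")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two caveats the script does not cover: on OpenSSH 8.2 and later a distribution may start the file with an `Include` of a drop-in directory (Ubuntu uses /etc/ssh/sshd_config.d/*.conf), and because included files are read first they win over this file, so check `sshd -T | grep -i permitrootlogin` after reloading; and the service name is `ssh` on Debian/Ubuntu but `sshd` on CentOS. Keep the session you are logged in through open until a fresh key-based login as root succeeds.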

Maverick87Shaka
Posts: 4
Joined: Tue Aug 07, 2018 9:37 am

Os: Debian 8x
Web: nginx + php-fpm
Re: All VestaCP installations being attacked

Post by Maverick87Shaka » Thu Sep 27, 2018 9:07 am

@realjumy, can you try to edit your original post, adding a poll asking about the infected servers? Maybe it helps to understand how many servers were infected.

Just a simple question on the number of servers infected, and people select how many of their servers were infected ;)

pksh71
Posts: 3
Joined: Tue Jun 26, 2018 7:47 am

Os: CentOS 5x
Web: nginx + php-fpm
Re: All VestaCP installations being attacked

Post by pksh71 » Thu Sep 27, 2018 11:16 am

Dear All,

All my VPS at OVH were attacked and have been suspended by OVH; this happened on 24 Sep 2018. We have almost 103 VPS at OVH.
We have no way to get our data out of the OVH VPS as they don't allow us.
What can we do?

regards

ScIT
Support team
Posts: 617
Joined: Mon Feb 23, 2015 4:13 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: All VestaCP installations being attacked

Post by ScIT » Thu Sep 27, 2018 1:10 pm

pksh71 wrote: ↑
Thu Sep 27, 2018 11:16 am
Dear All,

All my VPS at OVH were attacked and have been suspended by OVH; this happened on 24 Sep 2018. We have almost 103 VPS at OVH.
We have no way to get our data out of the OVH VPS as they don't allow us.
What can we do?

regards
I don't know a lot about OVH, but I think you can ask them to boot the server in rescue mode to recover your data; just contact their support.

httpd
Posts: 3
Joined: Tue Sep 25, 2018 12:11 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: All VestaCP installations being attacked

Post by httpd » Thu Sep 27, 2018 3:01 pm

pksh71 wrote: ↑
Thu Sep 27, 2018 11:16 am
Dear All,

All my VPS at OVH were attacked and have been suspended by OVH; this happened on 24 Sep 2018. We have almost 103 VPS at OVH.
We have no way to get our data out of the OVH VPS as they don't allow us.
What can we do?

regards
The support of firstvds.ru can block all ports for my VPS except SSH and then turn the server on. Maybe you can go this way too?

mp2017
Posts: 2
Joined: Fri Jul 20, 2018 12:40 pm

Os: Debian 7x
Web: apache + nginx
Re: All VestaCP installations being attacked

Post by mp2017 » Thu Sep 27, 2018 5:58 pm

Also got a notification from AWS that my server is involved in a DoS on that Chinese IP; I've checked and confirm that my server is compromised and Vesta is not opening.
Starting to get tired of this s#it.

luizjr
Posts: 8
Joined: Thu Dec 21, 2017 5:52 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: All VestaCP installations being attacked

Post by luizjr » Fri Sep 28, 2018 12:04 am

ctrlpac wrote: ↑
Tue Sep 25, 2018 12:11 pm
That seems a CRITICAL issue. I need to identify that.

Please @vestacp team, if you need any help, don't hesitate to contact me!
As it is open source and you have the knowledge for such things, you could rather help and show them the solution.

The faster the better.

luizjr
Posts: 8
Joined: Thu Dec 21, 2017 5:52 pm

Os: Ubuntu 17x
Web: apache + nginx
Re: All VestaCP installations being attacked

Post by luizjr » Fri Sep 28, 2018 12:06 am

realjumy wrote: ↑
Tue Sep 25, 2018 2:21 pm
dpeca wrote: ↑
Tue Sep 25, 2018 2:15 pm
In what datacenter are those servers?
Mine and my friends' are in OVH. I don't know about other people.
Mine too.
On average 10 servers.

