All VestaCP installations being attacked Topic is solved

[maman]

When you are an attacker, and when you scan a milion of IP addresses, you don't have 15 minutes per one IP (to scan all 65535 ports)... you just check 22, 8083, eventualy 2022 or 2222, and then you go to next IP...

maybe if i'm the attacker i will not do like that.
here's what i will do instead:
From that millions ip i need to filter which is using VESTACP (maybe by fecthing each http://[IP-ADDRESS] and see which has 'Powered by VESTA' in it).
So for that millions ip maybe I get 5000 IP that uses VESTA using that 1 fingerprint. Now the the target is way way way smaller to do the port scanning.

[dpeca]

maybe if i'm the attacker i will not do like that.
here's what i will do instead:
From that millions ip i need to filter which is using VESTACP (maybe by fecthing each http://[IP-ADDRESS] and see which has 'Powered by VESTA' in it).
So for that millions ip maybe I get 5000 IP that uses VESTA using that 1 fingerprint. Now the the target is way way way smaller to do the port scanning.

Maybe that can explain how servers with changed port get hacked...

[pqpk2009]

I have 3 servers with vesta. Only 1 is attacked.Always the same server. 2 servers are working well (they are in the same host), that attacked is in other host. I rebuild it many times, changed ip server, hostname, password, ssh port, permit root login without-password but each day it is attacked... I don't know how solve this situation....

Admin account default password change?
If there is no modification, the password generation algorithm is cracked.

[Spheerys]

How can I check if my server is compromised ?

[pqpk2009]

How can I check if my server is compromised ?

It seems that there is no way to know DDOS after hijacking attacks China's servers.

[httpd]

Official comments from vesta developers whether will written?

[flanders]

I rebuild my server. Now I changed the vestacp port too (only access with key, custom ssh port, protocol 2) it is working from 2 days for me. The only difference from the last attack is the vestacp port.

[kandalf]

How can we know if our server is compromised?

[mehargags]

None of the panels uses Nginx as reverse proxy to Apache... thats a big plus for Vesta hands down. The biggest reason for performance on a default config. Atleast that was the most attractive point for me 5 years back when I started using it

[Akinola]

My dev server got compromise as the password for admin user got changed, lucky I had the shell for admin user set to rssh so that attempt to run the payload in /var/tmp got blocked.

Heres the attempted command run via ssh from ip:45.76.146.8 command: echo "9WlgVjGkot" | sudo -S -p "" chmod 0777 /var/tmp/creator-x86_64-1 && echo "9WlgVjGkot" | sudo -S -p "" /var/tmp/creator-x86_64-1 &>/dev/null && echo "9WlgVjGkot" | sudo -S -p "" rm -f /var/log/auth.log /var/log/secure

Here the virustotal of the payload https://www.virustotal.com/#/file/b2c55 ... /detection will provide creator-x86_64-1 file to the admin on request.

Thanks for the link.