All VestaCP installations being attacked (Topic is solved)
Re: All VestaCP installations being attacked
Maybe if I'm the attacker I will not do it like that.
Here's what I will do instead:
From those millions of IPs I need to filter which are using VestaCP (maybe by fetching each http://[IP-ADDRESS] and seeing which has 'Powered by VESTA' in it).
So from those millions of IPs maybe I get 5000 IPs that use Vesta using that one fingerprint. Now the target is way, way, way smaller to do the port scanning.
Re: All VestaCP installations being attacked
Maybe that can explain how servers with a changed port get hacked...

maman wrote: ↑Mon Oct 01, 2018 11:54 am
Maybe if I'm the attacker I will not do it like that.
Here's what I will do instead:
From those millions of IPs I need to filter which are using VestaCP (maybe by fetching each http://[IP-ADDRESS] and seeing which has 'Powered by VESTA' in it).
So from those millions of IPs maybe I get 5000 IPs that use Vesta using that one fingerprint. Now the target is way, way, way smaller to do the port scanning.
Re: All VestaCP installations being attacked
Admin account default password change?

flanders wrote: ↑Mon Oct 01, 2018 11:08 am
I have 3 servers with Vesta. Only 1 is attacked. Always the same server. 2 servers are working well (they are in the same host); the attacked one is in another host. I rebuilt it many times, changed server IP, hostname, password, SSH port, permit root login without-password, but each day it is attacked... I don't know how to solve this situation....

If there is no modification, the password generation algorithm is cracked.
Re: All VestaCP installations being attacked
How can I check if my server is compromised ?
Re: All VestaCP installations being attacked
Will official comments from the Vesta developers be written?
Re: All VestaCP installations being attacked
I rebuilt my server. Now I changed the VestaCP port too (only access with key, custom SSH port, protocol 2); it has been working for 2 days for me. The only difference from the last attack is the VestaCP port.
Re: All VestaCP installations being attacked
How can we know if our server is compromised?
Re: All VestaCP installations being attacked
None of the panels uses Nginx as a reverse proxy to Apache... that's a big plus for Vesta, hands down. The biggest reason for performance on a default config. At least that was the most attractive point for me 5 years back when I started using it.
Re: All VestaCP installations being attacked
Thanks for the link.

Razza wrote: ↑Tue Sep 25, 2018 4:55 pm
My dev server got compromised as the password for the admin user got changed; luckily I had the shell for the admin user set to rssh, so the attempt to run the payload in /var/tmp got blocked.
Here's the attempted command run via SSH from IP 45.76.146.8:
command: echo "9WlgVjGkot" | sudo -S -p "" chmod 0777 /var/tmp/creator-x86_64-1 && echo "9WlgVjGkot" | sudo -S -p "" /var/tmp/creator-x86_64-1 &>/dev/null && echo "9WlgVjGkot" | sudo -S -p "" rm -f /var/log/auth.log /var/log/secure
Here is the VirusTotal of the payload: https://www.virustotal.com/#/file/b2c55 ... /detection. Will provide the creator-x86_64-1 file to the admin on request.
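The quoted sudo chain leaves three traces on a host: an executable dropped in /var/tmp, the auth logs removed, and it only works at all when the admin user has a real login shell (the rssh setting is what blocked it here). As an added example, not from this thread or the VestaCP project, a POSIX shell audit for exactly those traces; the ROOT prefix argument and the function names are assumptions so it can run against a constructed directory tree as well as the live host.

```shell
#!/bin/sh
# Added host audit (not from this thread or VestaCP). It looks for the three
# traces the quoted sudo chain leaves: an executable dropped in /var/tmp,
# auth logs removed, and a VestaCP "admin" user whose login shell is
# unrestricted. The root-prefix argument is an assumption so the checks can
# run on a constructed tree; pass "" for the live host.

# Executable regular files directly under /var/tmp (the payload was chmod 0777).
suspicious_tmp_files() {
    find "$1/var/tmp" -maxdepth 1 -type f -perm -100 2>/dev/null
}

# The command removed both auth.log (Debian) and secure (RHEL/CentOS);
# a host normally has at least one, so flag only when neither exists.
auth_logs_present() {
    [ -e "$1/var/log/auth.log" ] || [ -e "$1/var/log/secure" ]
}

# Login shell of the "admin" user from /etc/passwd (empty if absent).
admin_shell() {
    awk -F: '$1 == "admin" { print $NF }' "$1/etc/passwd" 2>/dev/null
}

# Prints each finding and returns 0 when clean, 1 when any indicator fires.
audit_host() {
    root="${1:-}"
    hits=0
    for f in $(suspicious_tmp_files "$root"); do
        echo "executable in /var/tmp: $f"
        hits=$((hits + 1))
    done
    if ! auth_logs_present "$root"; then
        echo "both /var/log/auth.log and /var/log/secure are missing"
        hits=$((hits + 1))
    fi
    shell="$(admin_shell "$root")"
    case "$shell" in
        ""|*/rssh|*/nologin|*/false) ;;   # restricted shell or no admin user
        *) echo "admin login shell is $shell (not restricted)"; hits=$((hits + 1)) ;;
    esac
    [ "$hits" -eq 0 ]
}
```

On a live server run `audit_host ""`; a non-zero exit means at least one of the three indicators was found.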