Vesta Control Panel - Forum

Two servers are hacked today via Vestacp

General questions about VestaCP
Locked
22 posts
really
Posts: 21
Joined: Mon Mar 05, 2018 3:44 am

Os: CentOS 6x
Web: apache + nginx
Re: Two servers are hacked today via Vestacp

Post by really » Mon Apr 09, 2018 5:48 am

> baoang wrote: Mon Apr 09, 2018 4:46 am
> > really wrote: Mon Apr 09, 2018 4:39 am
> > This happened on Debian 8.1 as well, so I doubt it's OS dependent.
> >
> > I had to put iptables in DROP mode and only allow traffic to my specific IP. I also dropped conntrack's max connections to avoid getting suspended and backed up my shit.
> >
> > In the meantime I was trying to reinstall the server so I can get on with my life but it seems vesta's developer removed vesta packages from repo because the installer doesn't work anymore. Probably a smart move, since all Vesta servers are vulnerable right now.
>
> See the top alert? The team has released a security fix, build 20.

That top alert is about as useful as soggy bread :) it doesn't link to anything, and the repos are still not populated.

really
Posts: 21
Joined: Mon Mar 05, 2018 3:44 am

Os: CentOS 6x
Web: apache + nginx
Re: Two servers are hacked today via Vestacp

Post by really » Mon Apr 09, 2018 5:49 am

> sandy wrote: Mon Apr 09, 2018 4:55 am
> > really wrote: Mon Apr 09, 2018 4:39 am
> > This happened on Debian 8.1 as well, so I doubt it's OS dependent.
> >
> > I had to put iptables in DROP mode and only allow traffic to my specific IP. I also dropped conntrack's max connections to avoid getting suspended and backed up my shit.
> >
> > In the meantime I was trying to reinstall the server so I can get on with my life but it seems vesta's developer removed vesta packages from repo because the installer doesn't work anymore. Probably a smart move, since all Vesta servers are vulnerable right now.
>
> after installation stop vesta service or change the port to something else

I stopped it on my other VPSes but they were not part of the IP blocks that were targeted. Got lucky there.

baoang
Posts: 40
Joined: Fri Feb 23, 2018 7:31 am

Os: CentOS 5x
Web: nginx + php-fpm
Re: Two servers are hacked today via Vestacp

Post by baoang » Mon Apr 09, 2018 6:36 am

> really wrote: Mon Apr 09, 2018 5:48 am
> > baoang wrote: Mon Apr 09, 2018 4:46 am
> > > really wrote: Mon Apr 09, 2018 4:39 am
> > > This happened on Debian 8.1 as well, so I doubt it's OS dependent.
> > >
> > > I had to put iptables in DROP mode and only allow traffic to my specific IP. I also dropped conntrack's max connections to avoid getting suspended and backed up my shit.
> > >
> > > In the meantime I was trying to reinstall the server so I can get on with my life but it seems vesta's developer removed vesta packages from repo because the installer doesn't work anymore. Probably a smart move, since all Vesta servers are vulnerable right now.
> >
> > See the top alert? The team has released a security fix, build 20.
>
> That top alert is about as useful as soggy bread :) it doesn't link to anything, and the repos are still not populated.

I thought it, the alert at the top bar is just a reminder that VPSers can update to the latest build. I just logged in onto the panel and did an update, but after the update was complete in a blink, I suspended my domain and well, just wait, and see if this exploit issue will have some other consequences. Guess this attack could last for a while.

The fortunate thing, I'd say, is that I have another backup VPS and when I found my machine not working properly, I don't know if it is related, I set up that backup and have my job not fully interrupted.

And how about you? Is that severe?

Messiah
Posts: 74
Joined: Sun Apr 06, 2014 8:47 pm

Re: Two servers are hacked today via Vestacp

Post by Messiah » Mon Apr 09, 2018 8:25 am

The topic is a duplicate of
viewtopic.php?f=10&t=16556

Please update or at least restrict access to VestaCP panel using vesta nginx config file. Changing default port is not a good solution.

kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Two servers are hacked today via Vestacp

Post by kobo1d » Mon Apr 09, 2018 12:32 pm

i got hacked on debian 9 with blocked port 8083 -> only available to my ip via iptables (tested and working)
only fix until u can use the vestacp updater again is to stop the vesta service!

really
Posts: 21
Joined: Mon Mar 05, 2018 3:44 am

Os: CentOS 6x
Web: apache + nginx
Re: Two servers are hacked today via Vestacp

Post by really » Mon Apr 09, 2018 12:48 pm

> baoang wrote: Mon Apr 09, 2018 6:36 am
> > really wrote: Mon Apr 09, 2018 5:48 am
> > > baoang wrote: Mon Apr 09, 2018 4:46 am
> > > See the top alert? The team has released a security fix, build 20.
> >
> > That top alert is about as useful as soggy bread :) it doesn't link to anything, and the repos are still not populated.
>
> I thought it, the alert at the top bar is just a reminder that VPSers can update to the latest build. I just logged in onto the panel and did an update, but after the update was complete in a blink, I suspended my domain and well, just wait, and see if this exploit issue will have some other consequences. Guess this attack could last for a while.
>
> The fortunate thing, I'd say, is that I have another backup VPS and when I found my machine not working properly, I don't know if it is related, I set up that backup and have my job not fully interrupted.
>
> And how about you? Is that severe?

The VPS that got hacked was not running anything critical so I just let it be. What I did do however is limit # of connections, and all traffic via iptables and it was fine. I backed up my stuff, and wiped my VPS.

The main issue however is that the vesta-* packages are not available in the repo anymore, that's why I'm saying that I cannot reinstall at all.

But you have the right idea for sure, multiple instances serving the same thing, maybe even a haproxy setup if you wanted to get fancy ;)

neuropass
Posts: 12
Joined: Sat Jun 27, 2015 3:45 pm

Re: Two servers are hacked today via Vestacp

Post by neuropass » Mon Apr 09, 2018 2:09 pm

> Messiah wrote: Mon Apr 09, 2018 8:25 am
> The topic is a duplicate of
> viewtopic.php?f=10&t=16556
>
> Please update or at least restrict access to VestaCP panel using vesta nginx config file. Changing default port is not a good solution.

Would you be so kind to explain how to do this under Ubuntu please?

Messiah
Posts: 74
Joined: Sun Apr 06, 2014 8:47 pm

Re: Two servers are hacked today via Vestacp

Post by Messiah » Mon Apr 09, 2018 2:18 pm

The fastest way to protect yourself is to stop VestaCP service:

    service vesta stop

or

    systemctl stop vesta && systemctl disable vesta

Restrict access: edit

    /usr/local/vesta/nginx/conf/nginx.conf

Find

    listen 8083;

You may try to change it to a different port; do not forget to add it to firewall exceptions before doing it.
Also you may put

    allow 1.2.3.4;
    deny all;

in your server { } block.
Also you may put die(); to the top of

    /usr/local/vesta/web/api/index.php

since I believe it's vulnerable for old versions. I won't copy instructions how to update your panel from the nearby located topic since I did not try it personally and I won't update until it will be proved to be stable.
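
The file-based steps in the post above can be checked mechanically. The shell functions below are an added example, not part of the original post or of VestaCP's own tooling; `VESTA_ROOT` and the function names are hypothetical, and the paths are the ones given in the post.

```shell
#!/bin/sh
# Added example: check a VestaCP tree for the file-based mitigations above.
# VESTA_ROOT is an assumed variable of this sketch; the post gives the
# install path as /usr/local/vesta. Point it at a copy to try it safely.

# Port from the first "listen" directive in the panel's nginx.conf.
panel_port() {
    sed -n 's/^[[:space:]]*listen[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' "$1" 2>/dev/null | head -n 1
}

# Succeeds when an uncommented allow line is followed by "deny all;"
# after the start of the server { } block.
panel_acl_ok() {
    awk '
        /^[ \t]*#/                               { next }
        /server[ \t]*[{]/                        { srv = 1 }
        srv && /^[ \t]*allow[ \t]+[^;]+;/        { allow = 1 }
        srv && allow && /^[ \t]*deny[ \t]+all[ \t]*;/ { ok = 1 }
        END { exit (ok ? 0 : 1) }
    ' "$1" 2>/dev/null
}

# Succeeds when the first statement after the opening <?php tag is die();
api_disabled() {
    sed -e '/^[[:space:]]*$/d' -e '/^[[:space:]]*<?php[[:space:]]*$/d' "$1" 2>/dev/null |
        head -n 1 | grep -Eq '^[[:space:]]*(<\?php[[:space:]]+)?die\(\)[[:space:]]*;'
}

# Prints one line per check; the return value is the number of
# mitigations that are missing (0 means both are in place).
audit_vesta() {
    conf="$1/nginx/conf/nginx.conf" api="$1/web/api/index.php" missing=0
    echo "panel port: $(panel_port "$conf")"
    if panel_acl_ok "$conf"; then echo "OK   allow + deny all in server block"
    else echo "MISS no allow + deny all in $conf"; missing=$((missing + 1)); fi
    if api_disabled "$api"; then echo "OK   die(); at top of $api"
    else echo "MISS no die(); at top of $api"; missing=$((missing + 1)); fi
    return "$missing"
}

if [ -n "${VESTA_ROOT:-}" ]; then audit_vesta "$VESTA_ROOT"; fi
```
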

baoang
Posts: 40
Joined: Fri Feb 23, 2018 7:31 am

Os: CentOS 5x
Web: nginx + php-fpm
Re: Two servers are hacked today via Vestacp

Post by baoang » Mon Apr 09, 2018 4:33 pm

> really wrote: Mon Apr 09, 2018 12:48 pm
> > baoang wrote: Mon Apr 09, 2018 6:36 am
> > > really wrote: Mon Apr 09, 2018 5:48 am
> > > That top alert is about as useful as soggy bread :) it doesn't link to anything, and the repos are still not populated.
> >
> > I thought it, the alert at the top bar is just a reminder that VPSers can update to the latest build. I just logged in onto the panel and did an update, but after the update was complete in a blink, I suspended my domain and well, just wait, and see if this exploit issue will have some other consequences. Guess this attack could last for a while.
> >
> > The fortunate thing, I'd say, is that I have another backup VPS and when I found my machine not working properly, I don't know if it is related, I set up that backup and have my job not fully interrupted.
> >
> > And how about you? Is that severe?
>
> The VPS that got hacked was not running anything critical so I just let it be. What I did do however is limit # of connections, and all traffic via iptables and it was fine. I backed up my stuff, and wiped my VPS.
>
> The main issue however is that the vesta-* packages are not available in the repo anymore, that's why I'm saying that I cannot reinstall at all.
>
> But you have the right idea for sure, multiple instances serving the same thing, maybe even a haproxy setup if you wanted to get fancy ;)

https://www.lowendtalk.com/discussion/1 ... h-released
This post, and someone said
> if you see the gcc.sh note the timestamp and check for files with the same timestamp or changed from then.
> the binary also might be found in /lib/libudev.so instead of /usr/lib/libudev.so

I was happy, because I updated mine to build 20, and I didn't find that libudev under /usr/lib dir. When I read the above lines, I tried again to locate the dir at /lib/libudev.so, and this time, you guess!
[Image]

Now I see why I encountered weird problems a couple of days ago. It's not the phpBB3 problem, and it's not my SSL certificate. My box has been hacked. And that's why I turned to another panel and everything goes ok.

Now I'll have to change my CloudFlare API info, because I use the API key to renew my SSL... and my phpBB database and my Gmail account password for smtp sending-out emails!

MiguelVESTACP
Posts: 21
Joined: Tue Sep 05, 2017 12:39 pm

Re: Two servers are hacked today via Vestacp

Post by MiguelVESTACP » Tue Apr 10, 2018 7:05 am

How can I check if my server is hacked?
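
The only indicators named in this thread are a `gcc.sh` file and a `libudev.so` binary under `/lib` or `/usr/lib`, together with the advice to look for files with the same or a later timestamp. The shell check below looks for exactly those; it is an added example, not part of any post here, and `SCAN_ROOT`, the function names and the list of directories compared are assumptions of the sketch.

```shell
#!/bin/sh
# Added example: search a filesystem for the indicators quoted in this thread.
# Run as root with SCAN_ROOT=/ or point SCAN_ROOT at a mounted disk image.
# SCAN_ROOT and the directory list in changed_since are assumptions.

# A regular file named libudev.so directly under lib/ or usr/lib/.
# (A symlink there can be an ordinary development link, so it is skipped.)
find_libudev() {
    for p in "$1/lib/libudev.so" "$1/usr/lib/libudev.so"; do
        if [ -f "$p" ] && [ ! -L "$p" ]; then echo "$p"; fi
    done
}

# Any file called gcc.sh on the same filesystem as the root.
find_gcc_sh() {
    find "${1:-/}" -xdev -type f -name gcc.sh 2>/dev/null || true
}

# Files in system directories whose mtime equals or is later than the
# reference file ("same timestamp or changed from then").
changed_since() {
    ref=$1
    for d in etc bin sbin lib usr/bin usr/sbin usr/lib; do
        if [ -d "$2/$d" ]; then find "$2/$d" -xdev -type f 2>/dev/null || true; fi
    done | while IFS= read -r f; do
        if [ "$f" != "$ref" ] && ! [ "$ref" -nt "$f" ]; then echo "$f"; fi
    done
}

# Report every hit; returns 0 when nothing was found, 1 otherwise.
# Paths containing whitespace are not handled by the two for loops.
scan_host() {
    root=${1%/} hits=0
    for f in $(find_libudev "$root"); do
        echo "SUSPECT library: $f"; hits=$((hits + 1))
    done
    for g in $(find_gcc_sh "$root"); do
        echo "SUSPECT script:  $g"; hits=$((hits + 1))
        changed_since "$g" "$root" | sed 's/^/    same time or later: /'
    done
    [ "$hits" -eq 0 ]
}

if [ -n "${SCAN_ROOT:-}" ]; then scan_host "$SCAN_ROOT"; fi
```

A clean result only means these two names were not found; it does not show that the machine is uncompromised.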