Vesta Control Panel - Forum

All VestaCP installations being attacked Topic is solved

General questions about VestaCP
231 posts, page 19 of 24
Prime_
Posts: 8
Joined: Wed May 16, 2018 10:22 pm

Os: CentOS 6x
Web: apache
Re: All VestaCP installations being attacked

Post by Prime_ » Wed Oct 17, 2018 7:19 pm

imperio wrote on Wed Oct 17, 2018 7:11 pm:
    Now we are working under fix
Errr, what about all the passwords that were sent in something similar to plaintext to your servers? This reply is honestly not going to cut it.

harry
Posts: 14
Joined: Sun Dec 31, 2017 10:50 pm

Os: CentOS 6x
Web: apache
Re: All VestaCP installations being attacked

Post by harry » Wed Oct 17, 2018 7:28 pm

This just proves that it is the time to move on, VestaCP was great, but we just can't trust it anymore. As a developer for most of my life I can state that there is literally NO reason to EVER send a password somewhere, encrypted or not.

harry
Posts: 14
Joined: Sun Dec 31, 2017 10:50 pm

Os: CentOS 6x
Web: apache
Re: All VestaCP installations being attacked

Post by harry » Wed Oct 17, 2018 7:36 pm

I now start to think that the security hole that came up back in April could've been made intentionally too.
I've also checked this fork https://github.com/madeITBelgium/vesta and it seems promising, as it is updated nearly every day and does not use the repositories of Vesta. I'm going to switch to VirtualMin soon though.

skid
VestaCP Team
Posts: 1476
Joined: Wed Apr 06, 2011 11:12 pm

Re: All VestaCP installations being attacked

Post by skid » Wed Oct 17, 2018 8:25 pm

I'm sorry about the inactivity in this thread from our side. It was a complex issue and we were not sure we understood the whole picture. The leak in the installer is just one piece of the puzzle. All pieces together lead to a cumulative effect.

Issue number one
Our infrastructure server was hacked, presumably using an API bug in release 0.9.8-20. The hackers then changed all installation scripts to log the admin password and IP in addition to the distro name we used to collect stats.

Please check whether your server IP is listed here:
>>>>> http://vestacp.com/test/?ip=127.0.0.1 <<<<<

If it's there you should change admin passwords as soon as possible. Also please make sure there is no /usr/bin/dhcprenew binary installed on your server. This binary is some sort of trojan that is able to launch remote DDoS attacks or open a shell to your server.

Code:

root@localhost:~! strings /usr/bin/dhcprenew
last-modified
If-Modified-Since:%s
http://193.201.224.238:8852/RTEGFN01;http://zxcvbmnnfjjfwq.com:8852/RTEGFN01;http://efbthmoiuykmkjkjgt.com:8852/RTEGFN01
/data/local/tmp/tmp.l

When launched it hides as a [kworker/1:1] process.

Code:

root      3308  0.0  0.0    272    52 ?        Ss   Sep24   0:00 [kworker/1:1]
root      3362  0.0  0.1   5596  1296 ?        Ss   Sep24   0:09 [kworker/1:1]
root      3363  0.0  0.0   5248   940 ?        S    Sep24   0:12  \_ [kworker/1:1]

Issue number two
However, the first issue didn't explain a few affected servers. Luckily security experts from https://arcturussecurity.com helped us to uncover another security vulnerability.

The new release will be available in the next few hours.
I will keep you posted.
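A defender's check for the two indicators skid describes, written as an added example (it is not VestaCP's own checker nor code from this thread). Real kernel threads have an empty /proc/PID/cmdline, which is why ps shows them in brackets; a process that carries a kworker-style name in its own cmdline was started from user space. The root prefix argument is an assumption so the checks can be run against a staged directory tree as well as the live system:

```shell
#!/bin/sh
# Added example: look for the indicators from skid's post, namely a
# /usr/bin/dhcprenew binary and a user-space process masquerading as
# the kernel thread [kworker/N:M]. The first argument is an assumed
# root prefix ("" for the live system, or a staged tree for testing).

# Prints "PID name exe" for every process whose cmdline looks like a
# kernel-thread name. Genuine kernel threads have an empty cmdline and
# no readable exe link, so they never match.
find_fake_kworkers() {
    root=${1:-}
    for p in "$root"/proc/[0-9]*; do
        [ -r "$p/cmdline" ] || continue
        name=$(tr '\0' '\n' < "$p/cmdline" | head -n 1)
        case "$name" in
            "[kworker/"*|"kworker/"*)
                # exe may be unreadable without root; mark it unknown
                exe=$(readlink "$p/exe" 2>/dev/null || echo '?')
                echo "${p##*/} $name $exe"
                ;;
        esac
    done
}

# Returns 1 (and prints the path) if the trojan binary is present.
check_dhcprenew() {
    root=${1:-}
    if [ -e "$root/usr/bin/dhcprenew" ]; then
        echo "FOUND $root/usr/bin/dhcprenew"
        return 1
    fi
    return 0
}

# Live-system usage: run both checks against the real filesystem.
# check_dhcprenew "" ; find_fake_kworkers ""
```

Any line printed by either function is worth a manual look; a clean server prints nothing.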

harry
Posts: 14
Joined: Sun Dec 31, 2017 10:50 pm

Os: CentOS 6x
Web: apache
Re: All VestaCP installations being attacked

Post by harry » Wed Oct 17, 2018 8:45 pm

Thank you for the explanation, it explains pretty much most of the things. Glad the project is not dead.
A suggestion for the future: aim for total transparency, update users more, use HTTPS on the repository and config servers, make r.vestacp.com and c.vestacp.com browsable so users could see when a certain file was changed.

skid
VestaCP Team
Posts: 1476
Joined: Wed Apr 06, 2011 11:12 pm

Re: All VestaCP installations being attacked

Post by skid » Wed Oct 17, 2018 10:18 pm

harry wrote on Wed Oct 17, 2018 8:45 pm:
    Thank you for the explanation, it explains pretty much most of the things. Glad the project is not dead.
    A suggestion for the future: aim for total transparency, update users more, use HTTPS on the repository and config servers, make r.vestacp.com and c.vestacp.com browsable so users could see when a certain file was changed.
Thank you for the suggestions. Remote config server c.vestacp.com is now deprecated. The server is still up and running but the new installer doesn't use it anymore. All service configuration files are installed from the vesta package.

Code:

VESTA='/usr/local/vesta'
release=$(grep -o "[0-9]" /etc/redhat-release |head -n1)
codename="${os}_$release"
vestacp="$VESTA/install/$VERSION/$release"

....

cp -f $vestacp/httpd/httpd.conf /etc/httpd/conf/

The package is built using the GitHub repo as the config source, and we believe GitHub provides the best tracking for config changes. When the package is ready it is signed using PGP and then pushed to the r.vestacp.com or apt.vestacp.com package repository.

In other words we have
- eliminated the risk that c.vestacp.com could affect new installations in any way
- removed distro stats notification from the installer to avoid any related risks

chrisf
Posts: 49
Joined: Sat Oct 13, 2018 6:25 pm

Os: Ubuntu 16x
Web: apache + nginx
Re: All VestaCP installations being attacked

Post by chrisf » Thu Oct 18, 2018 4:06 am

Any further information? Awaiting the update.

skid
VestaCP Team
Posts: 1476
Joined: Wed Apr 06, 2011 11:12 pm

Re: All VestaCP installations being attacked

Post by skid » Thu Oct 18, 2018 8:58 am

Finally the new release is available.
Please update your server as soon as possible.

Release notes for 0.9.8-23
- Security fix for timing attack on password reset. Thanks to https://arcturussecurity.com
- Security fix for v-open-fs-config. Its visibility is limited to the /etc and /var/lib directories
- Security check for /usr/bin/dhcprenew binary. If found, the checker notifies the server administrator
- Security improvement for sudo. It is now limited to vesta scripts only and doesn't allow admin to execute any other command
- Security improvement: admin password and database passwords are generated individually
- Security improvement: new installer doesn't use c.vestacp.com as source for the configuration files. Configs are bundled inside the vesta package
- Security improvement: installer doesn't send any information to vestacp.com after successful installation. It used to send the distro name for usage statistics.

Stesh
Posts: 348
Joined: Mon Nov 09, 2015 5:52 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: All VestaCP installations being attacked

Post by Stesh » Thu Oct 18, 2018 9:38 am

For Centos:

Code:

yum update vesta\*

someuser
Posts: 33
Joined: Fri Dec 26, 2014 12:01 pm

Re: All VestaCP installations being attacked

Post by someuser » Thu Oct 18, 2018 10:45 am

Code:

[root@vpszcka ~]# yum update vesta
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.hosting90.cz
 * epel: mirror.spreitzer.ch
 * extras: mirror.hosting90.cz
 * remi: remi.schlundtech.de
 * remi-php55: remi.schlundtech.de
 * remi-php56: remi.schlundtech.de
 * remi-safe: remi.schlundtech.de
 * remi-test: remi.schlundtech.de
 * updates: mirror.hosting90.cz
No packages marked for update
Is it okay?


All times are UTC