All VestaCP installations being attacked Topic is solved

[trom]

I need work servers
How change vesta port?

[realjumy]

I need work servers
How change vesta port?

My servers had the port changed. They still were compromised.

[dpeca]

In what datacenter are those servers?

[realjumy]

In what datacenter are those servers?

Mine and my friends' are in OVH. I don't know other people.

[MrCraac]

Hi, 21 servers hacked , all hosted by OVH. All of them with random ports.
We really need to have feedback about what was the issue and how it worked, until then , our servers are going back to plesk :(

[lukapaunovic]

I just want to report I have two customers whose servers were recently reinstalled and everything was clean. They got hacked and their server suspended for outbound DoS
They had mod_security with Comodo WAF rules implemented on apache.... also maldetect... chkrootkit...
And also had these functions disabled. The sites weren't under admin account. Passwords were strong, clients weren't using nulled.

Code: Select all

disable_functions = "pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,show_source,system,passthru,shell_exec,proc_open,popen,phpinfo"

There seems to be a major security breach in VESTA. This cannot be coincidental. Two servers, same time. it means it was the same entry-point (similar like the one before in Roundcube). This needs to be investigated ASPAP.

[realjumy]

I just want to report I have two customers whose servers were recently reinstalled and everything was clean. They got hacked and their server suspended for outbound DoS
They had mod_security with Comodo WAF rules implemented on apache.... also maldetect... chkrootkit...
And also had these functions disabled. The sites weren't under admin account. Passwords were strong, clients weren't using nulled.

Code: Select all

disable_functions = "pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,exec,show_source,system,passthru,shell_exec,proc_open,popen,phpinfo"

There seems to be a major security breach in VESTA. This cannot be coincidental. Two servers, same time. it means it was the same entry-point (similar like the one before in Roundcube). This needs to be investigated ASPAP.

Which provider were they using?

[lukapaunovic]

OVH....
They are always being targeted, along with Digital Ocean.
Some people who use Hetzner aren't having issues because bots aren't scanning those IP ranges.
They are just 'lucky'. That doesn't mean issue/vulnerability is not present.

[trom]

I use servers on different hosters problem at all

If port change dont help i think we need hide or block login on vesta panel from web
but HOW ?

I noticed that on one server when i try to open :8083/login/
i see 502 erorr
this erorr was only in one hoster and appeared today

[realjumy]

I use servers on different hosters problem at all

If port change dont help i think we need hide or block login on vesta panel from web
but HOW ?

I noticed that on one server when i try to open :8083/login/
i see 502 erorr
this erorr was only in one hoster and appeared today

Try withouth the /login, and also check that it's the right port.

If that doesn't work, probably the provider stopped your VM.