Got 10 VestaCP servers exploited

[sandy]

viewtopic.php?f=10&t=16558&p=68543
some more info about the attack

[lukapaunovic]

This matter needs to be looked into by core of VestaCP team immediately.
it's the matter of time when other providers and server will get hacked.
We need fix ASAP

[sandy]

This matter needs to be looked into by core of VestaCP team immediately.
it's the matter of time when other providers and server will get hacked.
We need fix ASAP

some will even suspend the server permanently

[Prime]

While this issue is on-going, I highly urge everyone to change ports of your vestaCP-installation. This to ensure to make it harder for break-in attempts as usually the exploits only target certain ports (in this case, default port.)

[sandy]

While this issue is on-going, I highly urge everyone to change ports of your vestaCP-installation. This to ensure to make it harder for break-in attempts as usually the exploits only target certain ports (in this case, default port.)

or :

Code: Select all

service vesta stop

[sandy]

this time exploit is severe resulting outbound ddos attack. And 99% of hosts doesn't allow it on there network

[skid]

While this issue is on-going, I highly urge everyone to change ports of your vestaCP-installation. This to ensure to make it harder for break-in attempts as usually the exploits only target certain ports (in this case, default port.)

or :

Code: Select all

service vesta stop

This is the best way to stay safe until we find out the reason and release the update. Thanks for positing it.

[skid]

If your server got hacked please send us root access to [email protected] so we can take a look and inspect it. Thanks

[Prime]

While this issue is on-going, I highly urge everyone to change ports of your vestaCP-installation. This to ensure to make it harder for break-in attempts as usually the exploits only target certain ports (in this case, default port.)

or :

Code: Select all

service vesta stop

Even better for the moment being:

Code: Select all

systemctl stop vesta && systemctl disable vesta

And when it's fixed:

Code: Select all

systemctl enable vesta && systemctl start vesta

Just in case you need to do a reboot or what not, so the service stays off :)

[StudioMaX]

Just to think: when logging in through the web interface to Vesta, a session file should be created, right? And all of them located in /usr/local/vesta/data/sessions
As I understand the web interface internals, PHP will check that we have "user" variable inside the session (https://github.com/serghey-rodin/vesta/ ... /index.php), otherwise it will redirect to the Login page.
What I mean - I looked through all the session files in notepad, and search them for variable "user", and it exist only in the sessions created by me (my IP address exists in "user_combined_ip" variable). Therefore, this exploit is either not related to the web interface, or it directly calls some public scripts that do not require authorization.