Vesta Control Panel - Forum

Got 10 VestaCP servers exploited

General questions about VestaCP
549 posts
  • Page 35 of 55
snakom23
Posts: 11
Joined: Fri Aug 26, 2016 1:34 pm

Re: Got 10 VestaCP servers exploited

Post by snakom23 » Mon Apr 09, 2018 2:14 pm

isac wrote: ↑
Mon Apr 09, 2018 1:56 pm
We need a Debian 9 update; trying to update from 0.9.8 but without luck.
The same for me.

pipoy
Posts: 112
Joined: Mon Sep 11, 2017 8:02 am

Os: CentOS 6x
Web: apache
Re: Got 10 VestaCP servers exploited

Post by pipoy » Mon Apr 09, 2018 2:27 pm

RevengeFNF wrote: ↑
Mon Apr 09, 2018 2:13 pm
pipoy wrote: ↑
Mon Apr 09, 2018 2:09 pm
Isn't it the default that when your firewall is enabled, everything is dropped?

And by default, only the accepted ones are in the FIREWALL tab.

If you already changed your admin port, your 8083 is automatically dropped.

I really don't think the exploitation is related to 8083. Mine is a different port but I got hacked.
Did you install VestaCP recently?
We are trying to know if their repo was exploited.
My vestas are 3 months old

RevengeFNF
Posts: 92
Joined: Sat Aug 02, 2014 6:50 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by RevengeFNF » Mon Apr 09, 2018 2:29 pm

pipoy wrote: ↑
Mon Apr 09, 2018 2:27 pm
My vestas are 3 months old
That is very strange. How the hell did they exploit your server?

In my case, I have three servers with Vesta, and none of them was exploited. On the most important one, I did have port 8083 blocked with iptables.
Then I have one test server where I installed Vesta last week, and that one was indeed exploited.
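Several posts above turn on whether the panel port was actually blocked by iptables. The following is an added example, not code from the thread or from the Vesta project: a POSIX shell audit that reads `iptables -S INPUT` output from stdin and reports whether a port (8083 by default) is open to any source, restricted to an allowlist, or dropped. It assumes the relevant rules live in the INPUT chain and are port-specific (`--dport`); the sample rule sets and the 203.0.113.5 address are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread or the Vesta project): audit whether a
# control-panel port is reachable from anywhere, given `iptables -S INPUT`
# output on stdin. Assumption: the relevant rules live in the INPUT chain and
# are port-specific (--dport); broad source-only ACCEPTs or multiport rules
# are not evaluated, so treat the result as a first check, not proof.
#
# Verdicts (first matching rule wins, as in iptables):
#   OPEN        an ACCEPT for the port has no source limit, or the port falls
#               through to an ACCEPT chain policy
#   RESTRICTED  only source-limited ACCEPTs, then a DROP/REJECT or DROP policy
#   DROPPED     no ACCEPT for the port; a DROP/REJECT rule or policy covers it
audit_panel_port() {
    port="${1:-8083}"
    awk -v port="$port" '
        # chain policy line, e.g. "-P INPUT DROP"
        $1 == "-P" && $2 == "INPUT" { policy = $3 }

        # rule line, e.g. "-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 8083 -j ACCEPT"
        $1 == "-A" && verdict == "" {
            hit = 0; target = ""; src = "0.0.0.0/0"
            for (i = 2; i <= NF; i++) {
                if ($i == "--dport" && $(i+1) == port) hit = 1
                if ($i == "-j") target = $(i+1)
                if ($i == "-s") src = $(i+1)
            }
            if (!hit) next
            any = (src == "0.0.0.0/0" || src == "::/0")
            if (target == "ACCEPT") {
                if (any) { verdict = "OPEN" } else { restricted = 1 }
            } else if (target == "DROP" || target == "REJECT") {
                if (any) { verdict = (restricted ? "RESTRICTED" : "DROPPED") }
            }
        }

        END {
            if (verdict == "") {
                if (policy == "DROP" || policy == "REJECT") {
                    verdict = (restricted ? "RESTRICTED" : "DROPPED")
                } else {
                    # allowlist ACCEPTs short-circuit for those sources only;
                    # every other source falls through to the ACCEPT policy
                    verdict = "OPEN"
                }
            }
            print verdict
        }
    '
}

# Feed a rule set held in a shell variable to the audit (port defaults to 8083).
audit_rules() {
    printf '%s\n' "$1" | audit_panel_port "${2:-8083}"
}

# Constructed sample rule sets (not captured from any real server).
RULES_OPEN='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT'

RULES_RESTRICTED='-P INPUT DROP
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j DROP'

# Common mistake: allowlist ACCEPT but no closing DROP and an ACCEPT policy.
RULES_LEAKY='-P INPUT ACCEPT
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 8083 -j ACCEPT'

# On a live host: iptables -S INPUT | audit_panel_port 8083
printf 'open: %s\nrestricted: %s\nleaky: %s\n' \
    "$(audit_rules "$RULES_OPEN")" \
    "$(audit_rules "$RULES_RESTRICTED")" \
    "$(audit_rules "$RULES_LEAKY")"
```

The leaky case is the one worth checking for: an allowlist ACCEPT with no closing DROP and an ACCEPT chain policy leaves the port reachable from every other source, even though the FIREWALL tab looks correct. Re-run the audit after changing the panel port, passing the new port number, since the thread reports servers on a non-default port being compromised as well.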

pipoy
Posts: 112
Joined: Mon Sep 11, 2017 8:02 am

Os: CentOS 6x
Web: apache
Re: Got 10 VestaCP servers exploited

Post by pipoy » Mon Apr 09, 2018 2:43 pm

RevengeFNF wrote: ↑
Mon Apr 09, 2018 2:29 pm
pipoy wrote: ↑
Mon Apr 09, 2018 2:27 pm
My vestas are 3 months old
That is very strange. How the hell did they exploit your server?

In my case, I have three servers with Vesta, and none of them was exploited. On the most important one, I did have port 8083 blocked with iptables.
Then I have one test server where I installed Vesta last week, and that one was indeed exploited.

My question is: how did they know we are using Vesta?

I never gave away my links here in the forum.

n0x
Posts: 16
Joined: Sat Apr 07, 2018 10:30 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by n0x » Mon Apr 09, 2018 2:43 pm

RevengeFNF wrote: ↑
Mon Apr 09, 2018 2:13 pm
Did you install VestaCP recently?
We are trying to know if their repo was exploited.
I don't think it was the repo - I had installations that were made 3 months ago and last updated in Jan 2018 suddenly get exploited around mid-day on Saturday 7th April.

This is almost definitely a vulnerability within the code; I would guess it allowed a malicious user to access the 'admin' account and execute, given the update 0.9.8-20 that was released:

Hardening password checks
Auth fix
It would be interesting to know what was fixed without having to go through the code for a comparison to 0.9.8-19.

n0x
Posts: 16
Joined: Sat Apr 07, 2018 10:30 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by n0x » Mon Apr 09, 2018 2:45 pm

pipoy wrote: ↑
Mon Apr 09, 2018 2:43 pm
RevengeFNF wrote: ↑
Mon Apr 09, 2018 2:29 pm
pipoy wrote: ↑
Mon Apr 09, 2018 2:27 pm
My vestas are 3 months old
That is very strange. How the hell did they exploit your server?

In my case, I have three servers with Vesta, and none of them was exploited. On the most important one, I did have port 8083 blocked with iptables.
Then I have one test server where I installed Vesta last week, and that one was indeed exploited.

My question is: how did they know we are using Vesta?

I never gave away my links here in the forum.
They'll have discovered an exploit in the Vesta code base and just run a port scan across IP blocks (probably starting with large VM providers like AWS, DO and OVH) for servers with 8083 open that respond with Vesta headers.

RevengeFNF
Posts: 92
Joined: Sat Aug 02, 2014 6:50 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by RevengeFNF » Mon Apr 09, 2018 2:46 pm

pipoy wrote: ↑
Mon Apr 09, 2018 2:43 pm
RevengeFNF wrote: ↑
Mon Apr 09, 2018 2:29 pm
pipoy wrote: ↑
Mon Apr 09, 2018 2:27 pm
My vestas are 3 months old
That is very strange. How the hell did they exploit your server?

In my case, I have three servers with Vesta, and none of them was exploited. On the most important one, I did have port 8083 blocked with iptables.
Then I have one test server where I installed Vesta last week, and that one was indeed exploited.

My question is: how did they know we are using Vesta?

I never gave away my links here in the forum.
The most common way is to ping port 8083. I don't know any other software that uses that port by default.

If they are exploiting servers even with that port blocked, the only way I am currently imagining is for the Vesta repo to have also been compromised.
Their repo is also using VestaCP.

RevengeFNF
Posts: 92
Joined: Sat Aug 02, 2014 6:50 pm

Os: CentOS 6x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by RevengeFNF » Mon Apr 09, 2018 2:50 pm

n0x wrote: ↑
Mon Apr 09, 2018 2:43 pm
RevengeFNF wrote: ↑
Mon Apr 09, 2018 2:13 pm
Did you install VestaCP recently?
We are trying to know if their repo was exploited.
I don't think it was the repo - I had installations that were made 3 months ago and last updated in Jan 2018 suddenly get exploited around mid-day on Saturday 7th April.

This is almost definitely a vulnerability within the code; I would guess it allowed a malicious user to access the 'admin' account and execute, given the update 0.9.8-20 that was released:

Hardening password checks
Auth fix
It would be interesting to know what was fixed without having to go through the code for a comparison to 0.9.8-19.
That doesn't explain how people who did have port 8083 blocked were hacked, because it means there was no access to the Web UI.

pipoy
Posts: 112
Joined: Mon Sep 11, 2017 8:02 am

Os: CentOS 6x
Web: apache
Re: Got 10 VestaCP servers exploited

Post by pipoy » Mon Apr 09, 2018 2:58 pm

RevengeFNF wrote: ↑
Mon Apr 09, 2018 2:50 pm
n0x wrote: ↑
Mon Apr 09, 2018 2:43 pm
RevengeFNF wrote: ↑
Mon Apr 09, 2018 2:13 pm
Did you install VestaCP recently?
We are trying to know if their repo was exploited.
I don't think it was the repo - I had installations that were made 3 months ago and last updated in Jan 2018 suddenly get exploited around mid-day on Saturday 7th April.

This is almost definitely a vulnerability within the code; I would guess it allowed a malicious user to access the 'admin' account and execute, given the update 0.9.8-20 that was released:

Hardening password checks
Auth fix
It would be interesting to know what was fixed without having to go through the code for a comparison to 0.9.8-19.
That doesn't explain how people who did have port 8083 blocked were hacked, because it means there was no access to the Web UI.

True. I had a different port on one of my servers and still got hacked.

Dexter
Posts: 1
Joined: Mon Apr 09, 2018 2:43 pm

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by Dexter » Mon Apr 09, 2018 2:59 pm

I'm a web developer. I manage a number of Vesta installs for my clients; I offer hosting for each site I develop, and if they want their own VPS with a panel and don't want to pay for e.g. cPanel/Plesk, they get Vesta.

I manage about 20 Vesta-based VPSs on one of the dedicated servers I run client VPSs on; the dedi server has a /27 IP range. Over the months and years I've tweaked the Vesta installs with edits I do after installation.

One of the edits I've done is to get rid of the default-installed Roundcube and phpMyAdmin and move them to their own vhost under a normal user.

Out of the 20 Vesta installs, 12 got hacked; all had Roundcube pre-installed under /webmail. The 8 that did not get hacked had Roundcube running as a subdomain vhost of a normal user.

All run the Vesta panel on the stock port; the other difference is that the hacked ones had Roundcube pre-installed on /webmail.

Edit: I know the issue was found to be an issue with the login of the admin panel, but I think it's a multi-vector issue.
