All VestaCP installations being attacked Topic is solved

[digitalocean-jd]

I'm having a lot of SSH penetration attempts since this morning, coming from everywhere.

Frankly it would surprising if you didn't before. Most of us get thousands+ per day on every computer connected to the internet.

[dpeca]

Yes, login attempts are something that is happening nonstop...

[realjumy]

I just published some random attempts. But I never had this many coming from the EU...

[albertus]

Hello,

Everyone running SSH on port 22? Did anyone here get hacked while having SSH firewalled by IP or running on a non-standard port?

Thank you

[dpeca]

He obviously entered via SSH because he deleted /var/log/secure and auth.log .
But mistery is HOW he got SSH.

[albertus]

He obviously entered via SSH because he deleted /var/log/secure and auth.log .
But mistery is HOW he got SSH.

No, not that obvious to me, dpeca. There are things called "callback" that connect from the inside to the outside giving a shell. So, if people having SSH off got hacked I would look for something like that.

[mericson]

Hi, 21 servers hacked , all hosted by OVH. All of them with random ports.
We really need to have feedback about what was the issue and how it worked, until then , our servers are going back to plesk :(

Was there any evidence of port scanning prior to the attack targeting the VestaCP port? There must have been port scanning if the ports were truly random (each server with a different random port).

[lexusextreme]

My Vestacp (installed from 12/9/2018, Ubuntu 18.04) also was hacked.
I got an email from VPS provider they said my server was used for DDOS attack and Vesta CP was the cause of the issue.

[realjumy]

Hi, 21 servers hacked , all hosted by OVH. All of them with random ports.
We really need to have feedback about what was the issue and how it worked, until then , our servers are going back to plesk :(

Was there any evidence of port scanning prior to the attack targeting the VestaCP port? There must have been port scanning if the ports were truly random (each server with a different random port).

All my servers were objective of port scanning since always. The matter is if they managed to enter that way.

Can anyone confirm that fail2ban works properly?

[slaapkopamy]

Hi, 21 servers hacked , all hosted by OVH. All of them with random ports.
We really need to have feedback about what was the issue and how it worked, until then , our servers are going back to plesk :(

Was there any evidence of port scanning prior to the attack targeting the VestaCP port? There must have been port scanning if the ports were truly random (each server with a different random port).

All my servers were objective of port scanning since always. The matter is if they managed to enter that way.

Can anyone confirm that fail2ban works properly?

to bad for me.. I turned fail2ban off weeks ago because of the much ram usage... I added a second ip address and now running via a extra firewall for filtering my network traffic, its now little bit safer to use i hope