Got 10 VestaCP servers exploited

[deanhills]

I'd like to thank the Admin for their hard work. Couldn't have been easy the last three days. I've every confidence they'll sort this out as most of the Admin have been around for many years and care about their script.

I've seen lots of discussion about the possibility of the script having been infected - is there proof that it has been infected and has this now been sorted out? Also are the Admin completely confident that the updated installation script is clean and we can use it for new servers? In your opinion what part of the installation script would be the focus of hackers? For example, I don't use the e-mail and FTP systems of VestaCP as I find that e-mails in particular are targeted by hackers. I wonder whether that could be the reason my VPSs have not been hacked?

Secondly, someone suggested that the hackers targeted IP ranges. Were those specific location ranges and what were those locations?

Finally I'm a bit puzzled about the updates. I thought that we're all on automatic updates by default? All of my VestaCP Panels have always been on automatic updates. I'm just asking as I see plenty of posts about getting patches and updates, and as far as I could see from my VestaCP Panels they were all automatically updated on 8th of April. If they have been automatically updated is there still a need for a patch?

[fxtoofaan]

After update to 0.9.8-20 now I am not able to login to my vestacp admin page. My websites seem to be still online. Did the update change the management port or something? not sure why I cannot login now. Any help ?

[huloza]

After update to 0.9.8-20 now I am not able to login to my vestacp admin page. My websites seem to be still online. Did the update change the management port or something? not sure why I cannot login now. Any help ?

Restart vesta from cli
service vesta restart

[fxtoofaan]

[/quote]
Restart vesta from cli
service vesta restart
[/quote]

that worked, thank you.

[nextgi]

Hi Everyone,

We have put together a survey to help us better understand the general configuration in relation to some of the working theories. If you have suggestions to broaden the survey, please let us know.

https://goo.gl/forms/qXtzd6nZFrKNw7DN2

We greatly appreciate any input.

[pipoy]

Hi Everyone,

We have put together a survey to help us better understand the general configuration in relation to some of the working theories. If you have suggestions to broaden the survey, please let us know.

https://goo.gl/forms/qXtzd6nZFrKNw7DN2

We greatly appreciate any input.

It's private

[nextgi]

Hi Everyone,

We have put together a survey to help us better understand the general configuration in relation to some of the working theories. If you have suggestions to broaden the survey, please let us know.

https://goo.gl/forms/qXtzd6nZFrKNw7DN2

We greatly appreciate any input.

It's private

Haha, thanks. It should be open now.

[mehargags]

even after you clean the trojan, your system is still infected from what i see.
systemd (process 1) still creates supicious files under /tmp while all other directories are still clean.
but this is speculating now

Can you name the files/dir that you see as suspicious in your /tmp ?

[MiguelVESTACP]

I dont know if my server is hacked but now i have this problem at least 3 days

Failed to create subdirectories: /var/log/httpd/20180410/20180410-0243

Can someone tell me what is attributes for the folders in centos ?
"var/log/httpd"
"var/log"

[wildwolf]

I dont know if my server is hacked but now i have this problem at least 3 days

Failed to create subdirectories: /var/log/httpd/20180410/20180410-0243

Can someone tell me what is attributes for the folders in centos ?
"var/log/httpd"
"var/log"

Code: Select all

# ls -lhad /var/log
drwxr-xr-x. 18 root root 4.0K кві  9 03:20 /var/log
# ls -lhad /var/log/httpd
drwx------ 2 root root 4.0K гру 15  2014 /var/log/httpd