Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
Thanks @wildwolf
How do I chmod /var/log/httpd?
drwx------ 2
Best Regards
Re: Got 10 VestaCP servers exploited
And what are the attributes for /var/log/httpd/domains/?
Best Regards
Re: Got 10 VestaCP servers exploited
MiguelVESTACP wrote (Tue Apr 10, 2018 7:52 am):
> Thanks @wildwolf
> How do I chmod /var/log/httpd?
> drwx------ 2
> Best Regards

chmod 0700 /var/log/httpd
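The reply above gives the target mode for one directory. The script below is an added example (not code from this thread or from the VestaCP project) that turns that single command into a repeatable check: it reports whether each named directory carries exactly the expected permission bits, so a drift back to a world-readable log directory shows up in a cron run or a config-management report instead of going unnoticed. It assumes GNU coreutils `stat -c` (a BSD `stat -f` fallback is included); the 0700 for /var/log/httpd comes from the reply, while the expected mode of /var/log/httpd/domains/ is not given in the thread, so any further `path:mode` pairs are the operator's own policy.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the permission bits of
# web-server log directories so that other local users cannot read them.
# Assumes GNU coreutils `stat -c`; a BSD `stat -f` fallback is included.

# Print the octal permission bits of a path (e.g. 700 or 755).
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the directory has exactly the expected mode, 1 otherwise.
# Leading zeros are ignored so that "0700" and "700" compare equal.
check_dir_mode() {
    dir=$1
    expected=$(printf '%s' "$2" | sed 's/^0*//')
    if [ ! -d "$dir" ]; then
        echo "MISSING  $dir"
        return 1
    fi
    actual=$(dir_mode "$dir" | sed 's/^0*//')
    if [ "$actual" = "$expected" ]; then
        echo "OK       $dir (mode $actual)"
        return 0
    fi
    echo "MISMATCH $dir (have $actual, want $expected)"
    return 1
}

# Check every "path:mode" argument and return the number of mismatches, so a
# cron job or a configuration-management run can act on a non-zero status.
audit_dirs() {
    failures=0
    for entry in "$@"; do
        path=${entry%:*}
        mode=${entry##*:}
        check_dir_mode "$path" "$mode" || failures=$((failures + 1))
    done
    return "$failures"
}

# Usage: sh audit_log_dirs.sh /var/log/httpd:0700
# The 0700 for /var/log/httpd is the mode given in the thread; any further
# path:mode pairs you pass are your own policy (the thread does not state
# the expected mode for /var/log/httpd/domains/).
if [ "$#" -gt 0 ]; then
    audit_dirs "$@"
fi
```

Run it as root after applying the `chmod`, and again from cron; a non-zero exit status means at least one directory is missing or has drifted from the mode you expect.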
Re: Got 10 VestaCP servers exploited
It was many little files with strange content, inside folders starting with "systemd", but it was not coming from the virus.
I checked and double-checked that it has nothing to do with it.
I had the idea because the virus started spreading via systemd first.
But systemd is clean now.
And I just filled out the poll. The only similar thing I could figure from it is that I had Roundcube on the default /webmail path.
Please don't tell me it's coming from there... I was so close to disabling this crap, but my clients forced me to have their webmail...
Re: Got 10 VestaCP servers exploited
Any chance of a proper statement being released on how this patch fixes the vulnerability? Were any specific (confirmed) details collected on the attack vector?
All I really saw was a lot of speculation on what the problem COULD be, and a security patch released for those concerns, but I never saw any solid evidence on exactly how the hacks were performed and how the security release remedies that.
Re: Got 10 VestaCP servers exploited
Harambe wrote (Tue Apr 10, 2018 10:10 am):
> Any chance of a proper statement being released on how this patch fixes the vulnerability? Were any specific (confirmed) details collected on the attack vector?
> All I really saw was a lot of speculation on what the problem COULD be, and a security patch released for those concerns, but I never saw any solid evidence on exactly how the hacks were performed and how the security release remedies that.

+1. The complete way the exploit happened should be made public, so that there is a chance to verify that the actions taken are sufficient, and also to enable more auditing to see if there are similar things which could become a problem in the future.
Re: Got 10 VestaCP servers exploited
kobo1d wrote (Mon Apr 09, 2018 3:55 pm):
> vishne0 wrote (Mon Apr 09, 2018 3:51 pm):
> > There are a few things I want to know, if someone can please reply:
> > 1) Were the hacked servers running SSH on port 22?
> > 2) Was root login allowed?
> > The above two questions will sort out a few things. I will post my report once I have answers. Also, if anyone needs any help to clean the server or migrate, ping me. Cleaning will be free :)
> > Regards
> 1) yes
> 2) no - no password login and no root user - no pam
> I am using pubkeys

My servers weren't affected. But my answers are:
1) No
2) Yes
I used a different SSH port (not the default 22). But the Vesta webGUI was on the default port 8083.
Re: Got 10 VestaCP servers exploited
Harambe wrote (Tue Apr 10, 2018 10:10 am):
> Any chance of a proper statement being released on how this patch fixes the vulnerability? Were any specific (confirmed) details collected on the attack vector?
> All I really saw was a lot of speculation on what the problem COULD be, and a security patch released for those concerns, but I never saw any solid evidence on exactly how the hacks were performed and how the security release remedies that.

I'd like to see a proper statement too. What was the outcome of the investigation by the admin, @skurudo? This doesn't tell me much: on the one hand it says there wasn't a problem, but we know there is/was a problem. What was the problem, and is the installation script 100% secure now?
Re: Got 10 VestaCP servers exploited
+1, I would love to have a full and clear overview of what happened.
I want to understand and learn from it. Everybody can fail sometimes; it doesn't matter whose fault it was.
But please give us more info!
Also, when I updated my Debian 9 yesterday while you fixed the deb rep: is there any difference to how it looks today?
I mean, if the update succeeded yesterday, do I have all recent files now? Or are there again changes in the deb rep from yesterday to today?
And is Vesta now 100% secure, or should we better leave webmail disabled for now (since you asked about it in the poll)?
And is it better to leave the Vesta service stopped for now?