Vesta Control Panel - Forum


Got 10 VestaCP servers exploited

General questions about VestaCP
Locked
549 posts
  • Page 47 of 55
yoko eagle
Posts: 33
Joined: Sat Jan 20, 2018 3:45 am

Os: Debian 8x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by yoko eagle » Wed Apr 11, 2018 8:17 am

Felix wrote: ↑
Wed Apr 11, 2018 7:40 am
imperio, skid and other VESTA Stuff,
Please consider offering an option for certificate-based access to VESTA Panel!

When enabled, only the persons with the correct certificate installed in their browsers can be presented with VESTA Panel at https://[FQDN]:8083

You can also add a custom additional security layer to the Vesta login using htaccess-like auth.
Create your password directory, similar to /home/admin/.htaccess/vesta/login
In the directory, create a password file

Code:

# -apr1 instead of -crypt: DES crypt only uses the first 8 characters of the password, and OpenSSL 3.x dropped the -crypt option
printf "USER:$(openssl passwd -apr1 PASSWORD)\n" >> .htpasswd
USER : your chosen username
PASSWORD : your chosen password

open /usr/local/vesta/nginx/conf/nginx.conf and locate this string

Code:

        location / {
            expires max;
            index   index.php;
        }
change it to

Code:

        location / {
            auth_basic "Restricted Login";
            auth_basic_user_file /home/admin/.htaccess/vesta/login/.htpasswd;
            expires max;
            index   index.php;
        }

        location ~ /\. { deny  all; }
Hope this can help.
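A password file like the one built in the post above can be checked for entries stored as DES crypt (the `-crypt` format) or in other weak schemes. This is an added example, not part of the post; the function names, the sample file and its placeholder hash values are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report the hash scheme of each entry
# in an htpasswd file and flag schemes that are weak for a panel login.

classify_hash() {   # $1 = hash field of one htpasswd line
    case "$1" in
        '$apr1$'*)  echo "apr1" ;;
        '{SHA}'*)   echo "sha1-unsalted" ;;
        '{PLAIN}'*) echo "plaintext" ;;
        *)
            # 13 characters from the crypt alphabet: traditional DES crypt,
            # the format `openssl passwd -crypt` produces
            if printf '%s' "$1" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                echo "des-crypt"
            else
                echo "other"
            fi ;;
    esac
}

audit_htpasswd() {  # $1 = htpasswd path; returns 1 if any entry is WEAK
    rc=0
    while IFS=: read -r user hash rest; do
        [ -n "$user" ] || continue
        scheme=$(classify_hash "$hash")
        case "$scheme" in
            des-crypt|sha1-unsalted|plaintext) verdict="WEAK"; rc=1 ;;
            apr1)                              verdict="ok" ;;
            *)                                 verdict="review" ;;
        esac
        printf '%s %s %s\n' "$user" "$scheme" "$verdict"
    done < "$1"
    return "$rc"
}

# Constructed sample file; the hash values are placeholders, not real hashes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
alice:ab1cD2eF3gH4i
bob:$apr1$Constrct$NotARealHashValue01234
carol:{SHA}Q29uc3RydWN0ZWRTYW1wbGU=
EOF

audit_htpasswd "$sample" || echo "weak entries found in $sample"
```

Entries reported as `review` use a scheme the script does not recognise and need a manual look.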

kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Got 10 VestaCP servers exploited

Post by kobo1d » Wed Apr 11, 2018 8:32 am

good morning.
are we getting somewhere with the poll?
i mean could you (vesta staff) retrieve some similarities or shrink the vector area?
i kinda want to move on with my life, but without assurance i can't leave my server out of view.

or is there a place where you guys are having "private" discussions?
i might be able to help you, as i dug much :)

vishne0
Posts: 5
Joined: Mon Apr 09, 2018 3:47 pm

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by vishne0 » Wed Apr 11, 2018 8:36 am

Hello All,
Watching the thread since Saturday and also had 1 server infected out of 15. After working hard since Sunday I am now ready to explain a few things to everyone here and share my experience, which might help people facing issues. Just for the people who are not technical enough and are running a server which is infected and need someone to help: please let me know and I will help. There will be no charges for fixing the server.

Every piece of software out there has some vulnerabilities, like Microsoft, Facebook, Cpanel, Plesk, all of them, so no need to blame vestacp.

I am now running a new server with the latest vestacp for the last 24 hours and no infection yet, nor any alarm for the same.
Here are the steps to make sure you are secure:
1) If the server is infected move to a new server, you just can't trust the old one.
2) Once the new server is installed and up and running, change the vestacp port to anything you want in the file /usr/local/vesta/nginx/conf/nginx.conf: search for 8083 and change it. Make sure you open the new port in your firewall.
3) Run SSH on a different port and if possible use keys. Disable root logins as well.
5) Download Linux Environment Security https://www.rfxn.com/projects/linux-env ... -security/ and run it
6) Download Linux malware detect http://www.rfxn.com/downloads/maldetect-current.tar.gz and once installed run maldet -a / and see the report; after that run it in monitor mode maldet --monitor / (make sure you make changes in /usr/local/maldet.conf and enter your email id to see the reports in your email)
7) This is the most important thing - Install config server firewall from https://configserver.com/cp/csf.html. This is the most important script for securing the server. On one of my servers csf was installed and it didn't get infected because csf marked it as a suspicious file and disabled all the binaries and sent an alert to me. Read the conf file carefully and enable the rules as needed, most importantly enable DIR watch and FILE watch. If you need help please do let me know, I will provide my csf conf file.
8) Block CN (China) in the firewall if you do not have customers from that country.
9) To track outgoing traffic install ntopng, the best traffic monitoring app.
Because of the above I didn't see any infection, however I am seeing lots of blocked IPs :)

Hope this will help you all !!
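Steps 2 and 3 of the list above can be verified against the configuration files themselves. This is an added example, not part of the post; it assumes the panel's nginx.conf carries the port in a `listen` directive, and the function names and sample files are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: check steps 2 and 3 against config files.

sshd_setting() {   # $1 = sshd_config, $2 = keyword (first occurrence wins in sshd)
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; found = 1; exit }
                   END { if (!found) print "unset" }' "$1"
}

panel_port() {     # $1 = panel nginx.conf; port of its first "listen" directive
    awk '$1 == "listen" { p = $2; sub(/;.*/, "", p); sub(/^.*:/, "", p); print p; exit }' "$1"
}

audit_hardening() {  # $1 = sshd_config, $2 = nginx.conf; returns 1 on any finding
    rc=0
    if [ "$(panel_port "$2")" = "8083" ]; then
        echo "panel: still listening on default port 8083"; rc=1
    fi
    case "$(sshd_setting "$1" Port)" in
        22|unset) echo "sshd: still on default port 22"; rc=1 ;;
    esac
    if [ "$(sshd_setting "$1" PermitRootLogin)" != "no" ]; then
        echo "sshd: root login not disabled"; rc=1
    fi
    if [ "$(sshd_setting "$1" PasswordAuthentication)" != "no" ]; then
        echo "sshd: password logins allowed, keys not enforced"; rc=1
    fi
    return "$rc"
}

# Constructed sample configs so the example runs offline.
demo=$(mktemp -d)
printf 'Port 22\n#PermitRootLogin no\nPermitRootLogin yes\n' > "$demo/sshd_before"
printf 'Port 2202\nPermitRootLogin no\nPasswordAuthentication no\n' > "$demo/sshd_after"
printf 'server {\n    listen 8083;\n}\n' > "$demo/nginx_before"
printf 'server {\n    listen 18083;\n}\n' > "$demo/nginx_after"

audit_hardening "$demo/sshd_before" "$demo/nginx_before" || echo "=> findings above"
audit_hardening "$demo/sshd_after" "$demo/nginx_after" && echo "=> steps 2 and 3 applied"
```

On a real server the two arguments would be /etc/ssh/sshd_config and /usr/local/vesta/nginx/conf/nginx.conf.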

kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Got 10 VestaCP servers exploited

Post by kobo1d » Wed Apr 11, 2018 8:38 am

vishne0 wrote: ↑
Wed Apr 11, 2018 8:36 am
5) Download Linux Environment Security https://www.rfxn.com/projects/linux-env ... -security/ and run it
6) Download Linux malware detect http://www.rfxn.com/downloads/maldetect-current.tar.gz and once installed run maldet -a / and see the report after that run it in monitor mode maldet --monitor / (make sure you make changes in /usr/local/maldet.conf and enter your email id to see the reports in your email)
your links are alarming my antivirus! mainly the link at point 6.
Last edited by kobo1d on Wed Apr 11, 2018 8:46 am, edited 1 time in total.

vishne0
Posts: 5
Joined: Mon Apr 09, 2018 3:47 pm

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by vishne0 » Wed Apr 11, 2018 8:40 am

Well, seems like you got a nasty antivirus; these tools are the most secure and trusted ones. Which one are you using?

kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Got 10 VestaCP servers exploited

Post by kobo1d » Wed Apr 11, 2018 8:45 am

vishne0 wrote: ↑
Wed Apr 11, 2018 8:40 am
Well, seems like you got a nasty antivirus; these tools are the most secure and trusted ones. Which one are you using?

Code:

*
* AVG Real-time Shield Scan Report
* This file is generated automatically
*
* Started on: Saturday, April 7, 2018 8:50:11 AM
*

11.04.2018 10:37:25	https://www.rfxn.com/downloads/maldetect-current.tar.gz|>https:\\www.rfxn.com\downloads\maldetect-current.tar|>maldetect-1.6.2\files\sigs\rfxn.yara [L] PHP:Agent-BS [Trj] (0)

vishne0
Posts: 5
Joined: Mon Apr 09, 2018 3:47 pm

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by vishne0 » Wed Apr 11, 2018 8:52 am

Ah, it's checking the .sig files and marking them as malware. These tools are safe to use.. rest is on you..

dsystem
Posts: 55
Joined: Sun Nov 30, 2014 12:27 am

Os: CentOS 6x
Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited

Post by dsystem » Wed Apr 11, 2018 1:06 pm

vishne0 wrote: ↑
Wed Apr 11, 2018 8:36 am
7) This is the most important thing - Install config server firewall from https://configserver.com/cp/csf.html. This is the most important script for securing the server. On one of my servers csf was installed and it didn't get infected because csf marked it as a suspicious file and disabled all the binaries and sent an alert to me. Read the conf file carefully and enable the rules as needed, most importantly enable DIR watch and FILE watch. If you need help please do let me know, I will provide my csf conf file.
Thank you for the tips. I also like CSF and I believe I have not had problems with this security flaw, because I have CSF installed on my servers.

Can you give more details on how to activate these features you mentioned?

lukapaunovic
Posts: 73
Joined: Sun Dec 03, 2017 6:30 pm

Re: Got 10 VestaCP servers exploited

Post by lukapaunovic » Wed Apr 11, 2018 1:23 pm

I think we need mod_security on VestaCP Nginx
that way we could have prevented this.
100%

whitewind2
Posts: 3
Joined: Wed Apr 11, 2018 1:44 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by whitewind2 » Wed Apr 11, 2018 1:47 pm

I reinstalled on Sunday. New OS Installed Patch.
Was Hacked last night.
Going to rebuild server again, is there anything you need before I delete it?
Is it not fixed or did I miss something?