All VestaCP installations being attacked Topic is solved

[luizjr]

The same arguments are still here - why EU datracenters is untouched then....

If this is true as 10 of my servants left, being that they are in Montreal in Canada

[dpeca]

I didn't think of OVH datacenters in EU, because it looks like attacker scans all OVH datacenters, including EU datacenters.

I rather thought of EU companies that has EU datacenters... OVH competitors...

Because he obviously knows only OVH IP rangs...
Maybe IP rangs of Digitalocean and AWS too...

[luizjr]

I didn't think of OVH datacenters in EU, because it looks like attacker scans all OVH datacenters, including EU datacenters.

I rather thought of EU companies that has EU datacenters... OVH competitors...

Because he obviously knows only OVH IP rangs...
Maybe IP rangs of Digitalocean and AWS too...

Based on all the information, do you have any idea how to solve it?
I have 2 servers that have been locked back in the air for investigation.

I can share one with you via private message.

[dpeca]

Based on all the information, do you have any idea how to solve it?
I have 2 servers that have been locked back in the air for investigation.

I can share one with you via private message.

Generally, Serghey and Anton do investigations, you can send SSH logins to [email protected]
My rang is 'Collaborator', I'm personally not sure if it means that I'm core developer, even I have permission to push commits directly to official github.
Serghey and Anton probably reviewed a lot machines in last few days, maybe they are busy with doing it.
Let it be your decision if you want to send me login for investigation.
You can send it to [email protected], they will forward it to me if they are busy with other investigations.
Or you can send it to me anyway, I will share with them if they want to investigate too.
You decide, since I'm only 'Collaborator', and since you will share probably sensitive data from server in that case.

Keep in mind that I can do that for 9 hours until now.
(it's 3:48 AM night at my country, it's really late... i must sleep :)

[compiz]

May I add that also my vestacp is being attacked for a few days now, i don't have user pwd for room, just ssh and it seems it is working well for protection but i see all the time exim4 is down and I can't access e-mails nor a few domains, latest one is, I made a nextcloud site and I can't access it at all from nextcloud clients but only from web interface

[bountysite]

hello,

Has anyone been able to detect the vulnerability?
From the updates, it seems like an exploit without login.

[lukapaunovic]

We are at DEFCON 1

[pqpk2009]

I have more than 100 servers that are attacked by VESTA, which is a large number of SSHD attacks.

The server without VESTA is not attacked.

[pqpk2009]

I have more than 100 servers that are attacked by VESTA, which is a large number of SSHD attacks.

The server without VESTA is not attacked.

[maman]

I have 5 servers with OVH in multiple locations. none of them affected.

What i do is I use my own VestaCP Improved installer (CentOS only)

For those of you with other OS you can read what steps I do to hardening VestaCP here:
=> https://github.com/erikdemarco/VestaCP-Improved

Lastly I never never never ever use vestacp default installation without any additional hardening steps.