Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
doesn't matter. do a
    service vesta stop
until the update of vestacp is working again.
blocking the port won't help you, i got hacked with closed port.
- Posts: 92
- Joined: Sat Aug 02, 2014 6:50 pm
- Os: CentOS 6x
- Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited
kobo1d wrote: ↑Mon Apr 09, 2018 12:22 pm
> doesn't matter. do a
>     service vesta stop
> until the update of vestacp is working again.
> blocking the port won't help you, i got hacked with closed port.
How did you get hacked if the port was closed? With the port closed, there is no access to the Web UI.
If that is true, the only way I am seeing it, is that Vesta repositories were hacked and people installed an exploited version of Vesta.
When did you install your VestaCP?
Re: Got 10 VestaCP servers exploited
wrote:
> How did you get hacked if the port was closed? With the port closed, there is no access to the Web UI.
> If that is true, the only way I am seeing it, is that Vesta repositories were hacked and people installed an exploited version of Vesta.
> When did you install your VestaCP?
yes that's how the hack is working. it is installed hidden and leaves no logs on the server. (via rep)
i have rkhunter, chkrootkit, clamav, iptables, fail2ban and aide.
none of them reacted, so it was installed internally and got by every one of the security mechanisms.
i installed vesta about 10 days ago on this brand new fresh server.
its ssh is secured by pubkey, no root login allowed
vesta webui forced to listen to my ip only (tested and working)
parent id of virus was 1 (systemd)
ALSO i get email on ssh logins. no mails were sent during this time.
and i guess that's why their rep is down now and you can't update currently
Last edited by kobo1d on Mon Apr 09, 2018 12:37 pm, edited 5 times in total.
Re: Got 10 VestaCP servers exploited
I have a different port. Was hacked
- Posts: 12
- Joined: Mon May 19, 2014 6:11 am
- Os: CentOS 6x
- Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited
fedekrum wrote: ↑Mon Apr 09, 2018 10:14 am
> I have just tried to make a new vesta server on Digital Ocean, Ubuntu 16 and got these errors during install.
> Hit:1 http://apt.vestacp.com/xenial xenial InRelease
> Hit:2 http://security.ubuntu.com/ubuntu xenial-security InRelease
> Hit:3 https://repos.sonar.digitalocean.com/apt main InRelease
> Hit:4 http://nginx.org/packages/mainline/ubuntu xenial InRelease
> Hit:5 http://nyc2.mirrors.digitalocean.com/ubuntu xenial InRelease
> Hit:6 http://nyc2.mirrors.digitalocean.com/ubuntu xenial-updates InRelease
> Hit:7 http://nyc2.mirrors.digitalocean.com/ubuntu xenial-backports InRelease
> Reading package lists... Done
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> E: Unable to locate package vesta-php
> E: Unable to locate package vesta-ioncube
> E: Unable to locate package vesta-softaculous
> Error: apt-get install failed
> Do you think it has to do with this hack or the patch released?
> Does anybody know some workaround for this?
Have the same problem on DigitalOcean, Ubuntu.
Re: Got 10 VestaCP servers exploited
blackyangell wrote: ↑Mon Apr 09, 2018 12:37 pm
> fedekrum wrote: ↑Mon Apr 09, 2018 10:14 am
> > I have just tried to make a new vesta server on Digital Ocean, Ubuntu 16 and got these errors during install.
> > Hit:1 http://apt.vestacp.com/xenial xenial InRelease
> > Hit:2 http://security.ubuntu.com/ubuntu xenial-security InRelease
> > Hit:3 https://repos.sonar.digitalocean.com/apt main InRelease
> > Hit:4 http://nginx.org/packages/mainline/ubuntu xenial InRelease
> > Hit:5 http://nyc2.mirrors.digitalocean.com/ubuntu xenial InRelease
> > Hit:6 http://nyc2.mirrors.digitalocean.com/ubuntu xenial-updates InRelease
> > Hit:7 http://nyc2.mirrors.digitalocean.com/ubuntu xenial-backports InRelease
> > Reading package lists... Done
> > Reading package lists... Done
> > Building dependency tree
> > Reading state information... Done
> > E: Unable to locate package vesta-php
> > E: Unable to locate package vesta-ioncube
> > E: Unable to locate package vesta-softaculous
> > Error: apt-get install failed
> > Do you think it has to do with this hack or the patch released?
> > Does anybody know some workaround for this?
> Have the same problem on DigitalOcean, Ubuntu.
wait until they have fixed their rep. it's down because the virus was spread from over there
Re: Got 10 VestaCP servers exploited
how certain of that are you? while it's true that the default policy is DROP, did you actually CHECK if the change to that rule got reflected by iptables and really blocked access from foreign IPs?
so far you are the only one to be hacked while claiming to have had that port closed/whitelisted. no offense meant, but a single occurrence could also point to a flaw in your setup/firewall ;-)
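One way to do the check Falzo is asking for, added here as an example and not part of the thread: a POSIX shell function that reads `iptables -S` output and flags every ACCEPT rule for the Vesta UI port (8083) that is either unrestricted or allows a source other than the one admin address. The allowed address 203.0.113.10/32 and the two sample rule sets are constructed for the example; on a real host you would pipe the live `iptables -S` into it as root.

```shell
#!/bin/sh
# Added example, not from the forum thread: audit the firewall for the
# Vesta web UI port. Pipe `iptables -S` output into audit_rules and it
# flags every ACCEPT rule for tcp/<port> that has no source restriction,
# a negated source, or a source other than ALLOWED_SRC.
# Exit status 0 = only the whitelisted source is accepted, 1 otherwise.

# Placeholder admin address (TEST-NET-3); override with ALLOWED_SRC=a.b.c.d/32
ALLOWED_SRC="${ALLOWED_SRC:-203.0.113.10/32}"

# audit_rules <port>   (rules in `iptables -S` format on stdin)
audit_rules() {
    port="$1"
    bad=0
    while IFS= read -r rule; do
        # Only ACCEPT rules for this destination port matter; the chain
        # policy, DROP/REJECT rules and other ports are skipped.
        case "$rule" in
            *"--dport $port "*"-j ACCEPT"*) ;;
            *) continue ;;
        esac
        src=""
        case "$rule" in
            *" ! -s "*) echo "NEGATED SOURCE (accepts everyone else): $rule"; bad=1; continue ;;
            *" -s "*)   src="${rule#* -s }"; src="${src%% *}" ;;
        esac
        if [ -z "$src" ]; then
            echo "OPEN TO ALL: $rule"; bad=1
        elif [ "$src" != "$ALLOWED_SRC" ]; then
            echo "UNEXPECTED SOURCE $src: $rule"; bad=1
        fi
    done
    [ "$bad" -eq 0 ] && echo "tcp/$port: only $ALLOWED_SRC is accepted"
    return "$bad"
}

# Constructed sample rule sets (not taken from any real server).
SAMPLE_GOOD='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Looks whitelisted at a glance, but an earlier generic rule still
# accepts the port from anywhere, so the whitelist never takes effect.
SAMPLE_BAD='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 8083 -j ACCEPT'

if [ "${1:-}" = "--live" ]; then
    iptables -S | audit_rules 8083          # real check, needs root
else
    echo "# constructed good rule set:"
    printf '%s\n' "$SAMPLE_GOOD" | audit_rules 8083 || true
    echo "# constructed bad rule set:"
    printf '%s\n' "$SAMPLE_BAD" | audit_rules 8083 || true
fi
```

The bad sample is the case Falzo describes: the DROP policy and the whitelist rule are both present, yet the earlier port-wide ACCEPT wins because iptables evaluates rules in order. Reading `iptables -S` (rather than trusting the panel's firewall page) is what settles whether the restriction is really in effect.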
Re: Got 10 VestaCP servers exploited
Falzo wrote: ↑Mon Apr 09, 2018 12:37 pm
> how certain of that are you? while it's true that the default policy is DROP, did you actually CHECK if the change to that rule got reflected by iptables and really blocked access from foreign IPs?
> so far you are the only one to be hacked while claiming to have had that port closed/whitelisted. no offense meant, but a single occurrence could also point to a flaw in your setup/firewall ;-)
you don't need to believe me. read my previous post: viewtopic.php?f=10&t=16556&start=320#p69046
you will see that i am right when vestacp posts public news about what was happening with their rep.
Re: Got 10 VestaCP servers exploited
DigitalOcean published an advisory and blocked the default port
https://www.digitalocean.com/community/ ... l-8th-2018
Re: Got 10 VestaCP servers exploited
kobo1d wrote: ↑Mon Apr 09, 2018 12:39 pm
> Falzo wrote: ↑Mon Apr 09, 2018 12:37 pm
> > how certain of that are you? while it's true that the default policy is DROP, did you actually CHECK if the change to that rule got reflected by iptables and really blocked access from foreign IPs?
> > so far you are the only one to be hacked while claiming to have had that port closed/whitelisted. no offense meant, but a single occurrence could also point to a flaw in your setup/firewall ;-)
> you don't need to believe me. read my previous post: viewtopic.php?f=10&t=16556&start=320#p69046
> you will see that i am right when vestacp posts public news about what was happening with their rep.
will see about that. I have a server (debian 9) freshly installed with vesta on april 2nd, port 8083 opened, which wasn't hit nor affected at all. I haven't updated yet, feel free to give pointers for what i should look at and what you think the attack vector would be.
if there is something inside the sources which got spread through the repo it still would need to be activated somehow... may it be by a timer or external call.
with the port blocked/whitelisted an external one is unlikely, so you'd bet on internal crons being manipulated or something like that?
as said I am willing to dig deeper, as I have quite some installations of vesta, only two were affected, just give some more input on what you think would be worth looking out for.
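Falzo asks what is worth looking at, and the one concrete indicator kobo1d gives is that the malicious process had parent PID 1. Added here as an example, not from the thread or from the Vesta project: a POSIX shell triage that reads `ps -eo pid,ppid,user,comm` output and prints every process re-parented to PID 1 whose name is not in an expected-daemon baseline. The baseline list and the sample `ps` output (including the process name unknown-daemon) are constructed for the example; on a real host, take the baseline from a known-good installation of the same version.

```shell
#!/bin/sh
# Added example, not from the forum thread: list children of PID 1 that
# are not in the expected-daemon baseline. Feed `ps -eo pid,ppid,user,comm`
# output on stdin; exit status 1 when something unexpected is found.

# Constructed baseline of daemons a Vesta host normally runs under PID 1.
# Replace with the list taken from a known-good host of the same version.
EXPECTED="systemd-journal systemd-logind systemd-udevd dbus-daemon rsyslogd \
sshd nginx php-fpm mysqld exim4 dovecot vsftpd named cron fail2ban-server \
vesta-nginx vesta-php"

# is_expected <comm>  -> 0 if the name is in the baseline
is_expected() {
    for name in $EXPECTED; do
        [ "$1" = "$name" ] && return 0
    done
    return 1
}

# orphans  (ps output on stdin)
orphans() {
    found=0
    read -r _header                     # skip the PID PPID USER COMMAND line
    while read -r pid ppid user comm; do
        [ "$ppid" = "1" ] || continue   # only direct children of PID 1
        if ! is_expected "$comm"; then
            echo "unexpected child of PID 1: pid=$pid user=$user comm=$comm"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample of `ps -eo pid,ppid,user,comm` output.
SAMPLE_PS='  PID  PPID USER     COMMAND
    1     0 root     systemd
  812     1 root     sshd
  900     1 root     nginx
  933     1 www-data php-fpm
 4517     1 root     unknown-daemon
 4520  4517 root     sh'

if [ "${1:-}" = "--live" ]; then
    ps -eo pid,ppid,user,comm | orphans        # real check
else
    printf '%s\n' "$SAMPLE_PS" | orphans || echo "review the processes above"
fi
```

A process that shows up here because it was started by cron, a systemd timer or a package hook will have been re-parented to PID 1 by the time you look, which is exactly why the parent id alone tells you little about how it was launched. To cover the activation paths Falzo raises, diff /etc/cron*, /var/spool/cron and the output of `systemctl list-timers --all` against the same known-good host, and note that a process name is easy to forge, so an empty report is not a clean bill of health.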