Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 2:29 pm
by crackerizer
@StudioMaX, could you delete the quote?
I have rebooted my VPS to rescue mode for inspection.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 2:30 pm
by ivcha92
lukapaunovic wrote:
Sun Apr 08, 2018 2:13 pm
@dpeca brother found out this

https://github.com/serghey-rodin/vesta/ ... ex.php#L71

Unescaped
I don't think the issue is there, since it cannot be executed if the session is not validated. I am more concerned with the password field escaping, since it will be executed on each login attempt, so there is no need to have a valid password or hash to execute it.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 2:31 pm
by imperio
I think we found a vulnerability. Fix will be today.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 2:36 pm
by ivcha92
imperio wrote:
Sun Apr 08, 2018 2:31 pm
I think we found a vulnerability. Fix will be today.
Can we get more info, a hint as to what module the issue is related to? Can we be sure that it is absolutely not related to RoundCube, since I have servers on VestaCP which are still operational? The Vesta service is of course disabled.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 2:38 pm
by crackerizer
I'm glad to hear. Can't wait to see the commit.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 2:39 pm
by jodumont
Just to remove some water on the fire:
this same hack happened to me almost a year ago
on a server where I use ISPConfig.

With a terabyte connection, the ISP (exoscale) charged me $2000 for almost 48h of DDoS;
they never showed me the log ;)

So, all that to say, it's not specific to VestaCP.

If I may make a recommendation: I personally block port 8083 and only use VestaCP via an SSH redirection,
something like

ssh user@server -L8083:localhost:8083

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 2:43 pm
by ivcha92
jodumont wrote:
Sun Apr 08, 2018 2:39 pm
Just to remove some water on the fire:
this same hack happened to me almost a year ago
on a server where I use ISPConfig.

With a terabyte connection, the ISP (exoscale) charged me $2000 for almost 48h of DDoS;
they never showed me the log ;)

So, all that to say, it's not specific to VestaCP.

If I may make a recommendation: I personally block port 8083 and only use VestaCP via an SSH redirection,
something like

ssh user@server -L8083:localhost:8083
It may also be a good idea to set up a VPN and allow Vesta connections only via the VPN.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 2:59 pm
by Prime
I think the main issue here is the fact that the API runs as root... that is a major security hole alone.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 3:02 pm
by vesta92
I'm not a server expert, but my two customers' VPSes running VestaCP are down.
Please help me, anyone; I need help badly.

Re: Got 10 VestaCP servers exploited

Posted: Sun Apr 08, 2018 3:02 pm
by jodumont
ivcha92 wrote:
Sun Apr 08, 2018 2:43 pm

It may also be a good idea to set up a VPN and allow Vesta connections only via the VPN.
This is true,
but you could also make a bastion and only authorize it,
use TINC, or only authorize port 8083 through Tor,
authorise only your VPN provider, or pay for a static IP at home and authorise only this one,
and so on ...

I was mentioning the SSH solution because it takes 2 sec to put in place and doesn't add any charge/service/process on the server.
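As an added example (not code from the thread, from VestaCP or from any poster), a POSIX shell script that ties together the two mitigations discussed by jodumont and ivcha92 above: it reads `ss -ltn` style output and reports whether the panel port 8083 is listening on a non-loopback address, then prints iptables rules that keep 8083 reachable only from loopback plus an allow-list (bastion, VPN endpoint or static IP) and the matching `ssh -L` tunnel command. The `ss` output, the bastion address 203.0.113.10 and `user@server` are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): audit exposure of the VestaCP panel port,
# then emit loopback-only firewall rules with an allow-list and the ssh tunnel.
PANEL_PORT=8083

# Read `ss -ltn` style output on stdin; print every listener on PANEL_PORT that
# is not bound to loopback. Exit 0 if the panel is exposed, 1 if it is not.
panel_exposed() {
    awk -v port="$PANEL_PORT" '
        NR > 1 {
            la = $4; p = la; sub(/.*:/, "", p)          # port after the last colon
            addr = la; sub(/:[0-9]+$/, "", addr)        # address before it
            if (p == port && addr != "127.0.0.1" && addr != "[::1]") {
                print la; found = 1
            }
        }
        END { exit (found ? 0 : 1) }'
}
# Print iptables rules: accept PANEL_PORT from loopback and from each source
# given as an argument (bastion, VPN endpoint, static home IP), drop the rest.
panel_rules() {
    echo "iptables -A INPUT -p tcp --dport $PANEL_PORT -i lo -j ACCEPT"
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $PANEL_PORT -s $src -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $PANEL_PORT -j DROP"
}
# The local port forward an admin then uses instead of opening 8083 publicly.
tunnel_cmd() {
    echo "ssh $1 -L $PANEL_PORT:localhost:$PANEL_PORT"
}
# Constructed sample `ss -ltn` output: panel bound on all interfaces (exposed)...
EXPOSED_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    0.0.0.0:8083      0.0.0.0:*
LISTEN 0      128    [::]:8083         [::]:*'
# ...and the same host after binding the panel to loopback only (not exposed).
SAFE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    127.0.0.1:8083    0.0.0.0:*'
# Demo: `sh panel_check.sh --demo` audits the exposed sample and prints the fix.
if [ "${1:-}" = "--demo" ]; then
    if printf '%s\n' "$EXPOSED_SS" | panel_exposed; then
        echo "panel exposed on a public address; suggested rules:"
        panel_rules 203.0.113.10
        tunnel_cmd user@server
    fi
fi
```

On a live host, pipe the real `ss -ltn` output into `panel_exposed` instead of the constructed sample; the rules are printed, not applied, so they can be reviewed before use.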