Community Forum
https://forum.vestacp.com/
Hi Guys, i can confirm that this NOT started on April 4, i own 5 servers running vesta: 4 in production and 1 for testing.skid wrote: ↑Sun Apr 08, 2018 7:05 amHere is what we know so far:
1. The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh
2. It was an automated hack
3. CentOS, Debian, Ubuntu all distros are affected it's platform independent
4. We didn't find any traces in vesta and system logs yet
5. On April 7 infected servers started to DDoS remote hosts using /usr/lib/libudev.so.
What you can do:
The best way to stay safe is to temporary disable vesta web serviceCode: Select all
service vesta stopor limit access to port 8083 using firewallCode: Select all
systemctl disable vesta
What we are doing:
Few users provided us with root access to their servers. We are investigating what happened. We also launched a couple honeypots in order to get full picture of the hack.
I've meant running your own VPN server on the same server where VestaCP is installed. I've already set it up on one server using this script https://github.com/hwdsl2/setup-ipsec-vpnjodumont wrote: ↑Sun Apr 08, 2018 3:02 pmthis is true
but you could also make a bastion than only authorize it
use TINC or only authorize the port 8083 through TOR
authorise only your VPN provider or pay for a static IP at home and authorise only this one
and so on ...
I was mentioning the SSH solution because it take 2sec to put in place and don't add any charge/service/process on the server.
Code: Select all
VM Name: DC3 Attack Type: TCP SYN Flood,IP Spoofing Action: VM Disconnected Source IP: 80.211.209.201, 80.211.209.200, 80.211.209.203, 80.211.209.202, 80.211.209.205, 80.211.209.204, 80.211.209.207, 80.211.209.206, 80.211.209.209, 80.211.209.208, 80.211.209.191, 80.211.209.190, 80.211.209.193, 80.211.209.192, 80.211.209.195, 80.211.209.194, 80.211.209.197, 80.211.209.196, 80.211.209.37, 80.211.209.198, 80.211.209.35, 80.211.209.34, 80.211.209.33, 80.211.209.32, 80.211.209.31, 80.211.209.30, 80.211.209.108, 80.211.209.109, 80.211.209.102, 80.211.209.103, 80.211.209.100, 80.211.209.101, 80.211.209.106, 80.211.209.107, 80.211.209.104, 80.211.209.105, 80.211.209.28, 80.211.209.29, 80.211.209.23, 80.211.209.24, 80.211.209.25, 80.211.209.26, 80.211.209.27, 80.211.209.119, 80.211.209.118, 80.211.209.111, 80.211.209.110, 80.211.209.113, 80.211.209.112, 80.211.209.115, 80.211.209.114, 80.211.209.117, 80.211.209.116, 80.211.209.39, 80.211.209.38, 80.211.209.88, 80.211.209.199, 80.211.209.211, 80.211.209.36, 80.211.209.59, 80.211.209.58, 80.211.209.55, 80.211.209.54, 80.211.209.57, 80.211.209.56, 80.211.209.51, 80.211.209.50, 80.211.209.53, 80.211.209.52, 80.211.209.124, 80.211.209.125, 80.211.209.126, 80.211.209.127, 80.211.209.120, 80.211.209.121, 80.211.209.122, 80.211.209.123, 80.211.209.128, 80.211.209.129, 80.211.209.146, 80.211.209.147, 80.211.209.144, 80.211.209.145, 80.211.209.142, 80.211.209.143, 80.211.209.140, 80.211.209.141, 80.211.209.148, 80.211.209.149, 80.211.209.48, 80.211.209.49, 80.211.209.46, 80.211.209.47, 80.211.209.44, 80.211.209.45, 80.211.209.42, 80.211.209.43, 80.211.209.40, 80.211.209.41, 80.211.209.133, 80.211.209.132, 80.211.209.131, 80.211.209.130, 80.211.209.137, 80.211.209.136, 80.211.209.135, 80.211.209.134, 80.211.209.139, 80.211.209.138, 80.211.209.155, 80.211.209.154, 80.211.209.157, 80.211.209.156, 80.211.209.151, 80.211.209.150, 80.211.209.153, 80.211.209.152, 80.211.209.159, 80.211.209.158, 80.211.209.79, 80.211.209.78, 80.211.209.73, 80.211.209.72, 80.211.209.71, 80.211.209.70, 80.211.209.77, 80.211.209.76, 80.211.209.75, 80.211.209.74, 80.211.209.160, 80.211.209.161, 80.211.209.162, 80.211.209.163, 80.211.209.164, 80.211.209.165, 80.211.209.166, 80.211.209.167, 80.211.209.168, 80.211.209.169, 80.211.209.64, 80.211.209.65, 80.211.209.66, 80.211.209.67, 80.211.209.60, 80.211.209.61, 80.211.209.62, 80.211.209.63, 80.211.209.68, 80.211.209.69, 80.211.209.99, 80.211.209.98, 80.211.209.91, 80.211.209.90, 80.211.209.93, 80.211.209.92, 80.211.209.95, 80.211.209.94, 80.211.209.97, 80.211.209.96, 80.211.209.212, 80.211.209.213, 80.211.209.210, 80.211.209.89, 80.211.209.82, 80.211.209.83, 80.211.209.80, 80.211.209.81, 80.211.209.86, 80.211.209.87, 80.211.209.84, 80.211.209.85, 80.211.209.182, 80.211.209.183, 80.211.209.180, 80.211.209.181, 80.211.209.186, 80.211.209.187, 80.211.209.184, 80.211.209.185, 80.211.209.188, 80.211.209.189, 80.211.209.179, 80.211.209.178, 80.211.209.177, 80.211.209.176, 80.211.209.175, 80.211.209.174, 80.211.209.173, 80.211.209.172, 80.211.209.171, 80.211.209.170 Destination IP: 222.187.238.14Why would I post here if I don't use it? I've got VestaCP running on one of my not-so-important servers for the past few years, but due to this problem I am likely migrating over all content and sites to Plesk. I don't feel confident having public or private API's for that matter running with root permissions.
Code: Select all
Our engineering team continues to work to resolve the networking issue impacting our NYC regions. We believe a previously undisclosed vulnerability in software by some customers on their Droplets is allowing for denial of service (DoS) attacks against targets outside of DigitalOcean. Our Trust & Safety team is also engaged to resolve this incident; in an effort to protect unaffected Droplets, we will block inbound traffic to TCP/8083.
We will continue to post updates here as more information becomes available, and we will provide additional guidance for customers to determine whether their Droplets are impacted, and how to work around the block to continue to safely access their software.
As a matter of fact, I am doing this right now.Prime wrote: ↑Sun Apr 08, 2018 3:31 pmWhy would I post here if I don't use it? I've got VestaCP running on one of my not-so-important servers for the past few years, but due to this problem I am likely migrating over all content and sites to Plesk. I don't feel confident having public or private API's for that matter running with root permissions.