Page 29 of 55

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 1:42 am
by pipoy
Mag37 wrote:
Mon Apr 09, 2018 1:38 am
Hi everyone, I just want to ask a few simple questions:
  • Were any of the VestaCP installs on HTTPS?
  • Is it a good idea to change VestaCP port 8083? (= stealth mode)
My installation is, and did not get hacked (I have turned it off as I write)
I am on Ubuntu 16.04 - Apache + Nginx
the entire install is on https (letsencrypt)
One note with my install is that Roundcube does not function at this time
database connection error... Will fix that later

I have turned off my server at this time. Will upgrade ASAP

Thanks and good luck guys

PS: my Host emailed me about this issue.

Were any of the VestaCP installs on HTTPS? - Yes. All of my sites and VestaCP.

Is it a good idea to change VestaCP port 8083? (= stealth mode) - I had mine on a different port, but still got hacked.. but yes, this is still a good idea.

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 1:45 am
by mxroute
Can it be confirmed whether the patch contained generic security fixes that were proposed to potentially be connected or if the patch is designed to directly address the common attack vector used to compromise servers in the last 48 hours?

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 2:19 am
by Devonius
In my case:
all Vesta installs which did not install exim and dovecot are safe
--exim no --dovecot no (at install time)

but some of my Vesta installs which installed exim and dovecot were infected with gcc.sh

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 2:26 am
by mxroute
Devonius wrote:
Mon Apr 09, 2018 2:19 am
In my case:
all Vesta installs which did not install exim and dovecot are safe
--exim no --dovecot no (at install time)

but some of my Vesta installs which installed exim and dovecot were infected with gcc.sh
To add to that, I shut down the panel on two servers hosting hundreds of customers late last night (US/Central, roughly 20h ago) which had every service installed. These had not been compromised.

I highly suspect that the attackers were going through IP ranges and had/have not gotten to every range yet. You and I are fortunate to only have to say "panel is down for now." :)

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 2:35 am
by anthonyrossbach
I run a host that uses vestacp for the API, so I had patched everything but also made a script to change the port from 8083 to 5600 and changed the firewall to add the port.

If you want to use it, the command is

Code:

curl http://www.nodehost.ca/scripts/sh/vestacp_changeport.sh > vestacp_changeport.sh && bash vestacp_changeport.sh
You can see the code directly at http://www.nodehost.ca/scripts/sh/vestacp_changeport.sh and it will show what it will do; this is also the code below, just in case you want to put it in your own file and run it.

Code:

#!/bin/bash
echo "NodeHost Custom VESTACP Script"

echo "JOB: Changing VESTACP port"
# Match the exact "listen" directive VestaCP writes (note the spacing).
# The grep skips the sed when the new port is already present, so re-runs are safe.
string="listen          8083;"
stringnew="listen          5600;"
grep "$stringnew" /usr/local/vesta/nginx/conf/nginx.conf || sed -i "s/$string/$stringnew/g" /usr/local/vesta/nginx/conf/nginx.conf
echo "JOB: Complete"

echo "JOB: Changing VESTACP firewall rule for new port"
# Full path, so the script also works when /usr/local/vesta/bin is not on PATH
/usr/local/vesta/bin/v-add-firewall-rule ACCEPT 0.0.0.0/0 5600 TCP
echo "JOB: Complete"

echo "JOB: Restarting VESTACP"
service vesta restart
echo "JOB: Complete"

echo "JOB: Port has been changed to 5600 from 8083"
Hope this helps for anyone wanting to quickly change the port.

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 3:06 am
by mehargags
This is the fastest, easiest SSH command line to change your VestaCP port. I'm changing it here to 8383; you can replace 8383 with any other (uncommon) port number if you want.

Code:

sed -i 's/8083;/8383;/' /usr/local/vesta/nginx/conf/nginx.conf
/usr/local/vesta/bin/v-add-firewall-rule ACCEPT 0.0.0.0/0 8383 TCP gVestaCP

# DROP 8083 in Firewall (if you want to block)

Code:

sed -i -e '/8083/ s/ACCEPT/DROP/' /usr/local/vesta/data/firewall/rules.conf
Double check that it shows DROP for 8083

Code:

nano /usr/local/vesta/data/firewall/rules.conf

Code:

v-update-firewall
systemctl restart vesta
If you are still not able to log in at your custom port, stop the firewall

Code:

/usr/local/vesta/bin/v-stop-firewall
then restart the firewall from within your WebUI

Note: Seasoned admins may want to restrict access to the WebUI to only their known IP... so replace ACCEPT 0.0.0.0/0 with your IP

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 3:11 am
by Devonius
mehargags wrote:
Mon Apr 09, 2018 3:06 am
This is the fastest, easiest SSH command line to change your VestaCP port. I'm changing it here to 8383; you can replace 8383 with any other (uncommon) port number if you want.

Code:

sed -i 's/8083;/8383;/' /usr/local/vesta/nginx/conf/nginx.conf
/usr/local/vesta/bin/v-add-firewall-rule ACCEPT 0.0.0.0/0 8383 TCP gVestaCP

v-update-firewall
systemctl restart vesta
If you are still not able to log in at your custom port, stop the firewall

Code:

/usr/local/vesta/bin/v-stop-firewall
then restart the firewall from within your WebUI
Do these lines close (block) my 8083 port? If not, how do I completely close port 8083?

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 3:20 am
by mehargags
Devonius wrote:
Mon Apr 09, 2018 3:11 am
Do these lines close (block) my 8083 port? If not, how do I completely close port 8083?
Ok
I updated the post... so read it again.

DROP 8083 in Firewall (if you want to block)

Code:

sed -i -e '/8083/ s/ACCEPT/DROP/' /usr/local/vesta/data/firewall/rules.conf
double check that it shows "DROP" for port 8083

Code:

nano /usr/local/vesta/data/firewall/rules.conf
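The procedure spread over the last few posts (move the panel's nginx listen port, open the new port in the Vesta firewall, flip the 8083 rule to DROP, then check the file, and optionally restrict the panel to a known IP), as an added example that is not from this thread or from the VestaCP project: the same steps written as shell functions that take the two config files by path, so they can be dry-run on copies and verified before anything touches a live panel. Assumptions, not stated in the thread: rules.conf is taken to hold one KEY='value' record per line with RULE, ACTION, PROTOCOL, PORT, IP and COMMENT fields; the function names, the sample files and the 203.0.113.10 admin address are constructed for this example. On a live host you still run v-update-firewall and restart vesta afterwards, exactly as the posts above do.

```shell
#!/bin/sh
# Added example, not from the thread or the VestaCP project. Works on config files
# passed by path; live paths on a VestaCP host would be
#   /usr/local/vesta/nginx/conf/nginx.conf
#   /usr/local/vesta/data/firewall/rules.conf
# Assumed rules.conf layout (one record per line):
#   RULE='n' ACTION='ACCEPT|DROP' PROTOCOL='TCP' PORT='p' IP='cidr' COMMENT='c' ...

# Rewrite the panel "listen OLD;" directive to NEW. Idempotent: returns 0 when NEW is
# present (already changed, or changed now), 1 when neither OLD nor NEW was found.
vesta_set_listen_port() {
    conf=$1 old=$2 new=$3
    grep -Eq "^[[:space:]]*listen[[:space:]]+${new};" "$conf" && return 0
    grep -Eq "^[[:space:]]*listen[[:space:]]+${old};" "$conf" || return 1
    sed -E "s/^([[:space:]]*listen[[:space:]]+)${old};/\1${new};/" "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Flip every ACCEPT rule for PORT to DROP. Anchors on the PORT='...' field, so a rule
# whose comment or rule number merely contains the digits is left alone (the bare
# '/8083/ s/ACCEPT/DROP/' from the thread matches anywhere on the line).
vesta_drop_port() {
    rules=$1 port=$2
    sed -E "/PORT='${port}'/ s/ACTION='ACCEPT'/ACTION='DROP'/" "$rules" > "$rules.tmp" \
        && mv "$rules.tmp" "$rules"
}

# Append an ACCEPT rule for PORT limited to CIDR: a file-level stand-in for
# "v-add-firewall-rule ACCEPT CIDR PORT TCP COMMENT" when working on a copy.
vesta_accept_port_from() {
    rules=$1 port=$2 cidr=$3 comment=$4
    last=$(sed -nE "s/^RULE='([0-9]+)'.*/\1/p" "$rules" | sort -n | tail -n 1)
    next=$(( ${last:-0} + 1 ))
    printf "RULE='%s' ACTION='ACCEPT' PROTOCOL='TCP' PORT='%s' IP='%s' COMMENT='%s' SUSPENDED='no' TIME='%s' DATE='%s'\n" \
        "$next" "$port" "$cidr" "$comment" "$(date +%H:%M:%S)" "$(date +%F)" >> "$rules"
}

# Exposure check: print, one per line, every port that still has an ACCEPT rule
# open to 0.0.0.0/0. This is what to look at after the move, not just the 8083 line.
vesta_world_open_ports() {
    rules=$1
    grep -E "ACTION='ACCEPT'" "$rules" | grep -E "IP='0\.0\.0\.0/0'" \
        | sed -nE "s/.*PORT='([^']*)'.*/\1/p" | sort -n | uniq
}

# Returns 0 (true) if PORT is still reachable from anywhere according to the rules file.
vesta_panel_still_world_open() {
    rules=$1 port=$2
    vesta_world_open_ports "$rules" | grep -qx "$port"
}

# Dry run on constructed sample files (not captured from a real host).
vesta_demo() {
    dir=$(mktemp -d)
    printf 'server {\n    listen          8083;\n    server_name     _;\n}\n' > "$dir/nginx.conf"
    cat > "$dir/rules.conf" <<'EOF'
RULE='1' ACTION='ACCEPT' PROTOCOL='TCP' PORT='22' IP='0.0.0.0/0' COMMENT='SSH' SUSPENDED='no' TIME='00:00:00' DATE='2018-04-09'
RULE='2' ACTION='ACCEPT' PROTOCOL='TCP' PORT='8083' IP='0.0.0.0/0' COMMENT='VESTA' SUSPENDED='no' TIME='00:00:00' DATE='2018-04-09'
RULE='3' ACTION='ACCEPT' PROTOCOL='TCP' PORT='80,443' IP='0.0.0.0/0' COMMENT='WEB' SUSPENDED='no' TIME='00:00:00' DATE='2018-04-09'
EOF
    vesta_set_listen_port "$dir/nginx.conf" 8083 8383
    # 203.0.113.10 is a documentation-range address standing in for the admin's IP
    vesta_accept_port_from "$dir/rules.conf" 8383 203.0.113.10 VESTA-ADMIN
    vesta_drop_port "$dir/rules.conf" 8083
    echo "panel port 8083 world-open: $(vesta_panel_still_world_open "$dir/rules.conf" 8083 && echo yes || echo no)"
    echo "ports still open to 0.0.0.0/0: $(vesta_world_open_ports "$dir/rules.conf" | tr '\n' ' ')"
    echo "edited copies are in $dir"
}

vesta_demo
```

Copy the two live files into a scratch directory, run the functions against the copies, and only after vesta_world_open_ports shows what you expect (the panel port absent, or present only for your own address) copy them back and run v-update-firewall and the vesta restart. Matching on PORT='8083' rather than a bare 8083 is deliberate: the rule number, a comment, or part of an IP could also contain those digits.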

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 3:26 am
by anthonyrossbach
mehargags wrote:
Mon Apr 09, 2018 3:06 am
This is the fastest, easiest SSH command line to change your VestaCP port. I'm changing it here to 8383; you can replace 8383 with any other (uncommon) port number if you want.

Code:

sed -i 's/8083;/8383;/' /usr/local/vesta/nginx/conf/nginx.conf
/usr/local/vesta/bin/v-add-firewall-rule ACCEPT 0.0.0.0/0 8383 TCP gVestaCP

# DROP 8083 in Firewall (if you want to block)

Code:

sed -i -e '/8083/ s/ACCEPT/DROP/' /usr/local/vesta/data/firewall/rules.conf
Double check that it shows DROP for 8083
nano /usr/local/vesta/data/firewall/rules.conf

Code:

v-update-firewall
systemctl restart vesta
If you are still not able to log in at your custom port, stop the firewall

Code:

/usr/local/vesta/bin/v-stop-firewall
then restart the firewall from within your WebUI

Note: Seasoned admins may want to restrict access to the WebUI to only their known IP... so replace ACCEPT 0.0.0.0/0 with your IP

Awesome! I forgot about using sed to use it in one script

Re: Got 10 VestaCP servers exploited

Posted: Mon Apr 09, 2018 3:42 am
by Nou4r
Same here, my server was using NGINX plus Apache2.
Hetzner suspended one of my servers a week after I installed VestaCP and told me that it could be VestaCP; seeing this thread I'm sure it's VestaCP.