Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 8:07 pm
by sandy
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 8:11 pm
by lukapaunovic
This matter needs to be looked into by the core VestaCP team immediately.
It's a matter of time before other providers and servers get hacked.
We need a fix ASAP.
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 8:17 pm
by sandy
lukapaunovic wrote: ↑Sat Apr 07, 2018 8:11 pm
This matter needs to be looked into by the core VestaCP team immediately.
It's a matter of time before other providers and servers get hacked.
We need a fix ASAP.
Some will even suspend the server permanently.
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 8:18 pm
by Prime
While this issue is ongoing, I highly urge everyone to change the ports of your VestaCP installation. This is to make break-in attempts harder, as the exploits usually only target certain ports (in this case, the default port).
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 8:20 pm
by sandy
Prime wrote: ↑Sat Apr 07, 2018 8:18 pm
While this issue is ongoing, I highly urge everyone to change the ports of your VestaCP installation. This is to make break-in attempts harder, as the exploits usually only target certain ports (in this case, the default port).
or :
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 8:24 pm
by sandy
This time the exploit is severe, resulting in an outbound DDoS attack. And 99% of hosts don't allow it on their network.
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 8:25 pm
by skid
sandy wrote: ↑Sat Apr 07, 2018 8:20 pm
Prime wrote: ↑Sat Apr 07, 2018 8:18 pm
While this issue is ongoing, I highly urge everyone to change the ports of your VestaCP installation. This is to make break-in attempts harder, as the exploits usually only target certain ports (in this case, the default port).
or :
This is the best way to stay safe until we find out the reason and release the update. Thanks for posting it.
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 8:27 pm
by skid
If your server got hacked, please send us root access to [email protected] so we can take a look and inspect it. Thanks
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 8:28 pm
by Prime
sandy wrote: ↑Sat Apr 07, 2018 8:20 pm
Prime wrote: ↑Sat Apr 07, 2018 8:18 pm
While this issue is ongoing, I highly urge everyone to change the ports of your VestaCP installation. This is to make break-in attempts harder, as the exploits usually only target certain ports (in this case, the default port).
or :
Even better for the time being:
Code:
systemctl stop vesta && systemctl disable vesta
And when it's fixed:
Code:
systemctl enable vesta && systemctl start vesta
Just in case you need to do a reboot or what not, so the service stays off :)
Re: Got 10 VestaCP servers exploited
Posted: Sat Apr 07, 2018 8:36 pm
by StudioMaX
Just to think: when logging in through the web interface to Vesta, a session file should be created, right? And all of them are located in /usr/local/vesta/data/sessions
As I understand the web interface internals, PHP will check that we have the "user" variable inside the session (https://github.com/serghey-rodin/vesta/ ... /index.php), otherwise it will redirect to the Login page.
What I mean - I looked through all the session files in Notepad, and searched them for the variable "user", and it exists only in the sessions created by me (my IP address exists in the "user_combined_ip" variable). Therefore, this exploit is either not related to the web interface, or it directly calls some public scripts that do not require authorization.
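Added example, not part of the thread and not VestaCP code: the session-file check described in the post above, scripted so it can be repeated on a copy of /usr/local/vesta/data/sessions. It assumes PHP's default session format and `sess_*` file names; the sample files, the `token` and `request_uri` keys and the known-IP list are constructed for illustration, and array or object values are not parsed.

```python
import re
import tempfile
from pathlib import Path

# One scalar in PHP serialize() form: s:<len>:"...", i:/b:/d:<value>; or N;
SCALAR = re.compile(rb'(?:s:(\d+):"|[ibd]:([^;]*);|N;)')

def parse_session(data: bytes) -> dict:
    """Top-level scalar variables of a PHP session file (default 'php' handler)."""
    out, pos = {}, 0
    while pos < len(data):
        bar = data.find(b"|", pos)
        m = SCALAR.match(data, bar + 1) if bar >= 0 else None
        if not m:
            break  # arrays/objects or trailing garbage: stop, keep what we have
        key = data[pos:bar].decode("utf-8", "replace")
        if m.group(1) is not None:  # string: trust the length prefix, not quotes
            start, n = m.end(), int(m.group(1))
            out[key] = data[start:start + n].decode("utf-8", "replace")
            pos = start + n + 2  # skip closing '";'
        else:
            out[key] = m.group(2).decode() if m.group(2) is not None else None
            pos = m.end()
    return out

def audit(session_dir, known_ips):
    """(file, user, ip, ip_is_known) for each session that holds a 'user' variable."""
    rows = []
    for f in sorted(Path(session_dir).glob("sess_*")):
        s = parse_session(f.read_bytes())
        if "user" in s:
            ip = s.get("user_combined_ip")
            rows.append((f.name, s["user"], ip, ip in known_ips))
    return rows

def build_sample(d):
    """Constructed session files; 'token' and 'request_uri' are made-up keys."""
    samples = {
        "sess_aaa": b'user|s:5:"admin";user_combined_ip|s:11:"203.0.113.5";',
        "sess_bbb": b'token|s:4:"abcd";',  # login page visited, never authenticated
        "sess_ccc": b'request_uri|s:14:"/?x=user|s:1:a";',  # "user|" inside a string
        "sess_ddd": b'user|s:5:"admin";user_combined_ip|s:12:"198.51.100.9";',
    }
    for name, body in samples.items():
        (Path(d) / name).write_bytes(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for row in audit(d, known_ips={"203.0.113.5"}):
            print(row)
```

Parsing by the length prefix means a session that merely contains the text `user|` inside another value (as in `sess_ccc`) is not counted as authenticated, which a plain text search would get wrong.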