Page 4 of 55

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 8:07 pm
by sandy
viewtopic.php?f=10&t=16558&p=68543
some more info about the attack

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 8:11 pm
by lukapaunovic
This matter needs to be looked into by core of VestaCP team immediately.
it's the matter of time when other providers and server will get hacked.
We need fix ASAP

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 8:17 pm
by sandy
lukapaunovic wrote:
Sat Apr 07, 2018 8:11 pm
This matter needs to be looked into by core of VestaCP team immediately.
it's the matter of time when other providers and server will get hacked.
We need fix ASAP
some will even suspend the server permanently

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 8:18 pm
by Prime
While this issue is on-going, I highly urge everyone to change ports of your vestaCP-installation. This to ensure to make it harder for break-in attempts as usually the exploits only target certain ports (in this case, default port.)

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 8:20 pm
by sandy
Prime wrote:
Sat Apr 07, 2018 8:18 pm
While this issue is on-going, I highly urge everyone to change ports of your vestaCP-installation. This to ensure to make it harder for break-in attempts as usually the exploits only target certain ports (in this case, default port.)
or :

Code: Select all

service vesta stop

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 8:24 pm
by sandy
this time exploit is severe resulting outbound ddos attack. And 99% of hosts doesn't allow it on there network

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 8:25 pm
by skid
sandy wrote:
Sat Apr 07, 2018 8:20 pm
Prime wrote:
Sat Apr 07, 2018 8:18 pm
While this issue is on-going, I highly urge everyone to change ports of your vestaCP-installation. This to ensure to make it harder for break-in attempts as usually the exploits only target certain ports (in this case, default port.)
or :

Code: Select all

service vesta stop
This is the best way to stay safe until we find out the reason and release the update. Thanks for positing it.

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 8:27 pm
by skid
If your server got hacked please send us root access to info@vestacp.com so we can take a look and inspect it. Thanks

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 8:28 pm
by Prime
sandy wrote:
Sat Apr 07, 2018 8:20 pm
Prime wrote:
Sat Apr 07, 2018 8:18 pm
While this issue is on-going, I highly urge everyone to change ports of your vestaCP-installation. This to ensure to make it harder for break-in attempts as usually the exploits only target certain ports (in this case, default port.)
or :

Code: Select all

service vesta stop
Even better for the moment being:

Code: Select all

systemctl stop vesta && systemctl disable vesta
And when it's fixed:

Code: Select all

systemctl enable vesta && systemctl start vesta
Just in case you need to do a reboot or what not, so the service stays off :)

Re: Got 10 VestaCP servers exploited

Posted: Sat Apr 07, 2018 8:36 pm
by StudioMaX
Just to think: when logging in through the web interface to Vesta, a session file should be created, right? And all of them located in /usr/local/vesta/data/sessions
As I understand the web interface internals, PHP will check that we have "user" variable inside the session (https://github.com/serghey-rodin/vesta/ ... /index.php), otherwise it will redirect to the Login page.
What I mean - I looked through all the session files in notepad, and search them for variable "user", and it exist only in the sessions created by me (my IP address exists in "user_combined_ip" variable). Therefore, this exploit is either not related to the web interface, or it directly calls some public scripts that do not require authorization.