Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
My vestas are 3 months old

> RevengeFNF wrote: ↑Mon Apr 09, 2018 2:13 pm
> Did you install VestaCP recently?
>
> > pipoy wrote: ↑Mon Apr 09, 2018 2:09 pm
> > Isn't it by default that when your firewall is enabled, everything is dropped?
> > And by default, only the accepted ones are in the FIREWALL tab.
> > If you already changed your admin port, automatically your 8083 is dropped.
> > I really don't think the exploitation is related to 8083. Mine is a different port but I got hacked.
>
> We are trying to know if their repo was exploited.
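The firewall defaults discussed above can be checked rather than assumed. The following audit script is an added example, not VestaCP's own code; it assumes that Vesta's rules.conf stores one rule per line as KEY='value' pairs (RULE, ACTION, PROTOCOL, PORT, IP, SUSPENDED, ...) with comma-separated PORT values, and it flags any active ACCEPT rule that opens the panel port (stock 8083, or whatever it was moved to) to more than a single host:

```python
"""Audit a VestaCP firewall rules file for a panel port accepted from the world.

Added example, not VestaCP's own code. Assumption: rules.conf holds one rule per
line as KEY='value' pairs (RULE, ACTION, PROTOCOL, PORT, IP, SUSPENDED, ...),
with PORT allowing comma-separated values.
"""
import ipaddress
import re

# Constructed sample rules file (not copied from a real server). Rule 3 is the
# stock "VESTA" rule that opens 8083 to everyone; rule 4 shows a moved panel
# port restricted to one admin address.
SAMPLE_RULES = """\
RULE='1' ACTION='ACCEPT' PROTOCOL='ICMP' PORT='0' IP='0.0.0.0/0' COMMENT='' SUSPENDED='no'
RULE='2' ACTION='ACCEPT' PROTOCOL='TCP' PORT='22' IP='0.0.0.0/0' COMMENT='SSH' SUSPENDED='no'
RULE='3' ACTION='ACCEPT' PROTOCOL='TCP' PORT='8083' IP='0.0.0.0/0' COMMENT='VESTA' SUSPENDED='no'
RULE='4' ACTION='ACCEPT' PROTOCOL='TCP' PORT='8443' IP='203.0.113.5' COMMENT='panel' SUSPENDED='no'
RULE='5' ACTION='DROP' PROTOCOL='TCP' PORT='8083' IP='0.0.0.0/0' COMMENT='too late' SUSPENDED='no'
"""

PAIR_RE = re.compile(r"(\w+)='([^']*)'")


def parse_rules(text):
    """One dict per non-empty line, built from the KEY='value' pairs."""
    return [dict(PAIR_RE.findall(line)) for line in text.splitlines() if line.strip()]


def port_matches(port_field, port):
    """True if `port` appears in a '8083' or '80,443' style PORT field."""
    return any(p.strip().isdigit() and int(p) == port for p in port_field.split(","))


def world_exposed(rules, panel_port):
    """(RULE, IP) for every active ACCEPT of the panel port from more than one host.

    Only ACCEPT rules count: iptables stops at the first match, so a DROP that
    comes after an ACCEPT for the same port (rule 5 above) changes nothing.
    """
    hits = []
    for r in rules:
        if r.get("ACTION") != "ACCEPT" or r.get("SUSPENDED") == "yes":
            continue
        if r.get("PROTOCOL", "").upper() != "TCP":
            continue
        if not port_matches(r.get("PORT", ""), panel_port):
            continue
        if ipaddress.ip_network(r.get("IP", "0.0.0.0/0"), strict=False).num_addresses > 1:
            hits.append((r["RULE"], r["IP"]))
    return hits


if __name__ == "__main__":
    for port in (8083, 8443):
        print(port, world_exposed(parse_rules(SAMPLE_RULES), port) or "restricted")
```

On a live server, read the real rules file into `parse_rules` and pass the port from the panel's nginx `listen` directive; an empty result means the panel is reachable only from the listed single hosts.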
Re: Got 10 VestaCP servers exploited
That is very strange. How the hell did they exploit your server?
In my case, I have three servers with Vesta, and none of them was exploited. In the most important one, I did have port 8083 blocked with iptables.
Then I have one test server where I installed Vesta last week, and that one was indeed exploited.
Re: Got 10 VestaCP servers exploited
> RevengeFNF wrote: ↑Mon Apr 09, 2018 2:29 pm
> That is very strange. How the hell did they exploit your server?
> In my case, I have three servers with Vesta, and none of them was exploited. In the most important one, I did have port 8083 blocked with iptables.
> Then I have one test server where I installed Vesta last week, and that one was indeed exploited.

My question is how did they know we are using vesta?
I never gave away my links here in the forum.
Re: Got 10 VestaCP servers exploited
I don't think it was the repo - I had installations that were made 3 months ago and last updated in Jan 2018 suddenly get exploited around mid-day on Saturday 7th April.

> RevengeFNF wrote: ↑Mon Apr 09, 2018 2:13 pm
> Did you install VestaCP recently?
> We are trying to know if their repo was exploited.

This is almost definitely a vulnerability within the code; I would guess it allowed a malicious user to access the 'admin' account and execute, given the update 0.9.8-20 that was released:

    Hardening password checks
    Auth fix
Re: Got 10 VestaCP servers exploited
They'll have discovered an exploit in the Vesta code base and just run a port scan across IP blocks (probably starting with large VM providers like AWS, DO and OVH) for servers with 8083 open that respond with Vesta headers.

> pipoy wrote: ↑Mon Apr 09, 2018 2:43 pm
> > RevengeFNF wrote: ↑Mon Apr 09, 2018 2:29 pm
> > That is very strange. How the hell did they exploit your server?
> > In my case, I have three servers with Vesta, and none of them was exploited. In the most important one, I did have port 8083 blocked with iptables.
> > Then I have one test server where I installed Vesta last week, and that one was indeed exploited.
> My question is how did they know we are using vesta?
> I never gave away my links here in the forum.
Re: Got 10 VestaCP servers exploited
The most common way is to ping port 8083. I don't know any other software that uses that port by default.

> pipoy wrote: ↑Mon Apr 09, 2018 2:43 pm
> > RevengeFNF wrote: ↑Mon Apr 09, 2018 2:29 pm
> > That is very strange. How the hell did they exploit your server?
> > In my case, I have three servers with Vesta, and none of them was exploited. In the most important one, I did have port 8083 blocked with iptables.
> > Then I have one test server where I installed Vesta last week, and that one was indeed exploited.
> My question is how did they know we are using vesta?
> I never gave away my links here in the forum.

If they are exploiting servers even with that port blocked, the only way I am currently imagining is for the Vesta repo to have been compromised as well.
Their repo is also using VestaCP.
Re: Got 10 VestaCP servers exploited
That doesn't explain how people that did have port 8083 blocked were hacked, because it means there was no access to the Web UI.

> n0x wrote: ↑Mon Apr 09, 2018 2:43 pm
> I don't think it was the repo - I had installations that were made 3 months ago and last updated in Jan 2018 suddenly get exploited around mid-day on Saturday 7th April.
> > RevengeFNF wrote: ↑Mon Apr 09, 2018 2:13 pm
> > Did you install VestaCP recently?
> > We are trying to know if their repo was exploited.
> This is almost definitely a vulnerability within the code; I would guess it allowed a malicious user to access the 'admin' account and execute, given the update 0.9.8-20 that was released:
> Be interesting to know what was fixed without having to go through the code for a comparison to 0.9.8-19.
>
>     Hardening password checks
>     Auth fix
Re: Got 10 VestaCP servers exploited
> RevengeFNF wrote: ↑Mon Apr 09, 2018 2:50 pm
> That doesn't explain how people that did have port 8083 blocked were hacked, because it means there was no access to the Web UI.
> > n0x wrote: ↑Mon Apr 09, 2018 2:43 pm
> > I don't think it was the repo - I had installations that were made 3 months ago and last updated in Jan 2018 suddenly get exploited around mid-day on Saturday 7th April.
> > > RevengeFNF wrote: ↑Mon Apr 09, 2018 2:13 pm
> > > Did you install VestaCP recently?
> > > We are trying to know if their repo was exploited.
> > This is almost definitely a vulnerability within the code; I would guess it allowed a malicious user to access the 'admin' account and execute, given the update 0.9.8-20 that was released:
> > Be interesting to know what was fixed without having to go through the code for a comparison to 0.9.8-19.
> >
> >     Hardening password checks
> >     Auth fix

True. I had a different port on 1 of my servers and still got hacked.
Re: Got 10 VestaCP servers exploited
I am a web developer. I manage a number of Vestas for my clients; I offer hosting for each site I develop, and if they want their own VPS with a panel and don't want to pay for e.g. cPanel/Plesk, they get Vesta.
I manage about 20 Vesta-based VPSs on one of the dedicated servers I run client VPSs on; the dedicated server has a /27 IP range. Over the months and years I've tweaked the Vesta installs with edits I do after installation.
One of the edits I've done is to get rid of the default-installed Roundcube and phpMyAdmin and move them to their own vhost under a normal user.
Out of the 20 Vesta installs, 12 of them got hacked; all had Roundcube pre-installed under /webmail. The 8 that did not get hacked had Roundcube running as a subdomain vhost of a normal user.
All run the Vesta panel on the stock port; the other difference is that the hacked ones had Roundcube pre-installed on /webmail.
Edit: I know the issue was found out to be an issue with the login of the admin panel, but I think it's a multi-vector issue.