Vesta Control Panel - Forum

isac wrote: ↑

Mon Apr 09, 2018 1:56 pm

We need Debian 9 update, trying to update from 0.9.8 but without luck

RevengeFNF wrote: ↑

Mon Apr 09, 2018 2:13 pm

pipoy wrote: ↑

Mon Apr 09, 2018 2:09 pm

Isn't by default that when your firewall is enabled, everything is dropped?

And by default, only the accepted ones are in the FIREWALL tab.

If you already changed your admin port, automatically your 8083 is dropped

I really dont think the exploitation is related to 8083. Mine is a different port but I got hacked

Did you install VestaCP recently?
We are trying to know if their repo was exploited.

pipoy wrote: ↑

Mon Apr 09, 2018 2:27 pm

My vestas are 3 months old

RevengeFNF wrote: ↑

Mon Apr 09, 2018 2:29 pm

pipoy wrote: ↑

Mon Apr 09, 2018 2:27 pm

My vestas are 3 months old

That is very strange. How the hell they exploited your server?

In my case, i have three servers with Vesta, none of them was exploited. In the most important one, i did have port 8083 blocked with iptables
Then i have one test server where i installed Vesta last week, and that one was indeed exploited.

RevengeFNF wrote: ↑

Mon Apr 09, 2018 2:13 pm

Did you install VestaCP recently?
We are trying to know if their repo was exploited.

Hardening password checks
Auth fix

pipoy wrote: ↑

Mon Apr 09, 2018 2:43 pm

RevengeFNF wrote: ↑

Mon Apr 09, 2018 2:29 pm

pipoy wrote: ↑

Mon Apr 09, 2018 2:27 pm

My vestas are 3 months old

That is very strange. How the hell they exploited your server?

In my case, i have three servers with Vesta, none of them was exploited. In the most important one, i did have port 8083 blocked with iptables
Then i have one test server where i installed Vesta last week, and that one was indeed exploited.

My question is how did they know we are using vesta?

I never gave away my links here in the forum.

pipoy wrote: ↑

Mon Apr 09, 2018 2:43 pm

RevengeFNF wrote: ↑

Mon Apr 09, 2018 2:29 pm

pipoy wrote: ↑

Mon Apr 09, 2018 2:27 pm

My vestas are 3 months old

That is very strange. How the hell they exploited your server?

In my case, i have three servers with Vesta, none of them was exploited. In the most important one, i did have port 8083 blocked with iptables
Then i have one test server where i installed Vesta last week, and that one was indeed exploited.

My question is how did they know we are using vesta?

I never gave away my links here in the forum.

n0x wrote: ↑

Mon Apr 09, 2018 2:43 pm

RevengeFNF wrote: ↑

Mon Apr 09, 2018 2:13 pm

Did you install VestaCP recently?
We are trying to know if their repo was exploited.

I don't think it was the repo - I had installations that were made 3 months ago and last updated in Jan 2018 suddenly get exploited around mid-day on Saturday 7th April.

This is almost definitely a vulnerability within the code, I would guess it allowed a malicious user to access the 'admin' account and execute given the update 0.9.8-20 that was released:

Code: Select all

Hardening password checks
Auth fix

Be interesting to know what was fixed without having to go through the code for a comparison to 0.9.8-19.

RevengeFNF wrote: ↑

Mon Apr 09, 2018 2:50 pm

n0x wrote: ↑

Mon Apr 09, 2018 2:43 pm

RevengeFNF wrote: ↑

Mon Apr 09, 2018 2:13 pm

Did you install VestaCP recently?
We are trying to know if their repo was exploited.

I don't think it was the repo - I had installations that were made 3 months ago and last updated in Jan 2018 suddenly get exploited around mid-day on Saturday 7th April.

This is almost definitely a vulnerability within the code, I would guess it allowed a malicious user to access the 'admin' account and execute given the update 0.9.8-20 that was released:

Code: Select all

Hardening password checks
Auth fix

Be interesting to know what was fixed without having to go through the code for a comparison to 0.9.8-19.

That doesn't explain how people that did have port 8083 blocked were hacked, because it means there was no access to the Web UI.