Re: Got 10 VestaCP servers exploited
Posted: Mon Apr 09, 2018 2:14 pm
Community Forum
https://forum.vestacp.com/
RevengeFNF wrote: ↑Mon Apr 09, 2018 2:13 pm
    pipoy wrote: ↑Mon Apr 09, 2018 2:09 pm
        Isn't it the default that when your firewall is enabled, everything is dropped?
        And by default, only the accepted ones are in the FIREWALL tab.
        If you already changed your admin port, your 8083 is automatically dropped.
        I really don't think the exploitation is related to 8083. Mine is on a different port, but I got hacked.
    Did you install VestaCP recently?
    We are trying to know if their repo was exploited.
My Vestas are 3 months old.

Posted: Mon Apr 09, 2018 2:29 pm (RevengeFNF)
That is very strange. How the hell did they exploit your server?
In my case, I have three servers with Vesta; none of them was exploited. On the most important one, I did have port 8083 blocked with iptables.
Then I have one test server where I installed Vesta last week, and that one was indeed exploited.

Posted: Mon Apr 09, 2018 2:43 pm (pipoy)
RevengeFNF wrote: ↑Mon Apr 09, 2018 2:29 pm
    That is very strange. How the hell did they exploit your server? [...]
My question is how did they know we are using Vesta?
I never gave away my links here in the forum.

Posted: Mon Apr 09, 2018 2:43 pm (n0x)
RevengeFNF wrote: ↑Mon Apr 09, 2018 2:13 pm
    Did you install VestaCP recently?
    We are trying to know if their repo was exploited.
I don't think it was the repo - I had installations that were made 3 months ago and last updated in Jan 2018 suddenly get exploited around mid-day on Saturday 7th April.
This is almost definitely a vulnerability within the code. I would guess it allowed a malicious user to access the 'admin' account and execute, given the update 0.9.8-20 that was released:
    Hardening password checks
    Auth fix
It would be interesting to know what was fixed without having to go through the code for a comparison to 0.9.8-19.

pipoy wrote: ↑Mon Apr 09, 2018 2:43 pm
    My question is how did they know we are using Vesta?
    I never gave away my links here in the forum.
They'll have discovered an exploit in the Vesta code base and just run a port scan across IP blocks (probably starting with large VM providers like AWS, DO and OVH) for servers that have 8083 open and respond with Vesta headers.

pipoy wrote: ↑Mon Apr 09, 2018 2:43 pm
    My question is how did they know we are using Vesta?
    I never gave away my links here in the forum.
The most common way is to ping port 8083. I don't know any other software that uses that port by default.
Posted: Mon Apr 09, 2018 2:50 pm (RevengeFNF)
n0x wrote: ↑Mon Apr 09, 2018 2:43 pm
    I don't think it was the repo - I had installations that were made 3 months ago and last updated in Jan 2018 suddenly get exploited around mid-day on Saturday 7th April.
    This is almost definitely a vulnerability within the code. [...]
That doesn't explain how people that did have port 8083 blocked were hacked, because it means there was no access to the Web UI.
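The two checks the posts above keep coming back to, as an added shell example that is not from this thread or from the VestaCP project: first, whether a host answers on TCP/8083 with something that identifies Vesta (the way the replies say attackers find targets), and second, whether a local iptables rule set really blocks 8083 for everyone except an allowed source, which is the situation RevengeFNF describes. The 'vesta' substring used as a fingerprint, the https://HOST:8083/login/ URL, and every sample response and rule dump below are assumptions constructed for the example; adjust the fingerprint to what your own panel actually returns.

```shell
#!/bin/sh
# Added example, not from this thread or the VestaCP project.
# Assumptions: the fingerprint is a case-insensitive 'vesta' substring in the
# HTTP response, the panel answers on https://HOST:8083/login/, and all sample
# data at the bottom is constructed rather than captured from real servers.

# Classify a captured HTTP response (headers + body) from port 8083.
# Prints vesta / other-http / closed; exit status 0 only for vesta.
classify_8083_response() {
    resp="$1"
    if [ -z "$resp" ]; then
        echo closed
        return 1
    fi
    if printf '%s' "$resp" | grep -qi 'vesta'; then
        echo vesta
        return 0
    fi
    echo other-http
    return 1
}

# Probe one live host. -k skips certificate verification because Vesta ships a
# self-signed certificate by default; -i keeps the headers in the output.
probe_host() {
    host="$1"
    resp=$(curl -ski --max-time 5 "https://$host:8083/login/" 2>/dev/null || true)
    classify_8083_response "$resp"
}

# Audit an 'iptables -S INPUT' dump (passed as text) for port 8083. Prints:
#   open        an ACCEPT rule for 8083 with no -s source restriction
#   dropped     a DROP/REJECT rule for 8083 and no unrestricted ACCEPT
#   restricted  only ACCEPT rules that carry a -s source, no DROP
#   policy:X    no rule mentions 8083, so the chain policy X decides
# Exit status 0 means the port is not reachable by arbitrary sources.
audit_8083_rules() {
    dump="$1"
    rules=$(printf '%s\n' "$dump" | grep -- '--dport 8083 ' || true)
    if printf '%s\n' "$rules" | grep -v -- ' -s ' | grep -q -- '-j ACCEPT'; then
        echo open
        return 1
    fi
    if printf '%s\n' "$rules" | grep -Eq -- '-j (DROP|REJECT)'; then
        echo dropped
        return 0
    fi
    if printf '%s\n' "$rules" | grep -q -- '-j ACCEPT'; then
        echo restricted
        return 0
    fi
    policy=$(printf '%s\n' "$dump" | awk '$1 == "-P" && $2 == "INPUT" { print $3 }')
    echo "policy:${policy:-unknown}"
    if [ "$policy" = DROP ]; then
        return 0
    fi
    return 1
}

# Constructed sample data (not captured from any real server).
SAMPLE_VESTA='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
<html><head><title>Vesta - login</title></head></html>'
SAMPLE_OTHER='HTTP/1.1 403 Forbidden
Server: Apache'
SAMPLE_RULES_OPEN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j ACCEPT'
SAMPLE_RULES_LOCKED='-P INPUT DROP
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 8083 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8083 -j DROP'
SAMPLE_RULES_DEFAULT='-P INPUT DROP
-A INPUT -i lo -j ACCEPT'

# Usage: ./check8083.sh --demo   (classify the samples)
#        ./check8083.sh HOST     (probe a live host you are allowed to test)
#        iptables -S INPUT | { read -r d; ...; }  or pass the dump to audit_8083_rules
case "${1:-}" in
    --demo)
        classify_8083_response "$SAMPLE_VESTA"
        classify_8083_response "$SAMPLE_OTHER" || true
        audit_8083_rules "$SAMPLE_RULES_OPEN" || true
        audit_8083_rules "$SAMPLE_RULES_LOCKED"
        audit_8083_rules "$SAMPLE_RULES_DEFAULT"
        ;;
    '') ;;
    *) probe_host "$1" ;;
esac
```

On a real box, run `audit_8083_rules "$(iptables -S INPUT)"`; an answer of `open` means the panel is reachable from anywhere even if you believed the Vesta firewall had dropped it, and `policy:ACCEPT` means nothing is blocking it at all.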