
Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 12:52 am
by deanhills
I'd like to thank the Admin for their hard work. Couldn't have been easy the last three days. I've every confidence they'll sort this out as most of the Admin have been around for many years and care about their script.

I've seen lots of discussion about the possibility of the script having been infected - is there proof that it has been infected and has this now been sorted out? Also are the Admin completely confident that the updated installation script is clean and we can use it for new servers? In your opinion what part of the installation script would be the focus of hackers? For example, I don't use the e-mail and FTP systems of VestaCP as I find that e-mails in particular are targeted by hackers. I wonder whether that could be the reason my VPSs have not been hacked?

Secondly, someone suggested that the hackers targeted IP ranges. Were those specific location ranges and what were those locations?

Finally I'm a bit puzzled about the updates. I thought that we're all on automatic updates by default? All of my VestaCP Panels have always been on automatic updates. I'm just asking as I see plenty of posts about getting patches and updates, and as far as I could see from my VestaCP Panels they were all automatically updated on 8th of April. If they have been automatically updated is there still a need for a patch?

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 1:12 am
by fxtoofaan
After update to 0.9.8-20 now I am not able to log in to my vestacp admin page. My websites seem to be still online. Did the update change the management port or something? Not sure why I cannot log in now. Any help?

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 1:14 am
by huloza
fxtoofaan wrote:
Tue Apr 10, 2018 1:12 am
After update to 0.9.8-20 now I am not able to log in to my vestacp admin page. My websites seem to be still online. Did the update change the management port or something? Not sure why I cannot log in now. Any help?
Restart vesta from cli
service vesta restart

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 1:33 am
by fxtoofaan
huloza wrote:
Tue Apr 10, 2018 1:14 am
Restart vesta from cli
service vesta restart

That worked, thank you.

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 5:11 am
by nextgi
Hi Everyone,

We have put together a survey to help us better understand the general configuration in relation to some of the working theories. If you have suggestions to broaden the survey, please let us know.

https://goo.gl/forms/qXtzd6nZFrKNw7DN2

We greatly appreciate any input.

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 5:19 am
by pipoy
nextgi wrote:
Tue Apr 10, 2018 5:11 am
Hi Everyone,

We have put together a survey to help us better understand the general configuration in relation to some of the working theories. If you have suggestions to broaden the survey, please let us know.

https://goo.gl/forms/qXtzd6nZFrKNw7DN2

We greatly appreciate any input.
It's private

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 5:22 am
by nextgi
pipoy wrote:
Tue Apr 10, 2018 5:19 am
nextgi wrote:
Tue Apr 10, 2018 5:11 am
Hi Everyone,

We have put together a survey to help us better understand the general configuration in relation to some of the working theories. If you have suggestions to broaden the survey, please let us know.

https://goo.gl/forms/qXtzd6nZFrKNw7DN2

We greatly appreciate any input.
It's private
Haha, thanks. It should be open now.

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 5:38 am
by mehargags
kobo1d wrote:
Mon Apr 09, 2018 6:44 pm
Even after you clean the trojan, your system is still infected from what I see.
systemd (process 1) still creates suspicious files under /tmp while all other directories are still clean.
But this is speculating now
Can you name the files/dir that you see as suspicious in your /tmp?

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 7:20 am
by MiguelVESTACP
I don't know if my server is hacked, but I have had this problem for at least 3 days now

Failed to create subdirectories: /var/log/httpd/20180410/20180410-0243

Can someone tell me what the attributes are for the folders in CentOS?
"var/log/httpd"
"var/log"

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 7:29 am
by wildwolf
MiguelVESTACP wrote:
Tue Apr 10, 2018 7:20 am
I don't know if my server is hacked, but I have had this problem for at least 3 days now

Failed to create subdirectories: /var/log/httpd/20180410/20180410-0243

Can someone tell me what the attributes are for the folders in CentOS?
"var/log/httpd"
"var/log"

Code:

# ls -lhad /var/log
drwxr-xr-x. 18 root root 4.0K кві  9 03:20 /var/log
# ls -lhad /var/log/httpd
drwx------ 2 root root 4.0K гру 15  2014 /var/log/httpd