
Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 7:52 am
by MiguelVESTACP
Thanks @wildwolf

How to chmod /var/log/httpd to
drwx------ 2

Best Regards

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 8:03 am
by MiguelVESTACP
And what are the attributes for
/var/log/httpd/domains/ ?

Best Regards

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 8:47 am
by wildwolf
MiguelVESTACP wrote:
Tue Apr 10, 2018 7:52 am
Thanks @wildwolf

How to chmod /var/log/httpd to
drwx------ 2

Best Regards

chmod 0700 /var/log/httpd
PS: I don't have any directory under /dev/log/httpd.
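
An added example, not from wildwolf or the VestaCP project, that does the chmod asked about above and then verifies it, plus an audit that lists anything below the log tree still accessible to "other" (which also answers the follow-up about /var/log/httpd/domains/). It assumes the log tree is owned by root and only root-owned processes (httpd, logrotate, Vesta's own scripts) need to read it; the function names and the audit step are this example's own, not a VestaCP command.

```shell
#!/bin/sh
# Added example (not part of the thread). Restrict an Apache log directory
# to root (the drwx------ mode asked about above) and audit the tree under it.
# Assumption: the log tree is root-owned and only root processes read it.

# harden_logdir DIR: chmod 0700 DIR, then verify by reading the mode back.
harden_logdir() {
  dir="$1"
  [ -d "$dir" ] || { echo "harden_logdir: not a directory: $dir" >&2; return 1; }
  chmod 0700 "$dir" || return 1
  # ls -ld prints e.g. "drwx------ 2 root root ..."; compare the first 10 chars
  # (an 11th char such as "." or "+" marks SELinux/ACL context and is ignored).
  mode=$(ls -ld "$dir" | cut -c1-10)
  [ "$mode" = "drwx------" ]
}

# audit_other_access DIR: print every entry below DIR that grants read,
# write or execute to "other". Returns 1 if any were found, 0 if clean.
audit_other_access() {
  dir="$1"
  hits=$(find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# Typical invocation on a VestaCP host (paths as used in the thread):
#   harden_logdir /var/log/httpd
#   harden_logdir /var/log/httpd/domains
#   audit_other_access /var/log/httpd   # nonzero exit = something still exposed
```

Run the audit after the chmod: locking down the top directory alone does not change the mode of the per-domain log files underneath it, so anything created with a permissive umask stays readable by any local user who can name the path.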

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 8:49 am
by kobo1d
mehargags wrote:
Tue Apr 10, 2018 5:38 am
kobo1d wrote:
Mon Apr 09, 2018 6:44 pm
Even after you clean the trojan, your system is still infected from what I see.
systemd (process 1) still creates suspicious files under /tmp while all other directories are still clean.
But this is speculating now.
Can you name the files/dirs that you see as suspicious in your /tmp?
It was many little files with strange content, inside folders starting with "systemd", but it was not coming from the virus.
I checked and double-checked that it has nothing to do with it.
I had the idea because the virus started spreading via systemd first.
But systemd is clean now.

And I just filled out the poll. The only similar thing I could figure from it is that I had Roundcube on the default /webmail path.
Please don't tell me it's coming from there.... I was so close to disabling this crap, but my clients forced me to have their webmail.......

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 9:01 am
by imperio
viewtopic.php?f=25&p=69296#p69296
Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 10:10 am
by Harambe
imperio wrote:
Tue Apr 10, 2018 9:01 am
viewtopic.php?f=25&p=69296#p69296
Any chance of a proper statement being released on how this patch fixes the vulnerability? Were any specific (confirmed) details collected on the attack vector?

All I really saw was a lot of speculation on what the problem COULD be, and a security patch released for those concerns, but I never saw any solid evidence on exactly how the hacks were performed and how the security release remedies that.

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 10:56 am
by Falzo
Harambe wrote:
Tue Apr 10, 2018 10:10 am
imperio wrote:
Tue Apr 10, 2018 9:01 am
viewtopic.php?f=25&p=69296#p69296
Any chance of a proper statement being released on how this patch fixes the vulnerability? Were any specific (confirmed) details collected on the attack vector?

All I really saw was a lot of speculation on what the problem COULD be, and a security patch released for those concerns, but I never saw any solid evidence on exactly how the hacks were performed and how the security release remedies that.
+1, the complete way the exploit happened should be made public so that there is a chance to verify that the actions taken are sufficient, and also to enable more auditing to see if there are similar things which could become a problem in the future.

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 11:05 am
by vesta_mtl
kobo1d wrote:
Mon Apr 09, 2018 3:55 pm
vishne0 wrote:
Mon Apr 09, 2018 3:51 pm
There are a few things I want to know, if someone can please reply:
1) Were the hacked servers running ssh on port 22?
2) Was "allow root to login" on?

The above two questions will sort out a few things. I will post my report once I have answers. Also, if anyone needs any help to clean the server or migrate, ping me. Cleaning will be free :)
Regards
1) yes
2) no - no password login and no root user - no pam
I am using pubkeys
My servers weren’t affected. But my answers are:
1) No
2) Yes

I used a different SSH port (not the default 22). But the Vesta webGUI was on the default port 8083.

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 11:25 am
by deanhills
Harambe wrote:
Tue Apr 10, 2018 10:10 am
imperio wrote:
Tue Apr 10, 2018 9:01 am
viewtopic.php?f=25&p=69296#p69296
Any chance of a proper statement being released on how this patch fixes the vulnerability? Were any specific (confirmed) details collected on the attack vector?

All I really saw was a lot of speculation on what the problem COULD be, and a security patch released for those concerns, but I never saw any solid evidence on exactly how the hacks were performed and how the security release remedies that.
I'd like to see a proper statement too. What was the outcome of the investigation by the Admin. @skurudo? This doesn't tell me much - on the one hand it says there wasn't a problem, but we know there is/was a problem. What was the problem and is the installation script 100% secure now?

Re: Got 10 VestaCP servers exploited

Posted: Tue Apr 10, 2018 12:06 pm
by kobo1d
imperio wrote:
Tue Apr 10, 2018 9:01 am
viewtopic.php?f=25&p=69296#p69296
+1, I would love to have a full and clear overview of what happened.
I want to understand and learn from it. Everybody can fail sometimes; it doesn't matter whose fault it was.
But please give us more info!

Also, when I updated my Debian 9 yesterday while you were fixing the deb repo -> is there any difference to how it looks today?
I mean, if the update succeeded yesterday, do I have all recent files now? Or are there again changes in the deb repo from yesterday to today?

And is Vesta now 100% secure, or should we better leave webmail disabled for now (since you asked about it in the poll)?
And is it better to leave the vesta service stopped for now?