Re: Got 10 VestaCP servers exploited
Posted: Tue Apr 10, 2018 7:52 am
Thanks @wildwolf
How to chmod /var/log/httpd
drwx------ 2
Best Regards
Community Forum
https://forum.vestacp.com/
MiguelVESTACP wrote: ↑Tue Apr 10, 2018 7:52 am
Thanks @wildwolf
How to chmod /var/log/httpd
drwx------ 2
Best Regards

Code:
chmod 0700 /var/log/httpd
It was many little files with strange content, inside folders starting with "systemd", but it was not coming from the virus.
Any chance of a proper statement being released on how this patch fixes the vulnerability? Were any specific (confirmed) details collected on the attack vector?
+1, the complete way the exploit happened should be made public so that there is a chance to verify that the actions taken are sufficient and also enable to do more auditing to see if there are similar things which could become a problem in the future.

Harambe wrote: ↑Tue Apr 10, 2018 10:10 am
Any chance of a proper statement being released on how this patch fixes the vulnerability? Were any specific (confirmed) details collected on the attack vector?
All I really saw was a lot of speculation on what the problem COULD be, and a security patch released for those concerns, but I never saw any solid evidence on exactly how the hacks were performed and how the security release remedies that.
My servers weren’t affected. But my answers are:

kobo1d wrote: ↑Mon Apr 09, 2018 3:55 pm
1) yes

vishne0 wrote: ↑Mon Apr 09, 2018 3:51 pm
There are a few things I want to know if someone can please reply
1) The hacked server were running ssh on port 22?
2) Allow root to login were on?
The above two questions will sort a few things. I will post my report once I have answers. Also if anyone needs any help to clean the server or migration ping me. Cleaning will be free :)
Regards

2) no - no password login and no root user - no pam
I am using pubkeys
I'd like to see a proper statement too. What was the outcome of the investigation by the Admin. @skurudo? This doesn't tell me much - on the one hand it says there wasn't a problem, but we know there is/was a problem. What was the problem and is the installation script 100% secure now?

Harambe wrote: ↑Tue Apr 10, 2018 10:10 am
Any chance of a proper statement being released on how this patch fixes the vulnerability? Were any specific (confirmed) details collected on the attack vector?
All I really saw was a lot of speculation on what the problem COULD be, and a security patch released for those concerns, but I never saw any solid evidence on exactly how the hacks were performed and how the security release remedies that.
+1 I would love to have a full and clear overview of what happened.