We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Got 10 VestaCP servers exploited
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
whitewind2 wrote: ↑Wed Apr 11, 2018 1:47 pm
> I reinstalled on Sunday. New OS Installed Patch.
> Was Hacked last night.
> Going to rebuild server again, is there anything you need before I delete it?
> Is it not fixed or did I miss something?
Before you rebuild the server, check which version of VestaCP you are using.
As I see, you are probably on Ubuntu?
- Posts: 3
- Joined: Wed Apr 11, 2018 1:44 pm
- Os: Ubuntu 15x
- Web: apache + nginx
Re: Got 10 VestaCP servers exploited
lukapaunovic wrote: ↑Wed Apr 11, 2018 1:48 pm
> whitewind2 wrote: ↑Wed Apr 11, 2018 1:47 pm
> > I reinstalled on Sunday. New OS Installed Patch.
> > Was Hacked last night.
> > Going to rebuild server again, is there anything you need before I delete it?
> > Is it not fixed or did I miss something?
> Before you rebuild the server, check which version of VestaCP you are using.
> As I see, you are probably on Ubuntu?
It's on Digital Ocean, and I only have limited console access to it. Is there a command line way to check, or a file? Yes, it's on a newly installed Ubuntu 16.04.4 OS.
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
whitewind2 wrote: ↑Wed Apr 11, 2018 2:06 pm
> lukapaunovic wrote: ↑Wed Apr 11, 2018 1:48 pm
> > whitewind2 wrote: ↑Wed Apr 11, 2018 1:47 pm
> > > I reinstalled on Sunday. New OS Installed Patch.
> > > Was Hacked last night.
> > > Going to rebuild server again, is there anything you need before I delete it?
> > > Is it not fixed or did I miss something?
> > Before you rebuild the server, check which version of VestaCP you are using.
> > As I see, you are probably on Ubuntu?
> It's on Digital Ocean, and I only have limited console access to it. Is there a command line way to check, or a file? Yes, it's on a newly installed Ubuntu 16.04.4 OS.
Yes, try this:
Code:
cat /usr/local/vesta/src/deb/vesta/control | grep Version
- Posts: 3
- Joined: Wed Apr 11, 2018 1:44 pm
- Os: Ubuntu 15x
- Web: apache + nginx
Re: Got 10 VestaCP servers exploited
lukapaunovic wrote: ↑Wed Apr 11, 2018 2:13 pm
> whitewind2 wrote: ↑Wed Apr 11, 2018 2:06 pm
> > lukapaunovic wrote: ↑Wed Apr 11, 2018 1:48 pm
> > > Before you rebuild the server, check which version of VestaCP you are using.
> > > As I see, you are probably on Ubuntu?
> > It's on Digital Ocean, and I only have limited console access to it. Is there a command line way to check, or a file? Yes, it's on a newly installed Ubuntu 16.04.4 OS.
> Yes, try this:
> Code:
> cat /usr/local/vesta/src/deb/vesta/control | grep Version
Release 19 Version 0.9.8, but I did do the update after the install and I thought the console, when I had it, showed release 20...
Not sure if it helps, but update in /tmp is Apr 5 13:05, which is before the server build.
Also a file called e.mysql in /tmp, 0 bytes, is time-stamped around the time of the network traffic.
- Posts: 73
- Joined: Sun Dec 03, 2017 6:30 pm
Re: Got 10 VestaCP servers exploited
whitewind2 wrote: ↑Wed Apr 11, 2018 2:26 pm
> lukapaunovic wrote: ↑Wed Apr 11, 2018 2:13 pm
> > whitewind2 wrote: ↑Wed Apr 11, 2018 2:06 pm
> > > It's on Digital Ocean, and I only have limited console access to it. Is there a command line way to check, or a file? Yes, it's on a newly installed Ubuntu 16.04.4 OS.
> > Yes, try this:
> > Code:
> > cat /usr/local/vesta/src/deb/vesta/control | grep Version
> Release 19 Version 0.9.8, but I did do the update after the install and I thought the console, when I had it, showed release 20...
> Not sure if it helps, but update in /tmp is Apr 5 13:05, which is before the server build.
> Also a file called e.mysql in /tmp, 0 bytes, is time-stamped around the time of the network traffic.
So when you ran
Code:
cat /usr/local/vesta/src/deb/vesta/control | grep Version
Code:
Version: 0.9.8-19
that means you were running the vulnerable version.
You can update from GitHub after you install again.
For Ubuntu: apt install git -y
For CentOS: yum install git -y
I would recommend you to use CentOS instead of Ubuntu because it's much more stable and better with VestaCP.
Code:
cd $(mktemp -d)
git clone git://github.com/serghey-rodin/vesta.git
yes | /usr/bin/cp -rf vesta/* /usr/local/vesta
- Posts: 33
- Joined: Sat Jan 20, 2018 3:45 am
- Os: Debian 8x
- Web: apache + nginx
Re: Got 10 VestaCP servers exploited
whitewind2 wrote: ↑Wed Apr 11, 2018 1:47 pm
> I reinstalled on Sunday. New OS Installed Patch.
> Was Hacked last night.
> Going to rebuild server again, is there anything you need before I delete it?
> Is it not fixed or did I miss something?
If you are on DigitalOcean, follow the steps in this post; Ubuntu has a similar command line to Debian.
viewtopic.php?f=10&t=16556&start=460#p69440
Re: Got 10 VestaCP servers exploited
So far, here is what I found as "strange" queries on port 8083:
Code:
46.161.55.106 - - [09/Apr/2018:10:03:33 +0200] "GET /_asterisk/ HTTP/1.1" 404 658 "-" "python-requests/2.18.4"
118.139.177.119 - - [10/Apr/2018:09:54:58 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
193.70.85.110 - - [10/Apr/2018:18:53:03 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
192.169.226.71 - - [10/Apr/2018:22:03:17 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
5.39.223.84 - - [11/Apr/2018:08:11:45 +0000] "\x03\x00\x00*%\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Test" 400 166 "-" "-"
5.39.223.84 - - [11/Apr/2018:08:11:45 +0000] "\x03\x00\x00*%\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Test" 400 166 "-" "-"
198.27.126.93 - - [10/Apr/2018:16:02:55 +0200] HEAD /manager/html HTTP/1.0 "302" 0 "-" "-" "-"
62.212.73.238 - - [11/Apr/2018:11:19:54 +0200] GET /recordings//theme/main.css HTTP/1.1 "302" 154 "-" "curl/7.29.0" "-"
62.212.73.238 - - [11/Apr/2018:11:19:56 +0200] GET /recordings//theme/main.css HTTP/1.1 "404" 1254 "-" "curl/7.29.0" "-"
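An added illustration (not code from the thread) of how a defender could triage lines like the ones above: it parses both log shapes that appear in the post (quoted request with a bare status, and unquoted request with a quoted status) and tags each line by the request patterns quoted there. The sample lines are constructed with RFC 5737 addresses, and the probe labels are my own wording.

```python
import re
# The thread's port-8083 logs come in two shapes: the usual combined format (quoted request,
# bare status) and a variant with an unquoted request and a quoted status; try quoted first.
_PREFIX = r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
_TAIL = r' (?P<size>\d+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
_SHAPES = (
    re.compile(_PREFIX + r'"(?P<req>[^"]*)" (?P<status>\d{3})' + _TAIL),
    re.compile(_PREFIX + r'(?P<req>.*?) "(?P<status>\d{3})"' + _TAIL),
)
# Request substrings seen in the thread, each with the reason a defender would record.
_PROBES = (
    ("w00tw00t.at.ISC.SANS.DFind", "DFind scanner banner"),
    ("/manager/html", "Tomcat manager probe"),
    ("/_asterisk/", "Asterisk/PBX path probe"),
)

def parse(line):
    """Fields of one access-log line as a dict, or None if it matches neither shape."""
    for shape in _SHAPES:
        m = shape.match(line)
        if m:
            fields = m.groupdict()
            fields["status"] = int(fields["status"])
            return fields
    return None

def classify(line):
    """Return (ip, status, reason) for a probe or non-HTTP request, else None."""
    f = parse(line)
    if f is None:
        return None
    # nginx writes non-printable bytes as \xNN; a request opening \x03\x00 is TPKT/RDP framing, not HTTP.
    if f["req"].startswith(r"\x03\x00"):
        return (f["ip"], f["status"], "non-HTTP binary payload (RDP-style)")
    for needle, reason in _PROBES:
        if needle in f["req"]:
            return (f["ip"], f["status"], reason)
    return None

def scan(lines):
    """Classify every line and keep only the suspicious ones."""
    return [hit for hit in map(classify, lines) if hit is not None]

# Constructed sample lines (RFC 5737 addresses) reproducing the request shapes in the thread.
SAMPLE = [
    r'192.0.2.10 - - [09/Apr/2018:10:03:33 +0200] "GET /_asterisk/ HTTP/1.1" 404 658 "-" "python-requests/2.18.4"',
    r'192.0.2.11 - - [10/Apr/2018:18:53:03 +0200] GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"',
    r'192.0.2.12 - - [11/Apr/2018:08:11:45 +0000] "\x03\x00\x00*%\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Test" 400 166 "-" "-"',
    r'192.0.2.13 - - [10/Apr/2018:16:02:55 +0200] HEAD /manager/html HTTP/1.0 "302" 0 "-" "-" "-"',
    r'192.0.2.20 - - [11/Apr/2018:12:00:00 +0200] "GET /login/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]
```

Run `scan(SAMPLE)` to get the four flagged tuples; the benign login line is dropped.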
Re: Got 10 VestaCP servers exploited
Code:
"GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 166 "-" "-"
GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1 "400" 166 "-" "-" "-"
GET /w00tw00t.at.ISC.SANS.DFind:)
Re: Got 10 VestaCP servers exploited
vishne0 wrote: ↑Wed Apr 11, 2018 8:36 am
> Hello All,
> Watching the thread since Saturday, and also had 1 server infected out of 15. After working hard since Sunday I am now ready to explain a few things to everyone here and share my experience, which might help people facing issues. Just for the people who are not technical enough and running the server which is infected and need someone to help: please let me know and I will help. There will be no charges for fixing the server.
> Every piece of software out there has some vulnerabilities, like Microsoft, Facebook, cPanel, Plesk, all, so no need to blame VestaCP.
> I am now running a new server with the latest VestaCP since the last 24 hours and no infection yet, nor any alarm for the same.
> Here are the steps to make sure you are secure:
> 1) If the server is infected, move to a new server; you just can't trust the old one.
> 2) Once the new server is installed and up and running, change the VestaCP port to anything you want in the file /usr/local/vesta/nginx/conf/nginx.conf: search for 8083 and change it. Make sure you open the new port in your firewall.
> 3) Run SSH on a different port and if possible use keys. Disable root logins as well.
> 5) Download Linux Environment Security https://www.rfxn.com/projects/linux-env ... -security/ and run it.
> 6) Download Linux Malware Detect http://www.rfxn.com/downloads/maldetect-current.tar.gz and once installed run maldet -a / and see the report; after that run it in monitor mode, maldet --monitor / (make sure you make changes in /usr/local/maldet.conf and enter your email id to see the reports in your email).
> 7) This is the most important thing - install ConfigServer Firewall from https://configserver.com/cp/csf.html. This is the most important script for securing the server. On one of my servers csf was installed and it didn't get infected because csf marked it as a suspicious file, disabled all the binaries and sent an alert to me. Read the conf file carefully and enable the rules as needed; most importantly enable DIR watch and FILE watch. If you need help please do let me know; I will provide my csf conf file.
> 8) Block CN (China) in the firewall if you do not have customers from that country.
> 9) To track outgoing traffic install ntopng, the best traffic monitoring app.
> Because of the above I didn't see any infection; however, I am seeing lots of blocked IPs :)
> Hope this will help you all!!
Thank you for thinking of those who aren't experienced systems admins. I'm particularly grateful for your tips about CSF. We've got this installed on WHM and it is definitely worth installing.
This thread is worth its weight in gold in all of the security recommendations - one can write a huge tutorial with it. I'm still worried though, as I'm not confident that the source of the security breach has been clearly identified yet. So I'm going to wait a while before I install anything. Then refer back to this thread.
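An added check, not from the thread or the Vesta project, that audits a server against steps 2 and 3 of the list quoted above: it reads the listen directives from the Vesta nginx.conf and the top-level keys from sshd_config and reports whatever still matches the defaults. The config fragments are constructed; ports 44319 and 2222 are arbitrary example values, and the sshd parser assumes no Match blocks.

```python
import re

def nginx_listen_ports(conf):
    """Ports bound by every 'listen' directive (handles '8083', '0.0.0.0:8083 ssl', '[::]:8083')."""
    ports = set()
    for m in re.finditer(r'^\s*listen\s+([^;]+);', conf, re.M):
        endpoint = m.group(1).split()[0]          # first token: port or address:port
        port = endpoint.rsplit(":", 1)[-1]
        if port.isdigit():
            ports.add(int(port))
    return ports

def sshd_settings(conf):
    """Effective top-level sshd_config values: first occurrence wins, '#' comments ignored.
    Assumption: no Match blocks (they could override these values for some users)."""
    settings = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings.setdefault(key.lower(), value.strip())
    return settings

def audit(nginx_conf, sshd_conf):
    """Findings against the thread's checklist: panel off 8083, SSH off 22, keys only, no root."""
    findings = []
    if 8083 in nginx_listen_ports(nginx_conf):
        findings.append("vesta panel still listening on default port 8083")
    s = sshd_settings(sshd_conf)
    if s.get("port", "22") == "22":
        findings.append("sshd on default port 22")
    if s.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not explicitly 'no'")
    if s.get("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is not explicitly 'no' (use keys)")
    return findings

# Constructed config fragments: the stock layout first, then one hardened as the thread advises.
WEAK_NGINX = "server {\n    listen 8083;\n    server_name _;\n}\n"
WEAK_SSHD = "#Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARD_NGINX = "server {\n    listen 0.0.0.0:44319 ssl;\n    server_name _;\n}\n"
HARD_SSHD = "Port 2222\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
```

`audit(WEAK_NGINX, WEAK_SSHD)` returns all four findings; `audit(HARD_NGINX, HARD_SSHD)` returns an empty list.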
Re: Got 10 VestaCP servers exploited
> Thank you for thinking of those who aren't experienced systems admins. I'm particularly grateful for your tips about CSF. We've got this installed on WHM and it is definitely worth installing.
> This thread is worth its weight in gold in all of the security recommendations - one can write a huge tutorial with it. I'm still worried though, as I'm not confident that the source of the security breach has been clearly identified yet. So I'm going to wait a while before I install anything. Then refer back to this thread.
I wrote down the most important things from this thread about all the different security topics, including stuff I had installed and configured which was not mentioned here yet.
I can try to make it an easy-to-read compilation if anyone's interested.
Right now it's only some words and links :)