Two servers are hacked today via Vestacp
Re: Two servers are hacked today via Vestacp
baoang wrote: ↑Mon Apr 09, 2018 4:46 am
See the top alert? The team has released a security fix, build 20.
really wrote: ↑Mon Apr 09, 2018 4:39 am
This happened on Debian 8.1 as well, so I doubt it's OS dependent.
I had to put iptables in DROP mode and only allow traffic to my specific IP. I also dropped conntrack's max connections to avoid getting suspended and backed up my shit.
In the meantime I was trying to reinstall the server so I can get on with my life but it seems vesta's developer removed vesta packages from repo because the installer doesn't work anymore. Probably a smart move, since all Vesta servers are vulnerable right now.
That top alert is about as useful as soggy bread :) it doesn't link to anything, and the repos are still not populated.
Re: Two servers are hacked today via Vestacp
I stopped it on my other VPSes but they were not part of the IP blocks that were targeted. Got lucky there.
sandy wrote: ↑Mon Apr 09, 2018 4:55 am
after installation stop vesta service or change the port to else
really wrote: ↑Mon Apr 09, 2018 4:39 am
This happened on Debian 8.1 as well, so I doubt it's OS dependent.
I had to put iptables in DROP mode and only allow traffic to my specific IP. I also dropped conntrack's max connections to avoid getting suspended and backed up my shit.
In the meantime I was trying to reinstall the server so I can get on with my life but it seems vesta's developer removed vesta packages from repo because the installer doesn't work anymore. Probably a smart move, since all Vesta servers are vulnerable right now.
Re: Two servers are hacked today via Vestacp
I thought it, the alert at the top bar is just a reminder that VPSers can update to the latest build. I just logged in onto the panel and did an update, but after the update was complete in a blink, I suspended my domain and well, just wait, and see if this exploit issue will have some other consequences. Guess this attack could last for a while.
really wrote: ↑Mon Apr 09, 2018 5:48 am
baoang wrote: ↑Mon Apr 09, 2018 4:46 am
See the top alert? The team has released a security fix, build 20.
really wrote: ↑Mon Apr 09, 2018 4:39 am
This happened on Debian 8.1 as well, so I doubt it's OS dependent.
I had to put iptables in DROP mode and only allow traffic to my specific IP. I also dropped conntrack's max connections to avoid getting suspended and backed up my shit.
In the meantime I was trying to reinstall the server so I can get on with my life but it seems vesta's developer removed vesta packages from repo because the installer doesn't work anymore. Probably a smart move, since all Vesta servers are vulnerable right now.
That top alert is about as useful as soggy bread :) it doesn't link to anything, and the repos are still not populated.
The fortunate, I'd say, is that I have another backup VPS and when I found my machine not working properly, I don't know if it is related, I set up that backup and have my job not fully interrupted.
And how about you? Is that severe?
Re: Two servers are hacked today via Vestacp
The topic is a duplicate of
viewtopic.php?f=10&t=16556
Please update or at least restrict access to VestaCP panel using vesta nginx config file. Changing default port is not a good solution.
Re: Two servers are hacked today via Vestacp
i got hacked on debian 9 with blocked port 8083 -> only available to my ip via iptables (tested and working)
only fix until u can use the vestacp updater again is to stop the vesta service!
Re: Two servers are hacked today via Vestacp
The VPS that got hacked was not running anything critical so I just let it be. What I did do however is limit # of connections, and all traffic via iptables and it was fine. I backed up my stuff, and wiped my VPS.
baoang wrote: ↑Mon Apr 09, 2018 6:36 am
I thought it, the alert at the top bar is just a reminder that VPSers can update to the latest build. I just logged in onto the panel and did an update, but after the update was complete in a blink, I suspended my domain and well, just wait, and see if this exploit issue will have some other consequences. Guess this attack could last for a while.
The fortunate, I'd say, is that I have another backup VPS and when I found my machine not working properly, I don't know if it is related, I set up that backup and have my job not fully interrupted.
And how about you? Is that severe?
The main issue however is that the vesta-* packages are not available in the repo anymore, that's why I'm saying that I cannot reinstall at all.
But you have the right idea for sure, multiple instances serving the same thing, maybe even a haproxy setup if you wanted to get fancy ;)
Re: Two servers are hacked today via Vestacp
Would you be so kind to explain how to do this under Ubuntu please?
Messiah wrote: ↑Mon Apr 09, 2018 8:25 am
The topic is a duplicate of
viewtopic.php?f=10&t=16556
Please update or at least restrict access to VestaCP panel using vesta nginx config file. Changing default port is not a good solution.
Re: Two servers are hacked today via Vestacp
The fastest way to protect yourself is to stop the VestaCP service:
Code:
service vesta stop
or
Code:
systemctl stop vesta && systemctl disable vesta
Restrict access:
edit
Code:
/usr/local/vesta/nginx/conf/nginx.conf
Find
Code:
listen 8083;
You may try to change it to a different port; do not forget to add it to the firewall exceptions before doing it.
Also you may put
Code:
allow 1.2.3.4;
deny all;
in your server { } block.
Also you may put die(); to the top of
Code:
/usr/local/vesta/web/api/index.php
since I believe it's vulnerable for old versions. I won't copy instructions how to update your panel from the nearby located topic since I did not try it personally and I won't update until it is proved to be stable.
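One way to verify the "Restrict access" edit described above, as an added example that is not part of the post or of the Vesta project. The function name and status words are made up here; it assumes one directive per line and only looks at allow/deny lines placed directly in the server { } block.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes one directive per line.
# panel_acl_status FILE [PORT] prints one word for each server { } block
# that listens on PORT (default 8083):
#   restricted  an "allow" line comes before "deny all;"
#   locked      "deny all;" comes first, so nginx refuses every client
#               (access rules are checked in order, first match wins)
#   open        no "deny all;" at server level
# and "no-listener" when no server block listens on PORT.
panel_acl_status() {
    awk -v port="${2:-8083}" '
    function report() {
        if (!deny)         print "open"
        else if (allow_ok) print "restricted"
        else               print "locked"
        seen = 1
    }
    {
        sub(/#.*/, "")                              # strip comments
        if (!in_srv && $0 ~ /(^|[ \t])server[ \t]*[{]/) {
            in_srv = 1; srv_depth = depth; hit = deny = allow_ok = 0
        }
        if (in_srv && depth == srv_depth + 1) {     # server-level directives only
            if ($1 == "listen") {
                p = $2; sub(/;.*$/, "", p); sub(/^.*:/, "", p)
                if (p == port) hit = 1
            }
            if ($1 == "allow" && !deny) allow_ok = 1
            if ($1 == "deny" && $2 ~ /^all;?$/) deny = 1
        }
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
        if (in_srv && depth <= srv_depth) { if (hit) report(); in_srv = 0 }
    }
    END { if (!seen) print "no-listener" }' "$1"
}
```

Run it as `panel_acl_status /usr/local/vesta/nginx/conf/nginx.conf` after editing the file; anything other than `restricted` means the allow/deny pair is missing or in the wrong order.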
Re: Two servers are hacked today via Vestacp
https://www.lowendtalk.com/discussion/1 ... h-released
really wrote: ↑Mon Apr 09, 2018 12:48 pm
The VPS that got hacked was not running anything critical so I just let it be. What I did do however is limit # of connections, and all traffic via iptables and it was fine. I backed up my stuff, and wiped my VPS.
baoang wrote: ↑Mon Apr 09, 2018 6:36 am
I thought it, the alert at the top bar is just a reminder that VPSers can update to the latest build. I just logged in onto the panel and did an update, but after the update was complete in a blink, I suspended my domain and well, just wait, and see if this exploit issue will have some other consequences. Guess this attack could last for a while.
The fortunate, I'd say, is that I have another backup VPS and when I found my machine not working properly, I don't know if it is related, I set up that backup and have my job not fully interrupted.
And how about you? Is that severe?
The main issue however is that the vesta-* packages are not available in the repo anymore, that's why I'm saying that I cannot reinstall at all.
But you have the right idea for sure, multiple instances serving the same thing, maybe even a haproxy setup if you wanted to get fancy ;)
This post, and someone said
I was happy, because I updated mine to build 20, and I didn't find that libudev under /usr/lib dir. When I read the above lines, I tried again to locate the dir at /lib/libudev.so, and this time, you guess!
if you see the gcc.sh note the timestamp and check for files with the same timestamp or changed from then.
the binary also might be found in /lib/libudev.so instead of /usr/lib/libudev.so
Now I see why I encountered weird problems a couple of days ago. It's not the phpBB3 problem, and it's not my SSL certificate. My box has been hacked. And that's why I turned to another panel and everything goes ok.
Now I'll have to change my CloudFlare API info, because I use the API key to renew my SSL... and my phpBB database and my Gmail account password for smtp sending-out emails!
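The check quoted in the post above (find gcc.sh, note its timestamp, look for files changed from then, and look for the binary at /lib/libudev.so or /usr/lib/libudev.so), written out as shell functions. This is an added example, not part of any post in the thread: the function names are made up here, gcc.sh is searched for by name because the thread gives no directory for it, and GNU find, stat, date and touch are assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU find, stat, date and touch.

# list_iocs ROOT: print one line per indicator found under ROOT (default /).
list_iocs() {
    base=${1:-/}
    base=${base%/}          # "/" becomes "" so the paths below join cleanly
    root=${base:-/}

    # Binary locations quoted in the thread.
    for f in /lib/libudev.so /usr/lib/libudev.so; do
        [ -e "$base$f" ] && echo "BINARY $base$f"
    done

    # The thread names gcc.sh but not its directory, so search by name.
    find "$root" -xdev -type f -name gcc.sh 2>/dev/null |
    while IFS= read -r script; do
        ts=$(stat -c %Y "$script") || continue
        echo "SCRIPT $script mtime=$(date -d "@$ts" '+%Y-%m-%d %H:%M:%S')"
        # Reference file one second older than gcc.sh, so that files sharing
        # its timestamp are listed along with files changed after it.
        ref=$(mktemp) || continue
        touch -d "@$((ts - 1))" "$ref"
        find "$root" -xdev -type f -newer "$ref" ! -path "$script" 2>/dev/null |
            sed 's/^/CHANGED /'
        rm -f "$ref"
    done
}

# check_iocs ROOT: exit status 0 when nothing was found, 1 otherwise.
check_iocs() {
    out=$(list_iocs "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Run `check_iocs /` as root on the server, or point it at a mounted disk image such as `check_iocs /mnt/image`; the CHANGED list can be long on a busy system and is a starting point for review, not a verdict.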
Re: Two servers are hacked today via Vestacp
How can I check if my server is hacked?