All VestaCP installations being attacked Topic is solved

[realjumy]

Hello everyone.

Since this morning I have noticed that all the VestaCP installations I have, and all the VestaCP installations of my friends, are being attacked. All of them had extra features such as Fail2Ban and the VestaCP panel port changed to a non-standard one.

In one case at least, the attack have been stopped by my hosting company. All the other installations simply stopped working.

I know that they have access to my ssh and that they added functions to clean the history of the ssh on log out, so I don't think this is easy to check, but please, check all of your logs, and check for hidden, strange files/folders.

[k26]

hello, some of my sites are down as well today, I'm not an expert yet of centos/vestacp
what can I do to stop the attack, to correct and make my site up again ?
also, how can that happen ? Is VestaCP secure enough ?

[realjumy]

hello, some of my sites are down as well today, I'm not an expert yet of centos/vestacp
what can I do to stop the attack, to correct and make my site up again ?
also, how can that happen ? Is VestaCP secure enough ?

Usually VestaCP is fairly secure, but sometimes some vulnerabilities are exploited by undesirable people. Check all your logs constantly to be sure that all your servers are safe.

[bggg]

Thanks for this. I usually ignore system update etc.

Just to make sure the checklist for hardening the system:
viewtopic.php?t=14346

[realjumy]

Thanks for the link.

Today I woke up with the same problem. My servers and my friend's servers have been compromised.

Our servers were following all those recommendations, and even so they have fallen. The only thing they had in common is having VestaCP installed. I wiped my servers the other day, and the security was strengthen.

[realjumy]

Actually, I just checked and a famous website where they compare different panels and servers configurations, and that I know it was using VestaCP, is also down. There might be some vulnerability somewhere in VestaCP.

If a developer wants to know more, I still have access to two of the infected servers.

[trom]

now problem is solved?
If I install new vesta on new server?

[realjumy]

The problem is still the same. I will not install any instance of VestaCP until I'm 100% sure they sorted this problem. I have 4 servers myself with important data, and I'm not taking any risk.

[skurudo]

If a developer wants to know more, I still have access to two of the infected servers.

Hello,
if you can provide access to those servers, please do it via [email protected]

[ctrlpac]

The problem is still the same. I will not install any instance of VestaCP until I'm 100% sure they sorted this problem. I have 4 servers myself with important data, and I'm not taking any risk.

I've PM'ed you for that. I'm a computer forense analyst. I could help ;)