All VestaCP installations being attacked (Topic is solved)
Re: All VestaCP installations being attacked
Maybe if I'm the attacker I will not do it like that.
Here's what I will do instead:
From those millions of IPs I need to filter which are using VESTACP (maybe by fetching each http://[IP-ADDRESS] and seeing which has 'Powered by VESTA' in it).
So from those millions of IPs maybe I get 5000 IPs that use VESTA using that 1 fingerprint. Now the target is way way way smaller to do the port scanning.
Re: All VestaCP installations being attacked
Maybe that can explain how servers with changed port get hacked...
maman wrote: ↑Mon Oct 01, 2018 11:54 am
> Maybe if I'm the attacker I will not do it like that.
> Here's what I will do instead:
> From those millions of IPs I need to filter which are using VESTACP (maybe by fetching each http://[IP-ADDRESS] and seeing which has 'Powered by VESTA' in it).
> So from those millions of IPs maybe I get 5000 IPs that use VESTA using that 1 fingerprint. Now the target is way way way smaller to do the port scanning.
Re: All VestaCP installations being attacked
Admin account default password change?
flanders wrote: ↑Mon Oct 01, 2018 11:08 am
> I have 3 servers with vesta. Only 1 is attacked. Always the same server. 2 servers are working well (they are in the same host), the attacked one is in another host. I rebuilt it many times, changed ip server, hostname, password, ssh port, permit root login without-password but each day it is attacked... I don't know how to solve this situation....
If there is no modification, the password generation algorithm is cracked.
Re: All VestaCP installations being attacked
How can I check if my server is compromised?
Re: All VestaCP installations being attacked
Will official comments from the Vesta developers be written?
Re: All VestaCP installations being attacked
I rebuilt my server. Now I changed the vestacp port too (only access with key, custom ssh port, protocol 2); it has been working for 2 days for me. The only difference from the last attack is the vestacp port.
Re: All VestaCP installations being attacked
How can we know if our server is compromised?
Re: All VestaCP installations being attacked
None of the panels uses Nginx as reverse proxy to Apache... that's a big plus for Vesta hands down. The biggest reason for performance on a default config. At least that was the most attractive point for me 5 years back when I started using it.
Re: All VestaCP installations being attacked
Thanks for the link.
Razza wrote: ↑Tue Sep 25, 2018 4:55 pm
> My dev server got compromised as the password for admin user got changed; luckily I had the shell for admin user set to rssh so that attempt to run the payload in /var/tmp got blocked.
> Here's the attempted command run via ssh from ip:45.76.146.8 command: echo "9WlgVjGkot" | sudo -S -p "" chmod 0777 /var/tmp/creator-x86_64-1 && echo "9WlgVjGkot" | sudo -S -p "" /var/tmp/creator-x86_64-1 &>/dev/null && echo "9WlgVjGkot" | sudo -S -p "" rm -f /var/log/auth.log /var/log/secure
> Here's the virustotal of the payload https://www.virustotal.com/#/file/b2c55 ... /detection will provide creator-x86_64-1 file to the admin on request.
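A check for the traces named in the post quoted above, as an added example that is not code from the thread or from the Vesta project: it looks for the dropped file in /var/tmp, for both auth logs being gone, and for sudo log entries that reference /var/tmp. The function names, the `creator-*` wildcard and the sample tree are assumptions; only the file name and log paths come from the post.

```sh
# Added example (not from the thread). Checks ROOT (default /, or a mounted
# disk image) for the traces named in the quoted post.
# Usage: check_vesta_iocs /      exit status 0 means nothing was found
check_vesta_iocs() {
    local root findings f
    root="${1:-/}"; root="${root%/}"
    findings=0

    # 1. Dropped payload. The post names /var/tmp/creator-x86_64-1; matching
    #    other creator-* suffixes is an assumption made here.
    for f in "$root"/var/tmp/creator-*; do
        [ -e "$f" ] || continue
        echo "FOUND payload-like file: ${f#"$root"}"
        findings=$((findings + 1))
    done

    # 2. Log wiping. The command removed auth.log (Debian/Ubuntu) and secure
    #    (RHEL/CentOS); a syslog-based host normally has one of them.
    if [ ! -e "$root/var/log/auth.log" ] && [ ! -e "$root/var/log/secure" ]; then
        echo "MISSING: neither /var/log/auth.log nor /var/log/secure exists"
        findings=$((findings + 1))
    fi

    # 3. Surviving or rotated logs: sudo records each command it runs as
    #    COMMAND=...; flag any that reference /var/tmp.
    for f in "$root"/var/log/auth.log* "$root"/var/log/secure*; do
        [ -f "$f" ] || continue
        case "$f" in *.gz) continue ;; esac   # compressed rotations are skipped
        if grep -Eq 'sudo.*COMMAND=.*/var/tmp/' "$f"; then
            echo "LOG ${f#"$root"}: sudo ran a command referencing /var/tmp"
            findings=$((findings + 1))
        fi
    done

    echo "findings=$findings"
    [ "$findings" -eq 0 ]
}

# Constructed sample: a throwaway root holding only the payload filename from
# the post and no auth logs, for trying the function without touching /.
make_sample_root() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/var/tmp" "$d/var/log"
    : > "$d/var/tmp/creator-x86_64-1"
    echo "$d"
}
```

A result of `findings=0` only means these three traces are absent; it says nothing about other changes made to the host.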