Re: All VestaCP installations being attacked
Posted: Sun Sep 30, 2018 4:43 pm
by dpeca
There is nothing wrong with that code, it's just a secure way to check the entered password.
But anyway, if I must guess where the hole is, the login code, reset password and api.php are the most suspicious places to me...
Re: All VestaCP installations being attacked
Posted: Sun Sep 30, 2018 5:13 pm
by pqpk2009
dpeca wrote: ↑Sun Sep 30, 2018 4:43 pm
There is nothing wrong with that code, it's just a secure way to check the entered password.
But anyway, if I must guess where the hole is, the login code, reset password and api.php are the most suspicious places to me...
$v_password value is
'; v-add-fs-file ********;
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
It seems that you can join shell.
Re: All VestaCP installations being attacked
Posted: Sun Sep 30, 2018 5:17 pm
by dpeca
I will check now...
Re: All VestaCP installations being attacked
Posted: Sun Sep 30, 2018 6:22 pm
by dpeca
pqpk2009 wrote: ↑Sun Sep 30, 2018 4:29 pm
Is this a loophole? Why not fix it? This is the latest installation package code.
------------------------- 8083/api/index.php
$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
unlink($v_password);
I cannot find the code that you quoted in the current version of that file -
https://github.com/serghey-rodin/vesta/ ... /index.php
Actually, I cannot find it even in other files.
Where did you take it from?
That could be code from old versions of Vesta.
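An added example, not VestaCP source and not any poster's code: the temp-file pattern quoted above, with every argument validated and passed through escapeshellarg() exactly once. `CHECK_CMD`, `write_secret()`, `build_command()`, the user-name rule and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not VestaCP source. CHECK_CMD is a stand-in for the real helper.
const CHECK_CMD = 'echo';

// Store the secret in a private temp file so only the file's path is passed on.
function write_secret(string $password): string
{
    $path = tempnam(sys_get_temp_dir(), 'vst');   // created with mode 0600
    if ($path === false || file_put_contents($path, $password . "\n") === false) {
        throw new RuntimeException('cannot write temporary password file');
    }
    return $path;
}

// Validate, then quote every argument exactly once.
function build_command(string $user, string $pwFile, string $ip): string
{
    // Hypothetical allowlist for user names; adjust to the panel's real rule.
    if (!preg_match('/^[a-zA-Z0-9][a-zA-Z0-9._-]{0,31}$/', $user)) {
        throw new InvalidArgumentException('invalid user name');
    }
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException('invalid client address');
    }
    // escapeshellarg() supplies the quotes itself; wrapping its result in
    // another pair of quotes would close them again and undo the escaping.
    $args = array_map('escapeshellarg', [$user, $pwFile, $ip]);
    return CHECK_CMD . ' ' . implode(' ', $args);
}

// Constructed input: a password full of shell metacharacters.
$password = "'; echo INJECTED; '";
$pwFile = write_secret($password);
try {
    $cmd = build_command('admin', $pwFile, '203.0.113.7');
    exec($cmd, $output, $code);
    // The command line carries the file path, never the password text.
    var_dump(strpos($cmd, 'INJECTED') === false);
    // The file holds the password byte for byte, metacharacters included.
    var_dump(rtrim(file_get_contents($pwFile), "\n") === $password);
    echo $output[0], PHP_EOL;
} finally {
    unlink($pwFile);   // remove the secret even if validation throws
}
```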
Re: All VestaCP installations being attacked
Posted: Sun Sep 30, 2018 6:30 pm
by pqpk2009
dpeca wrote: ↑Sun Sep 30, 2018 6:22 pm
pqpk2009 wrote: ↑Sun Sep 30, 2018 4:29 pm
Is this a loophole? Why not fix it? This is the latest installation package code.
------------------------- 8083/api/index.php
$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
unlink($v_password);
I cannot find the code that you quoted in the current version of that file -
https://github.com/serghey-rodin/vesta/ ... /index.php
Actually, I cannot find it even in other files.
Where did you take it from?
That could be code from old versions of Vesta.
The latest installation package is installed on my server; it was installed on September the 20th.
Re: All VestaCP installations being attacked
Posted: Sun Sep 30, 2018 6:31 pm
by pqpk2009
Installation is based on official website steps.
Re: All VestaCP installations being attacked
Posted: Sun Sep 30, 2018 6:33 pm
by dpeca
I installed Vesta one hour ago, and I cannot find that code at all.
How is it possible that you got code that was fixed 6 months ago?
Re: All VestaCP installations being attacked
Posted: Sun Sep 30, 2018 6:35 pm
by dpeca
Can you install a new server instance and check if you get that code in api.php?
Re: All VestaCP installations being attacked
Posted: Sun Sep 30, 2018 6:36 pm
by pqpk2009
pqpk2009 wrote: ↑Sun Sep 30, 2018 6:30 pm
The latest installation package is installed on my server; it was installed on September the 20th.
hoster: hetzner
This code is installed on my server, and the installation date is about September 20, downloaded from the official website address.
Re: All VestaCP installations being attacked
Posted: Sun Sep 30, 2018 6:39 pm
by pqpk2009
I can confirm that the server was installed in September.
I am in China, it is 2 in the morning, I need to go to the office about 8 hours later to confirm again.