
Re: All VestaCP installations being attacked

Posted: Mon Oct 01, 2018 11:54 am
by maman
dpeca wrote:
Mon Oct 01, 2018 8:56 am
When you are an attacker, and when you scan a million IP addresses, you don't have 15 minutes per IP (to scan all 65535 ports)... you just check 22, 8083, eventually 2022 or 2222, and then you go to the next IP...
Maybe if I'm the attacker I will not do it like that.
Here's what I will do instead:
From those millions of IPs I need to filter which are using VESTACP (maybe by fetching each http://[IP-ADDRESS] and seeing which has 'Powered by VESTA' in it).
So from those millions of IPs maybe I get 5000 IPs that use VESTA, using that one fingerprint. Now the target is way, way, way smaller for port scanning.
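The two-stage approach described in the post above, as an added example (not code from the thread or from the VestaCP project): a scanner fetches the front page of every host once, keeps only the bodies carrying the 'Powered by VESTA' string, and reserves the expensive full port scan for that shortlist. The sample responses and IP addresses are constructed; matching the fingerprint case-insensitively and with flexible whitespace is an assumption added here, not something the thread states.

```python
import re
from typing import Dict, List

# Constructed sample responses (example data, not real hosts): the body a
# scanner gets back from http://<ip>/ for each address on its list.
SAMPLE_RESPONSES: Dict[str, str] = {
    "198.51.100.10": "<html><body><h1>It works!</h1></body></html>",
    "198.51.100.11": "<html><body>Welcome<div class='footer'>Powered by VESTA</div></body></html>",
    "198.51.100.12": "<html><body>Vesta Holdings Ltd. - Corporate site</body></html>",
    "198.51.100.13": "<html><body><footer>powered  by vesta</footer></body></html>",
}

# 'Powered by VESTA' is the fingerprint the thread mentions. Matching it
# case-insensitively and tolerating extra whitespace is an assumption added here.
VESTA_FINGERPRINT = re.compile(r"powered\s+by\s+vesta", re.IGNORECASE)

# Ports the thread says a bulk scanner tries first (22, 8083, 2022, 2222).
QUICK_PORTS: List[int] = [22, 8083, 2022, 2222]
ALL_PORTS = 65535


def is_vesta(body: str) -> bool:
    """True if the HTTP body carries the Vesta fingerprint string."""
    return VESTA_FINGERPRINT.search(body) is not None


def shortlist(responses: Dict[str, str]) -> List[str]:
    """Stage 1: keep only the hosts whose front page matches the fingerprint."""
    return sorted(ip for ip, body in responses.items() if is_vesta(body))


def probes_needed(total_hosts: int, candidates: int) -> Dict[str, int]:
    """Stage 2 budget: port probes for the strategies discussed in the thread.

    quick_ports_everywhere     - a few well-known ports on every host
    full_scan_everywhere       - all 65535 ports on every host
    fingerprint_then_full_scan - one HTTP fetch per host, then all ports on
                                 the shortlisted candidates only
    """
    return {
        "quick_ports_everywhere": total_hosts * len(QUICK_PORTS),
        "full_scan_everywhere": total_hosts * ALL_PORTS,
        "fingerprint_then_full_scan": total_hosts + candidates * ALL_PORTS,
    }


if __name__ == "__main__":
    hits = shortlist(SAMPLE_RESPONSES)
    print("fingerprinted hosts:", hits)
    # The thread's numbers: a million hosts, 5000 of them carrying the fingerprint.
    for strategy, probes in probes_needed(1_000_000, 5_000).items():
        print(f"{strategy:28s} {probes:>15,d} probes")
```

Running `is_vesta` against your own server's front page tells you whether a bulk scanner can shortlist you this way; moving the SSH or panel port does nothing about a fingerprint that sits in the HTML body.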

Re: All VestaCP installations being attacked

Posted: Mon Oct 01, 2018 12:00 pm
by dpeca
maman wrote:
Mon Oct 01, 2018 11:54 am
Maybe if I'm the attacker I will not do it like that.
Here's what I will do instead:
From those millions of IPs I need to filter which are using VESTACP (maybe by fetching each http://[IP-ADDRESS] and seeing which has 'Powered by VESTA' in it).
So from those millions of IPs maybe I get 5000 IPs that use VESTA, using that one fingerprint. Now the target is way, way, way smaller for port scanning.
Maybe that can explain how servers with changed ports get hacked...

Re: All VestaCP installations being attacked

Posted: Tue Oct 02, 2018 12:30 pm
by pqpk2009
flanders wrote:
Mon Oct 01, 2018 11:08 am
I have 3 servers with Vesta. Only 1 is attacked. Always the same server. 2 servers are working well (they are on the same host); the attacked one is on another host. I rebuilt it many times, changed the server IP, hostname, password, SSH port, permit root login without-password, but each day it is attacked... I don't know how to solve this situation....
Admin account default password change?
If there is no modification, the password generation algorithm is cracked.

Re: All VestaCP installations being attacked

Posted: Tue Oct 02, 2018 4:35 pm
by Spheerys
How can I check if my server is compromised ?

Re: All VestaCP installations being attacked

Posted: Tue Oct 02, 2018 6:13 pm
by pqpk2009
Spheerys wrote:
Tue Oct 02, 2018 4:35 pm
How can I check if my server is compromised ?
It seems that there is no way to know DDOS after hijacking attacks China's servers.

Re: All VestaCP installations being attacked

Posted: Thu Oct 04, 2018 12:10 pm
by httpd
Will official comments from the Vesta developers be written?

Re: All VestaCP installations being attacked

Posted: Thu Oct 04, 2018 12:30 pm
by flanders
I rebuilt my server. Now I changed the VestaCP port too (only access with key, custom SSH port, protocol 2); it has been working for 2 days for me. The only difference from the last attack is the VestaCP port.

Re: All VestaCP installations being attacked

Posted: Fri Oct 05, 2018 10:11 am
by kandalf
How can we know if our server is compromised?

Re: All VestaCP installations being attacked

Posted: Mon Oct 08, 2018 12:53 pm
by mehargags
None of the panels uses Nginx as a reverse proxy to Apache... that's a big plus for Vesta, hands down. The biggest reason for performance on a default config. At least that was the most attractive point for me 5 years back when I started using it.

Re: All VestaCP installations being attacked

Posted: Mon Oct 08, 2018 2:20 pm
by Akinola
Razza wrote:
Tue Sep 25, 2018 4:55 pm
My dev server got compromised as the password for the admin user got changed; luckily I had the shell for the admin user set to rssh, so the attempt to run the payload in /var/tmp got blocked.

Here's the attempted command run via SSH from IP 45.76.146.8, command: echo "9WlgVjGkot" | sudo -S -p "" chmod 0777 /var/tmp/creator-x86_64-1 && echo "9WlgVjGkot" | sudo -S -p "" /var/tmp/creator-x86_64-1 &>/dev/null && echo "9WlgVjGkot" | sudo -S -p "" rm -f /var/log/auth.log /var/log/secure

Here's the VirusTotal of the payload https://www.virustotal.com/#/file/b2c55 ... /detection. I will provide the creator-x86_64-1 file to the admin on request.
Thanks for the link.
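Several posts above ask how to check whether a server is compromised. The command quoted in Razza's post has three steps that each leave a trace in sudo's syslog output: a chmod on a binary under /var/tmp, execution of that binary as root, and deletion of /var/log/auth.log and /var/log/secure. The following is an added example (not code from the thread or from VestaCP) that triages sudo log lines for exactly those three indicators. The log lines are constructed to mirror that command in the `user : TTY=... ; PWD=... ; USER=... ; COMMAND=...` layout sudo writes to syslog; the host name, timestamps and the benign apt-get line are made up for the example.

```python
import os
import re
import shlex
from typing import Dict, List, Optional

# Constructed sudo log lines (example data), modelled on the quoted attack:
# chmod in /var/tmp, run the binary as root, then wipe the auth logs.
SAMPLE_LOG = """\
Oct  2 09:00:00 vesta sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt-get update
Oct  2 14:03:11 vesta sudo:    admin : TTY=unknown ; PWD=/home/admin ; USER=root ; COMMAND=/bin/chmod 0777 /var/tmp/creator-x86_64-1
Oct  2 14:03:11 vesta sudo:    admin : TTY=unknown ; PWD=/home/admin ; USER=root ; COMMAND=/var/tmp/creator-x86_64-1
Oct  2 14:03:12 vesta sudo:    admin : TTY=unknown ; PWD=/home/admin ; USER=root ; COMMAND=/bin/rm -f /var/log/auth.log /var/log/secure
"""

SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# World-writable scratch directories the quoted payload was dropped into.
SCRATCH_DIRS = ("/var/tmp/", "/tmp/", "/dev/shm/")
# Log files the quoted command deletes as its last step.
AUTH_LOGS = {"/var/log/auth.log", "/var/log/secure"}


def classify(cmd: str) -> Optional[str]:
    """Map one sudo COMMAND= value to an indicator name, or None if benign."""
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return None  # malformed quoting; nothing to classify
    if not argv:
        return None
    prog = os.path.basename(argv[0])
    if prog == "chmod" and any(a.startswith(SCRATCH_DIRS) for a in argv[1:]):
        return "chmod-in-scratch-dir"
    if argv[0].startswith(SCRATCH_DIRS):
        return "exec-from-scratch-dir"
    if prog == "rm" and any(a in AUTH_LOGS for a in argv[1:]):
        return "auth-log-wipe"
    return None


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per sudo line that matches an indicator."""
    findings = []
    for line in lines:
        m = SUDO_LINE.search(line)
        if not m:
            continue
        indicator = classify(m.group("cmd"))
        if indicator is None:
            continue
        findings.append({
            "indicator": indicator,
            "user": m.group("user"),
            "runas": m.group("runas"),
            # TTY=unknown is what a non-interactive 'ssh host cmd' leaves behind;
            # on its own it is only context, not an alert.
            "tty": m.group("tty"),
            "cmd": m.group("cmd"),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f['indicator']:22s} {f['user']}->{f['runas']} tty={f['tty']}: {f['cmd']}")
```

Run it over /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (CentOS), or better over a copy shipped to a separate log host: the attack's final step is to delete the local files, so an auth log that is missing or starts abruptly after the install date is itself worth treating as an indicator. A found `auth-log-wipe` means the local record is incomplete and anything before it may have been removed.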