
Re: All VestaCP installations being attacked

Posted: Tue Oct 09, 2018 11:15 pm
by kandalf
imperio wrote:
Tue Oct 09, 2018 5:03 pm
kandalf wrote:
Fri Oct 05, 2018 10:11 am
How can we know if our server is compromised?
if this file /usr/bin/dhcprenew exists on your server it means that it is hacked
Thank you very much, this was exactly what I was looking for.

My server are safe.

Re: All VestaCP installations being attacked

Posted: Wed Oct 10, 2018 6:24 am
by pksh71
Hi,

My 3 servers at Hetzner were also hacked yesterday. The hacker used it to DDoS a Chinese IP.
Its vesta service was off.

What can I do?

Re: All VestaCP installations being attacked

Posted: Wed Oct 10, 2018 6:40 am
by mehargags
Send access to your server to the vesta team so we can check more.

Re: All VestaCP installations being attacked

Posted: Wed Oct 10, 2018 8:01 am
by pqpk2009
SSHD permissions were closed, but there was still an attack.

Problem finding procedure

/usr/local/vesta/nginx/sbin/vesta-nginx

Re: All VestaCP installations being attacked

Posted: Wed Oct 10, 2018 8:03 am
by ScIT
pqpk2009 wrote:
Wed Oct 10, 2018 8:01 am
SSHD permissions were closed, but there was still an attack.

Problem finding procedure

/usr/local/vesta/nginx/sbin/vesta-nginx
Was this a new attack? If yes, please send us server access using PM.

Re: All VestaCP installations being attacked

Posted: Wed Oct 10, 2018 9:13 am
by neto737
Keep your servers safe: use a keyfile instead of a password for SSH, and disable login with password. You can also change the default SSH port. I’ve done it and everything is OK with my server.

Re: All VestaCP installations being attacked

Posted: Wed Oct 10, 2018 9:32 am
by pqpk2009
ScIT wrote:
Wed Oct 10, 2018 8:03 am
pqpk2009 wrote:
Wed Oct 10, 2018 8:01 am
SSHD permissions were closed, but there was still an attack.

Problem finding procedure

/usr/local/vesta/nginx/sbin/vesta-nginx
Was this a new attack? If yes, please send us server access using PM.
> Format: ASN | IP | Timestamp (UTC) | RPC response
> 24940 | *.*.*.* | 2018-10-09 06:41:17 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
> 24940 | *.*.*.* | 2018-10-09 06:56:55 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;

Re: All VestaCP installations being attacked

Posted: Wed Oct 10, 2018 9:46 am
by dpeca
pqpk2009 wrote:
Wed Oct 10, 2018 9:32 am
ScIT wrote:
Wed Oct 10, 2018 8:03 am
pqpk2009 wrote:
Wed Oct 10, 2018 8:01 am
SSHD permissions were closed, but there was still an attack.

Problem finding procedure

/usr/local/vesta/nginx/sbin/vesta-nginx
Was this a new attack? If yes, please send us server access using PM.
> Format: ASN | IP | Timestamp (UTC) | RPC response
> 24940 | *.*.*.* | 2018-10-09 06:41:17 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
> 24940 | *.*.*.* | 2018-10-09 06:56:55 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
Dude, this does not look like an attack to me.
If you left NFS ports open, Hetzner will just warn you.
It does not mean that the server did any attack.
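
An added example, not part of the thread and not code from the VestaCP team: a parser for the notification lines quoted above that lists which RPC programs actually answered. It assumes each `RPC response` item reads `program version port/proto`, as `rpcinfo -p` would list it; the function names and the program-number table are choices made for this example.

```python
import re
from collections import namedtuple

# Well-known ONC RPC program numbers (the names `rpcinfo -p` prints).
RPC_PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
                100021: "nlockmgr", 100024: "status"}

Entry = namedtuple("Entry", "asn ip timestamp services")
SERVICE_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)/(udp|tcp)$")

# Report lines copied from the thread (IP already masked by the poster).
SAMPLE = """\
> Format: ASN | IP | Timestamp (UTC) | RPC response
> 24940 | *.*.*.* | 2018-10-09 06:41:17 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
> 24940 | *.*.*.* | 2018-10-09 06:56:55 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
"""

def parse_report(text):
    """Return one Entry per data row; services are de-duplicated
    (program, version, port, proto) tuples in first-seen order."""
    entries = []
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()          # drop e-mail quote markers
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != 4 or not fields[0].isdigit():
            continue                             # header or non-data line
        services = []
        for item in filter(None, (s.strip() for s in fields[3].split(";"))):
            m = SERVICE_RE.match(item)
            if not m:
                continue                         # token outside assumed layout
            svc = (int(m[1]), int(m[2]), int(m[3]), m[4])
            if svc not in services:
                services.append(svc)
        entries.append(Entry(int(fields[0]), fields[1], fields[2], services))
    return entries

def summarize(entry):
    """Names of the distinct RPC programs that answered, for triage."""
    progs = sorted({prog for prog, _, _, _ in entry.services})
    return [RPC_PROGRAMS.get(p, f"unknown({p})") for p in progs]

if __name__ == "__main__":
    for e in parse_report(SAMPLE):
        print(e.timestamp, e.ip, summarize(e), e.services)
```

On the lines from the thread, every row reduces to program 100000 (versions 4, 3 and 2) on 111/udp.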

Re: All VestaCP installations being attacked

Posted: Wed Oct 10, 2018 9:51 am
by pqpk2009
dpeca wrote:
Wed Oct 10, 2018 9:46 am
pqpk2009 wrote:
Wed Oct 10, 2018 9:32 am
ScIT wrote:
Wed Oct 10, 2018 8:03 am


Was this a new attack? If yes, please send us server access using PM.
> Format: ASN | IP | Timestamp (UTC) | RPC response
> 24940 | *.*.*.* | 2018-10-09 06:41:17 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
> 24940 | *.*.*.* | 2018-10-09 06:56:55 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
Dude, this does not look like an attack to me.
If you left NFS ports open, Hetzner will just warn you.
It does not mean that the server did any attack.
This is the email sent by the German security agency. The other two infected servers are PM.

Re: All VestaCP installations being attacked

Posted: Wed Oct 10, 2018 9:52 am
by pqpk2009
pqpk2009 wrote:
Wed Oct 10, 2018 9:51 am
dpeca wrote:
Wed Oct 10, 2018 9:46 am
pqpk2009 wrote:
Wed Oct 10, 2018 9:32 am


> Format: ASN | IP | Timestamp (UTC) | RPC response
> 24940 | *.*.*.* | 2018-10-09 06:41:17 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
> 24940 | *.*.*.* | 2018-10-09 06:56:55 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
Dude, this does not look like an attack to me.
If you left NFS ports open, Hetzner will just warn you.
It does not mean that the server did any attack.
This is the email sent by the German security agency. The other two infected servers are PM to ScIT.