Re: All VestaCP installations being attacked

Posted: Wed Oct 10, 2018 9:54 am
by dpeca
pqpk2009 wrote:
Wed Oct 10, 2018 9:51 am
This is the email sent by the German security agency. The other two infected servers are PM.

I know, because I get the same email when I forget to close NFS ports.
But that mail is just a warning to you to close NFS ports.

Re: All VestaCP installations being attacked

Posted: Wed Oct 10, 2018 10:01 am
by pqpk2009
ScIT wrote:
Wed Oct 10, 2018 8:03 am
pqpk2009 wrote:
Wed Oct 10, 2018 8:01 am
SSHD permissions were closed, but there was still an attack.

Problem finding procedure

/usr/local/vesta/nginx/sbin/vesta-nginx

Was this a new attack? If yes, please send us server access using PM.

I have sent PM server root information.

Tell me your IP, I'll add it to SSHD.

Re: All VestaCP installations being attacked

Posted: Wed Oct 10, 2018 11:57 am
by imperio
All whose servers were hacked, let us know when your servers were installed.

Re: All VestaCP installations being attacked

Posted: Wed Oct 10, 2018 1:13 pm
by flanders
My server was installed in September.
Then I rebuilt it, changing the panel port (I already used a custom SSH port, SSH access with key, access without password). Since my last change (panel port) it is working well.
I'm using Hetzner with CentOS 7 / apache+nginx+php7.2+mariadb10.3+csf

Re: All VestaCP installations being attacked

Posted: Wed Oct 10, 2018 2:17 pm
by pqpk2009
/usr/bin/dhcprenew

My infected server does not have this file.

Re: All VestaCP installations being attacked

Posted: Thu Oct 11, 2018 7:06 am
by ScIT
pqpk2009 wrote:
Wed Oct 10, 2018 2:17 pm
/usr/bin/dhcprenew

My infected server does not have this file.

The 2 we checked had it.

Re: All VestaCP installations being attacked

Posted: Thu Oct 11, 2018 8:51 am
by kandalf
pqpk2009 wrote:
Wed Oct 10, 2018 2:17 pm
/usr/bin/dhcprenew

My infected server does not have this file.

But how do you find that the servers were infected?

Re: All VestaCP installations being attacked

Posted: Thu Oct 11, 2018 10:36 am
by Falzo
So, anything new on that? From what we can read here so far, only a few servers have been hit and the attacker somehow gained SSH access?
Some had the Vesta service running, some not... If that's the case, a potential hacker would have needed to somehow get to know the admin's password?

To those affected: do you allow admin for SSH access (default) and/or did you change the admin password after installation?

I haven't been affected this time (yet) and am now guessing that could be just because I don't allow admin for shell access...
BUT if the scenario is right, the (my) passwords could still be compromised, right? I don't like that idea.

Re: All VestaCP installations being attacked

Posted: Thu Oct 11, 2018 12:15 pm
by eduzro
My server was hacked in September. The Vesta service was running and I had SSH access enabled just for the admin user. I set the password with the installation command. I don't know if the file /usr/bin/dhcprenew was on the server.

Re: All VestaCP installations being attacked

Posted: Thu Oct 11, 2018 1:12 pm
by imperio
flanders,
Thank you for the information.
eduzro, when was your server installed?