We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on Vesta 2.0 and expect to release it by the end of 2024. Read more about it: https://vestacp.com/docs/vesta-2-development
All VestaCP installations being attacked
Re: All VestaCP installations being attacked
This just proves that it is the time to move on, VestaCP was great, but we just can't trust it anymore. As a developer for most of my life I can state that there is literally NO reason to EVER send a password somewhere, encrypted or not.
Re: All VestaCP installations being attacked
I now start to think that the security hole that came up back in April could've been made intentionaly too.
I've also checked this fork https://github.com/madeITBelgium/vesta and it seems promising, as it is updated nearly every day and does not use the repositories of Vesta. I'm going to switch to VirtualMin soon though
Re: All VestaCP installations being attacked
I'm sorry about the inactivity in this post from our side. It was a complex issue and we were not sure we understood the whole picture. The leak in the installer is just one piece of the puzzle. All pieces together lead to a cumulative effect.
The issue number one
Our infrastructure server was hacked, presumably using an API bug in the release 0.9.8-20. The hackers then changed all installation scripts to log the admin password and IP in addition to the distro name we used to collect stats.
Please check if your server IP is here
>>>>> http://vestacp.com/test/?ip=127.0.0.1 <<<<<
If it's there you should change admin passwords as soon as possible. Also please make sure there is no /usr/bin/dhcprenew binary installed on your server. This binary is some sort of trojan that is able to launch a remote DDoS attack or open a shell to your server
Code:
root@localhost:~# strings /usr/bin/dhcprenew
last-modified
If-Modified-Since:%s
http://193.201.224.238:8852/RTEGFN01;http://zxcvbmnnfjjfwq.com:8852/RTEGFN01;http://efbthmoiuykmkjkjgt.com:8852/RTEGFN01
/data/local/tmp/tmp.l
When launched it hides as a [kworker/1:1] process
Code:
root 3308 0.0 0.0 272 52 ? Ss Sep24 0:00 [kworker/1:1]
root 3362 0.0 0.1 5596 1296 ? Ss Sep24 0:09 [kworker/1:1]
root 3363 0.0 0.0 5248 940 ? S Sep24 0:12 \_ [kworker/1:1]
The issue number two
However the first issue didn't explain a few affected servers. Luckily security experts from https://arcturussecurity.com helped us to uncover another security vulnerability.
The new release will be available in the next few hours.
I will keep you posted
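An added detection check, not code from the thread or from the Vesta project, built on the observation above: a genuine kernel thread such as [kworker/1:1] is a child of kthreadd with no user-space memory (ps shows VSZ 0 and RSS 0) and an empty /proc/PID/cmdline, while a trojan that merely renames itself keeps all of those user-process properties. The sample ps output is constructed and modelled on the lines quoted in the post.

```python
#!/usr/bin/env python3
"""Flag user-space processes masquerading as kernel threads."""
import os
import re

# Constructed sample in `ps aux` layout: two genuine kernel threads
# (VSZ 0, RSS 0) followed by three look-alikes as quoted in the thread.
SAMPLE_PS = """\
root         2  0.0  0.0      0     0 ?        S    Sep24   0:00 [kthreadd]
root        17  0.0  0.0      0     0 ?        S    Sep24   0:01 [kworker/1:1]
root      3308  0.0  0.0    272    52 ?        Ss   Sep24   0:00 [kworker/1:1]
root      3362  0.0  0.1   5596  1296 ?        Ss   Sep24   0:09 [kworker/1:1]
root      3363  0.0  0.0   5248   940 ?        S    Sep24   0:12 \\_ [kworker/1:1]
"""

def fake_kernel_threads(ps_output):
    """Return PIDs of processes named like kernel threads but holding user memory."""
    hits = []
    for line in ps_output.splitlines():
        f = line.split(None, 10)          # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME CMD
        if len(f) < 11 or not f[1].isdigit():
            continue                      # header or malformed line
        pid, vsz, rss, cmd = int(f[1]), int(f[4]), int(f[5]), f[10]
        cmd = cmd.replace("\\_ ", "")     # strip the `ps --forest` tree marker
        if re.fullmatch(r"\[[^\]]+\]", cmd) and (vsz or rss):
            hits.append(pid)
    return hits

def scan_proc(proc="/proc"):
    """Live check: a kernel thread never has a cmdline, so a bracketed argv[0] is an impostor."""
    hits = []
    if not os.path.isdir(proc):
        return hits                       # not on Linux, nothing to scan
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/cmdline", "rb") as fh:
                argv0 = fh.read().split(b"\0")[0]
        except OSError:
            continue                      # process exited mid-scan
        if argv0.startswith(b"[") and argv0.endswith(b"]"):
            hits.append(int(pid))
    return hits

def dhcprenew_present(path="/usr/bin/dhcprenew"):
    """The file-system indicator named in the post."""
    return os.path.exists(path)

if __name__ == "__main__":
    print("suspicious PIDs in sample:", fake_kernel_threads(SAMPLE_PS))
    print("suspicious PIDs on this host:", scan_proc())
    print("dhcprenew installed:", dhcprenew_present())
```

Run it as root so every /proc/PID/cmdline is readable; an empty result from scan_proc() together with a missing /usr/bin/dhcprenew matches the clean state the post describes.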
Re: All VestaCP installations being attacked
Thank you for the explanation, it explains pretty much most of the things. Glad the project is not dead.
A suggestion for the future: aim for total transparency, update users more, use HTTPS on the repository and config servers, make r.vestacp.com and c.vestacp.com browsable so users could see when a certain file was changed.
Re: All VestaCP installations being attacked
harry wrote: ↑ Wed Oct 17, 2018 8:45 pm
Thank you for the explanation, it explains pretty much most of the things. Glad the project is not dead.
A suggestion for the future: aim for total transparency, update users more, use HTTPS on the repository and config servers, make r.vestacp.com and c.vestacp.com browsable so users could see when a certain file was changed.
Thank you for the suggestions. The remote config server c.vestacp.com is now deprecated. The server is still up and running but the new installer doesn't use it anymore. All service configuration files are installed from the vesta package.
Code:
VESTA='/usr/local/vesta'
release=$(grep -o "[0-9]" /etc/redhat-release |head -n1)
codename="${os}_$release"
vestacp="$VESTA/install/$VERSION/$release"
....
cp -f $vestacp/httpd/httpd.conf /etc/httpd/conf/
In other words we have
- eliminated the risk that c.vestacp.com could affect new installations in any way
- removed distro stats notification from the installer to avoid any related risks
Re: All VestaCP installations being attacked
Any further information? Awaiting the update.
Re: All VestaCP installations being attacked
Finally the new release is available.
Please update your server as soon as possible.
Release notes for 0.9.8-23
- Security fix for timing attack on password reset. Thanks to https://arcturussecurity.com
- Security fix for v-open-fs-config. Its visibility is limited to /etc and /var/lib directories
- Security check for /usr/bin/dhcprenew binary. If found, the checker notifies the server administrator
- Security improvement for sudo. It is now limited to vesta scripts only and doesn't allow admin to execute any other command
- Security improvement: admin password and database passwords are generated individually
- Security improvement: new installer doesn't use c.vestacp.com as source for the configuration files. Configs are bundled inside vesta package
- Security improvement: installer doesn't send any information to vestacp.com after successful installation. It used to send distro name for usage statistics.
Re: All VestaCP installations being attacked
For CentOS:
Code:
yum update vesta\*
Re: All VestaCP installations being attacked
Code:
[root@vpszcka ~]# yum update vesta
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.hosting90.cz
* epel: mirror.spreitzer.ch
* extras: mirror.hosting90.cz
* remi: remi.schlundtech.de
* remi-php55: remi.schlundtech.de
* remi-php56: remi.schlundtech.de
* remi-safe: remi.schlundtech.de
* remi-test: remi.schlundtech.de
* updates: mirror.hosting90.cz
No packages marked for update