Page 19 of 24

Re: All VestaCP installations being attacked

Posted: Wed Oct 17, 2018 7:19 pm
by Prime_
imperio wrote:
Wed Oct 17, 2018 7:11 pm
Now we are working on a fix
Errr, what about all the passwords that were sent in something similar to plaintext to your servers? This reply is honestly not going to cut it.

Re: All VestaCP installations being attacked

Posted: Wed Oct 17, 2018 7:28 pm
by harry
This just proves that it is the time to move on, VestaCP was great, but we just can't trust it anymore. As a developer for most of my life I can state that there is literally NO reason to EVER send a password somewhere, encrypted or not.

Re: All VestaCP installations being attacked

Posted: Wed Oct 17, 2018 7:36 pm
by harry
I now start to think that the security hole that came up back in April could've been made intentionally too.
I've also checked this fork https://github.com/madeITBelgium/vesta and it seems promising, as it is updated nearly every day and does not use the repositories of Vesta. I'm going to switch to VirtualMin soon though.

Re: All VestaCP installations being attacked

Posted: Wed Oct 17, 2018 8:25 pm
by skid
I'm sorry about the inactivity in this post from our side. It was a complex issue and we were not sure we understood the whole picture. The leak in the installer is just one piece of the puzzle. All the pieces together lead to a cumulative effect.

The issue number one
Our infrastructure server was hacked, presumably using an API bug in release 0.9.8-20. The hackers then changed all installation scripts to log the admin password and IP in addition to the distro name we used to collect stats.

Please check if your server IP is here:
>>>>> http://vestacp.com/test/?ip=127.0.0.1 <<<<<

If it's there you should change the admin password as soon as possible. Also please make sure there is no /usr/bin/dhcprenew binary installed on your server. This binary is some sort of trojan that is able to launch a remote DDoS attack or open a shell to your server.

Code:

root@localhost:~! strings /usr/bin/dhcprenew
last-modified
If-Modified-Since:%s
http://193.201.224.238:8852/RTEGFN01;http://zxcvbmnnfjjfwq.com:8852/RTEGFN01;http://efbthmoiuykmkjkjgt.com:8852/RTEGFN01
/data/local/tmp/tmp.l

When launched it hides as a [kworker/1:1] process:

Code:

root      3308  0.0  0.0    272    52 ?        Ss   Sep24   0:00 [kworker/1:1]
root      3362  0.0  0.1   5596  1296 ?        Ss   Sep24   0:09 [kworker/1:1]
root      3363  0.0  0.0   5248   940 ?        S    Sep24   0:12  \_ [kworker/1:1]

The issue number two
However, the first issue didn't explain a few of the affected servers. Luckily, security experts from https://arcturussecurity.com helped us to uncover another security vulnerability.

The new release will be available in the next few hours.
I will keep you posted.
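As an added example (not the VestaCP checker and not code from the thread), the two indicators skid describes can be checked from a shell: the presence of the /usr/bin/dhcprenew binary, and a user-space process hiding under the kworker name. The second check relies on the fact that genuine kworker threads are kernel threads whose /proc/PID/exe has no target, while a renamed binary still resolves to a file on disk; the procfs root argument is an assumption added so the function can also be run over a constructed tree.

```shell
#!/bin/sh
# Added example, not the VestaCP checker or any code from the thread.
# Two defender-side checks for the indicators skid described: the
# /usr/bin/dhcprenew binary, and a process masquerading as [kworker/1:1].
# Genuine kworker threads are kernel threads, so /proc/PID/exe has no
# target; a renamed user-space binary still resolves to a file on disk.

# Return 0 if the binary is absent, 1 if present (path argument optional).
check_trojan_binary() {
    path="${1:-/usr/bin/dhcprenew}"
    if [ -e "$path" ]; then
        echo "ALERT: $path exists; inspect it (e.g. strings) and rotate admin passwords"
        return 1
    fi
    return 0
}

# Scan a procfs tree (default /proc; the argument is an addition so the
# function can also run over a constructed tree) for processes that look
# like kworker threads, via comm or an argv[0] of "[kworker/...]", yet have
# a resolvable exe link. Prints one ALERT per hit; returns 0 if clean, 1 otherwise.
find_fake_kworkers() {
    procroot="${1:-/proc}"
    hits=0
    for dir in "$procroot"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null)
        cmdline=$(cat "$dir/cmdline" 2>/dev/null | tr '\000' ' ')
        case "$comm $cmdline" in
            kworker/*|*"[kworker/"*) ;;
            *) continue ;;
        esac
        exe=$(readlink "$dir/exe" 2>/dev/null) || continue
        [ -n "$exe" ] || continue
        echo "ALERT: pid ${dir##*/} looks like [$comm] but runs $exe"
        hits=$((hits + 1))
    done
    [ "$hits" -eq 0 ]
}

# Run both checks against the live system; status 1 means a finding.
status=0
check_trojan_binary || status=1
find_fake_kworkers || status=1
```

Run as root so /proc/PID/exe is readable for every process; an unreadable link is skipped, not reported.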

Re: All VestaCP installations being attacked

Posted: Wed Oct 17, 2018 8:45 pm
by harry
Thank you for the explanation, it explains pretty much most of the things. Glad the project is not dead.
A suggestion for the future: aim for total transparency, update users more, use HTTPS on the repository and config servers, and make r.vestacp.com and c.vestacp.com browsable so users could see when a certain file was changed.

Re: All VestaCP installations being attacked

Posted: Wed Oct 17, 2018 10:18 pm
by skid
harry wrote:
Wed Oct 17, 2018 8:45 pm
Thank you for the explanation, it explains pretty much most of the things. Glad the project is not dead.
A suggestion for the future: aim for total transparency, update users more, use HTTPS on the repository and config servers, and make r.vestacp.com and c.vestacp.com browsable so users could see when a certain file was changed.
Thank you for the suggestions. The remote config server c.vestacp.com is now deprecated. The server is still up and running but the new installer doesn't use it anymore. All service configuration files are installed from the vesta package.

Code:

VESTA='/usr/local/vesta'
release=$(grep -o "[0-9]" /etc/redhat-release |head -n1)
codename="${os}_$release"
vestacp="$VESTA/install/$VERSION/$release"

....

cp -f $vestacp/httpd/httpd.conf /etc/httpd/conf/

The package is built using the GitHub repo as the config source, and we believe GitHub provides the best tracking for config changes. When the package is ready it is signed using PGP and then pushed to the r.vestacp.com or apt.vestacp.com package repository.

In other words, we have:
- eliminated the risk that c.vestacp.com could affect new installations in any way
- removed distro stats notification from the installer to avoid any related risks

Re: All VestaCP installations being attacked

Posted: Thu Oct 18, 2018 4:06 am
by chrisf
Any further information? Awaiting the update.

Re: All VestaCP installations being attacked

Posted: Thu Oct 18, 2018 8:58 am
by skid
Finally, the new release is available.
Please update your server as soon as possible.

Release notes for 0.9.8-23
- Security fix for a timing attack on password reset. Thanks to https://arcturussecurity.com
- Security fix for v-open-fs-config. Its visibility is limited to the /etc and /var/lib directories
- Security check for the /usr/bin/dhcprenew binary. If found, the checker notifies the server administrator
- Security improvement for sudo. It is now limited to vesta scripts only and doesn't allow admin to execute any other command
- Security improvement: admin password and database passwords are generated individually
- Security improvement: the new installer doesn't use c.vestacp.com as the source for the configuration files. Configs are bundled inside the vesta package
- Security improvement: the installer doesn't send any information to vestacp.com after successful installation. It used to send the distro name for usage statistics.

Re: All VestaCP installations being attacked

Posted: Thu Oct 18, 2018 9:38 am
by Stesh
For CentOS:

Code:

yum update vesta\*

Re: All VestaCP installations being attacked

Posted: Thu Oct 18, 2018 10:45 am
by someuser

Code:

[root@vpszcka ~]# yum update vesta
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.hosting90.cz
 * epel: mirror.spreitzer.ch
 * extras: mirror.hosting90.cz
 * remi: remi.schlundtech.de
 * remi-php55: remi.schlundtech.de
 * remi-php56: remi.schlundtech.de
 * remi-safe: remi.schlundtech.de
 * remi-test: remi.schlundtech.de
 * updates: mirror.hosting90.cz
No packages marked for update
Is it okay?