
Re: All VestaCP installations being attacked

Posted: Tue Sep 25, 2018 8:35 pm
by digitalocean-jd
realjumy wrote:
Tue Sep 25, 2018 8:33 pm

I'm having a lot of SSH penetration attempts since this morning, coming from everywhere.
Frankly it would be surprising if you didn't before. Most of us get thousands+ per day on every computer connected to the internet.

Re: All VestaCP installations being attacked

Posted: Tue Sep 25, 2018 8:39 pm
by dpeca
Yes, login attempts are something that is happening nonstop...

Re: All VestaCP installations being attacked

Posted: Tue Sep 25, 2018 9:26 pm
by realjumy
I just published some random attempts. But I never had this many coming from the EU...

Re: All VestaCP installations being attacked

Posted: Tue Sep 25, 2018 10:34 pm
by albertus
Hello,

Everyone running SSH on port 22? Did anyone here get hacked while having SSH firewalled by IP or running on a non-standard port?

Thank you

Re: All VestaCP installations being attacked

Posted: Tue Sep 25, 2018 11:39 pm
by dpeca
He obviously entered via SSH because he deleted /var/log/secure and auth.log.
But the mystery is HOW he got SSH.

Re: All VestaCP installations being attacked

Posted: Wed Sep 26, 2018 2:22 am
by albertus
dpeca wrote:
Tue Sep 25, 2018 11:39 pm
He obviously entered via SSH because he deleted /var/log/secure and auth.log.
But the mystery is HOW he got SSH.
No, not that obvious to me, dpeca. There are things called "callback" that connect from the inside to the outside giving a shell. So, if people having SSH off got hacked I would look for something like that.

Re: All VestaCP installations being attacked

Posted: Wed Sep 26, 2018 5:34 am
by mericson
MrCraac wrote:
Tue Sep 25, 2018 2:30 pm
Hi, 21 servers hacked, all hosted by OVH. All of them with random ports.
We really need to have feedback about what was the issue and how it worked, until then, our servers are going back to Plesk :(
Was there any evidence of port scanning prior to the attack targeting the VestaCP port? There must have been port scanning if the ports were truly random (each server with a different random port).

Re: All VestaCP installations being attacked

Posted: Wed Sep 26, 2018 6:11 am
by lexusextreme
My VestaCP (installed from 12/9/2018, Ubuntu 18.04) was also hacked.
I got an email from my VPS provider; they said my server was used for a DDoS attack and VestaCP was the cause of the issue.

Re: All VestaCP installations being attacked

Posted: Wed Sep 26, 2018 9:30 am
by realjumy
mericson wrote:
Wed Sep 26, 2018 5:34 am
MrCraac wrote:
Tue Sep 25, 2018 2:30 pm
Hi, 21 servers hacked, all hosted by OVH. All of them with random ports.
We really need to have feedback about what was the issue and how it worked, until then, our servers are going back to Plesk :(
Was there any evidence of port scanning prior to the attack targeting the VestaCP port? There must have been port scanning if the ports were truly random (each server with a different random port).
All my servers have always been targets of port scanning. The question is whether they managed to get in that way.

Can anyone confirm that fail2ban works properly?

Re: All VestaCP installations being attacked

Posted: Wed Sep 26, 2018 9:33 am
by slaapkopamy
realjumy wrote:
Wed Sep 26, 2018 9:30 am
mericson wrote:
Wed Sep 26, 2018 5:34 am
MrCraac wrote:
Tue Sep 25, 2018 2:30 pm
Hi, 21 servers hacked, all hosted by OVH. All of them with random ports.
We really need to have feedback about what was the issue and how it worked, until then, our servers are going back to Plesk :(
Was there any evidence of port scanning prior to the attack targeting the VestaCP port? There must have been port scanning if the ports were truly random (each server with a different random port).
All my servers have always been targets of port scanning. The question is whether they managed to get in that way.

Can anyone confirm that fail2ban works properly?
Too bad for me... I turned fail2ban off weeks ago because of the high RAM usage... I added a second IP address and am now running via an extra firewall for filtering my network traffic; it's now a little bit safer to use, I hope.