Page 8 of 24

Re: All VestaCP installations being attacked

Posted: Wed Sep 26, 2018 9:58 pm
by iddir
vikhyat wrote:
Wed Sep 26, 2018 6:48 pm
I suggest switching to SSH key-only login, which according to me is a really simple and the best fix, without worrying about new hacks, as I have experienced it.
Hi, I was hacked in April/May and now again (yesterday, 2 clouds), and I'm only using an SSH key to log in. So you won't be safe from this hack even if you are using an SSH key.

EDIT: Vesta had been installed since August on both clouds that were hacked yesterday.

I now remember another hack from the 1st of August, where I did DDoS to the same IP as other people who were hacked in September (myself included).

Attack detail : 10Kpps/81Mbps
dateTime srcIp:srcPort dstIp:dstPort protocol flags packets bytes reason
2018.08.01 10:33:41 CEST 176.31.115.152:13003 144.0.2.180:80 TCP SYN

This one had been installed since January and got hacked on the 1st of August.

Re: All VestaCP installations being attacked

Posted: Thu Sep 27, 2018 12:45 am
by Liam
Here's the attack log my provider gave me, with my VM's IP Address being replaced with <VM IP>.

Code:

ipv4 2 tcp 6 40 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=12558 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=12558 mark=0 secmark=0 use=2
ipv4 2 tcp 6 2 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=62127 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=62127 mark=0 secmark=0 use=2
ipv4 2 tcp 6 92 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=33896 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=33896 mark=0 secmark=0 use=2
ipv4 2 tcp 6 26 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=29526 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=29526 mark=0 secmark=0 use=2
ipv4 2 tcp 6 45 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=47494 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=47494 mark=0 secmark=0 use=2
ipv4 2 tcp 6 98 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=11174 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=11174 mark=0 secmark=0 use=2
ipv4 2 tcp 6 70 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=649 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=649 mark=0 secmark=0 use=2
ipv4 2 tcp 6 35 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=6718 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=6718 mark=0 secmark=0 use=2
ipv4 2 tcp 6 42 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=21999 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=21999 mark=0 secmark=0 use=2
ipv4 2 tcp 6 95 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=5797 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=5797 mark=0 secmark=0 use=2
ipv4 2 tcp 6 17 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=46857 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=46857 mark=0 secmark=0 use=2
ipv4 2 tcp 6 81 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=53976 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=53976 mark=0 secmark=0 use=2
ipv4 2 tcp 6 22 SYN_SENT src=<VM IP> dst=116.211.168.63 sport=59385 dport=80 [UNREPLIED] src=116.211.168.63 dst=<VM IP> sport=80 dport=59385 mark=0 secmark=0 use=2
ipv4 2 tcp 6 117 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=42659 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=42659 mark=0 secmark=0 use=2
ipv4 2 tcp 6 18 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=55428 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=55428 mark=0 secmark=0 use=2
ipv4 2 tcp 6 61 SYN_SENT src=<VM IP> dst=121.29.57.214 sport=55477 dport=80 [UNREPLIED] src=121.29.57.214 dst=<VM IP> sport=80 dport=55477 mark=0 secmark=0 use=2
I hope this is the same vulnerability and not another unknown exploit. These stopped when I changed my SSH port, changed the 'admin' password and installed CSF with SYNFLOOD protection. I have VestaCP's GUI turned off while we still have no idea what's going on.

If there are any logs the admins wish to see I'd be more than happy to check my infected instance and pass them on.
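The entries Liam posted are conntrack state, and they carry a signal you can check on any suspect box before you have a root cause: an outbound TCP entry stuck in SYN_SENT and still marked [UNREPLIED] means the host sent a SYN and never saw the SYN/ACK. A few of those are normal; hundreds toward two or three addresses on port 80 is a bot flooding someone. The script below is an added example, not code from Liam's post, his provider, or VestaCP. It parses /proc/net/nf_conntrack (and `conntrack -L`, which omits the leading "ipv4 2"), counts unreplied outbound SYNs per target, and reports what share of the host's outbound state is half-open. The sample entries are constructed, with 203.0.113.10 standing in for <VM IP>; the two target addresses are the ones from the post, and the 50-entry cut-off is an assumed default to tune per host.

```python
"""Detect an outbound SYN flood from conntrack entries (added example)."""
import re
from collections import Counter

# Original-direction tuple of a conntrack entry, up to the optional
# [UNREPLIED] flag; the reply tuple that follows it is ignored. The
# "ipv4 2" prefix exists in /proc/net/nf_conntrack but not in
# `conntrack -L` output, so it is optional. Non-TCP lines do not match.
CONNTRACK_RE = re.compile(
    r"^(?:ipv4\s+2\s+)?tcp\s+6\s+(?P<timeout>\d+)\s+(?P<state>[A-Z_]+)\s+"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"sport=(?P<sport>\d+)\s+dport=(?P<dport>\d+)\s+"
    r"(?P<unreplied>\[UNREPLIED\])?"
)

OUR_IP = "203.0.113.10"  # constructed stand-in for <VM IP>

# Constructed sample: five half-open SYNs toward the two targets from the
# post, one inbound SSH session, one legitimate outbound HTTPS session,
# and one UDP entry that the TCP-only regex skips.
SAMPLE_CONNTRACK = """\
ipv4 2 tcp 6 40 SYN_SENT src=203.0.113.10 dst=116.211.168.63 sport=12558 dport=80 [UNREPLIED] src=116.211.168.63 dst=203.0.113.10 sport=80 dport=12558 mark=0 secmark=0 use=2
ipv4 2 tcp 6 2 SYN_SENT src=203.0.113.10 dst=121.29.57.214 sport=62127 dport=80 [UNREPLIED] src=121.29.57.214 dst=203.0.113.10 sport=80 dport=62127 mark=0 secmark=0 use=2
ipv4 2 tcp 6 92 SYN_SENT src=203.0.113.10 dst=121.29.57.214 sport=33896 dport=80 [UNREPLIED] src=121.29.57.214 dst=203.0.113.10 sport=80 dport=33896 mark=0 secmark=0 use=2
ipv4 2 tcp 6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=50122 dport=22 src=203.0.113.10 dst=198.51.100.7 sport=22 dport=50122 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 tcp 6 299 ESTABLISHED src=203.0.113.10 dst=198.51.100.20 sport=41210 dport=443 src=198.51.100.20 dst=203.0.113.10 sport=443 dport=41210 [ASSURED] mark=0 secmark=0 use=2
ipv4 2 udp 17 29 src=203.0.113.10 dst=198.51.100.53 sport=40000 dport=53 src=198.51.100.53 dst=203.0.113.10 sport=53 dport=40000 mark=0 secmark=0 use=2
ipv4 2 tcp 6 26 SYN_SENT src=203.0.113.10 dst=116.211.168.63 sport=29526 dport=80 [UNREPLIED] src=116.211.168.63 dst=203.0.113.10 sport=80 dport=29526 mark=0 secmark=0 use=2
ipv4 2 tcp 6 117 SYN_SENT src=203.0.113.10 dst=121.29.57.214 sport=42659 dport=80 [UNREPLIED] src=121.29.57.214 dst=203.0.113.10 sport=80 dport=42659 mark=0 secmark=0 use=2
"""


def parse_conntrack(text):
    """Yield one dict per parsable TCP line; other lines are skipped."""
    for line in text.splitlines():
        m = CONNTRACK_RE.match(line.strip())
        if m:
            yield {"state": m["state"], "src": m["src"], "dst": m["dst"],
                   "dport": int(m["dport"]), "unreplied": m["unreplied"] is not None}


def unreplied_syn_targets(text, our_ip):
    """Count half-open outbound SYNs from our_ip, keyed by 'dst:dport'."""
    counts = Counter()
    for e in parse_conntrack(text):
        if e["src"] == our_ip and e["state"] == "SYN_SENT" and e["unreplied"]:
            counts[f"{e['dst']}:{e['dport']}"] += 1
    return counts


def flood_targets(text, our_ip, threshold=50):
    """Targets with at least `threshold` unreplied SYNs from us.
    50 is an assumed cut-off for a lightly loaded web host; tune it."""
    return {t: n for t, n in unreplied_syn_targets(text, our_ip).items()
            if n >= threshold}


def outbound_summary(text, our_ip):
    """How much of our outbound conntrack state is half-open SYNs."""
    outbound = [e for e in parse_conntrack(text) if e["src"] == our_ip]
    half_open = [e for e in outbound if e["state"] == "SYN_SENT" and e["unreplied"]]
    ratio = round(len(half_open) / len(outbound), 2) if outbound else 0.0
    return {"outbound": len(outbound), "unreplied_syn": len(half_open), "ratio": ratio}


if __name__ == "__main__":
    # On a live host: open("/proc/net/nf_conntrack").read() instead of the sample.
    print(outbound_summary(SAMPLE_CONNTRACK, OUR_IP))
    print(unreplied_syn_targets(SAMPLE_CONNTRACK, OUR_IP).most_common(5))
    print(flood_targets(SAMPLE_CONNTRACK, OUR_IP, threshold=3))
```

On the sample, five of six outbound entries are half-open SYNs to two hosts on port 80; with the default threshold of 50 nothing is flagged, which is the point of keeping the raw per-target counts and the ratio visible rather than only a yes/no verdict. Note that this only tells you the box is attacking someone, not how it was compromised, so it is a triage check, not a root-cause tool.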

Re: All VestaCP installations being attacked

Posted: Thu Sep 27, 2018 7:56 am
by dpeca
vikhyat wrote:
Wed Sep 26, 2018 6:48 pm
I suggest switching to SSH key-only login, which according to me is a really simple and the best fix, without worrying about new hacks, as I have experienced it.
Better idea - https://www.ostechnix.com/allow-deny-ss ... oup-linux/

Code:

vi /etc/ssh/sshd_config
# add the following two lines (put them above any existing PermitRootLogin line: sshd uses the first value it finds)
PermitRootLogin without-password   # root may log in with a key only, never with a password ("without-password" is the older spelling of "prohibit-password")
DenyUsers admin                    # refuse SSH logins for the VestaCP "admin" account

systemctl restart sshd
WARNING: GENERATE and GET root SSH key before you do this!!!

But anyway, this will not prevent system compromise if he can execute shell commands somewhere...
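Two sshd_config(5) rules bite when you append lines to the file the way the post above suggests: for ordinary keywords the first value in the file wins, so a `PermitRootLogin without-password` appended below an existing `PermitRootLogin yes` changes nothing, and directives below a `Match` line only apply inside that block. The checker below is an added example, not code from dpeca's post or from VestaCP. It audits a config for the two settings in the post plus the caveat that goes with vikhyat's "SSH key only" advice: `DenyUsers admin` stops the admin account, but every other account still takes passwords until `PasswordAuthentication no` is set. The config texts are constructed for the example.

```python
"""Audit sshd_config for root key-only, a denied user, and password logins (added example)."""
import fnmatch
import re

# PermitRootLogin values under which root cannot authenticate with a password.
# "without-password" is the pre-OpenSSH-7.0 spelling of "prohibit-password".
ROOT_NO_PASSWORD = {"prohibit-password", "without-password", "forced-commands-only", "no"}

# "Keyword value" or "Keyword=value"; keywords are case-insensitive.
DIRECTIVE_RE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=\s*)?(.*)$")


def parse_sshd_config(text):
    """Return ({keyword_lower: [values in file order]}, saw_match).
    Parsing stops at the first Match line: everything below it is conditional."""
    directives, saw_match = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            saw_match = True
            break
        directives.setdefault(key, []).append(value)
    return directives, saw_match


def effective(directives, keyword):
    """sshd_config(5): for each keyword the first obtained value is used."""
    values = directives.get(keyword.lower())
    return values[0].lower() if values else None


def denied_users(directives):
    """DenyUsers patterns, accumulated across all DenyUsers lines."""
    return [u for v in directives.get("denyusers", []) for u in v.split()]


def audit_sshd_config(text, blocked_user="admin"):
    """Return a list of findings; an empty list means every check passed."""
    directives, saw_match = parse_sshd_config(text)
    findings = []
    prl = effective(directives, "PermitRootLogin")
    if prl is None:
        findings.append("PermitRootLogin unset: default is prohibit-password on OpenSSH >= 7.0 "
                        "but yes on older releases; set it explicitly")
    elif prl not in ROOT_NO_PASSWORD:
        findings.append(f"PermitRootLogin {prl}: root can still log in with a password "
                        "(first value in the file wins)")
    # DenyUsers takes glob patterns, so match the account against each pattern.
    if not any(fnmatch.fnmatchcase(blocked_user, pat) for pat in denied_users(directives)):
        findings.append(f"DenyUsers does not cover '{blocked_user}': that account can still log in over SSH")
    pa = effective(directives, "PasswordAuthentication")
    if pa != "no":
        findings.append(f"PasswordAuthentication {pa or 'unset (default yes)'}: other accounts still "
                        "accept passwords; set it to no for key-only logins")
    if saw_match:
        findings.append("Match block present: per-user/per-host overrides below it were not evaluated")
    return findings


# Constructed configs. POSTED is the post's two lines on a minimal file;
# APPENDED_BELOW_YES is the same two lines appended under an earlier
# PermitRootLogin yes, which silently keeps winning.
POSTED = "Port 22\nPermitRootLogin without-password\nDenyUsers admin\n"
APPENDED_BELOW_YES = ("PermitRootLogin yes\nPasswordAuthentication no\n"
                      "PermitRootLogin without-password\nDenyUsers admin\n")
HARDENED = "PermitRootLogin prohibit-password\nPasswordAuthentication no\nDenyUsers admin backup\n"

if __name__ == "__main__":
    # On a live host: audit_sshd_config(open("/etc/ssh/sshd_config").read())
    for name, cfg in (("posted", POSTED), ("appended", APPENDED_BELOW_YES), ("hardened", HARDENED)):
        print(name, audit_sshd_config(cfg) or ["ok"])
```

Run `sshd -t` after editing and before `systemctl restart sshd`, and keep an existing root session open until a fresh key login has been confirmed; the checker reads the file, it does not confirm that sshd accepted it or that your key is actually in root's authorized_keys.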

Re: All VestaCP installations being attacked

Posted: Thu Sep 27, 2018 9:07 am
by Maverick87Shaka
@realjumy, can you try to edit your original post, adding a poll asking about the infected servers? Maybe it helps to understand how many servers were infected.

Just a simple question on the number of servers infected, and people select how many of their servers were infected ;)

Re: All VestaCP installations being attacked

Posted: Thu Sep 27, 2018 11:16 am
by pksh71
Dear All,

All my VPS at OVH were attacked and have been suspended by OVH; this happened on 24-Sep-2018. We have almost 103 VPS at OVH.
We have no way to get our data out of the OVH VPS, as they don't allow us.
What can we do?

regards

Re: All VestaCP installations being attacked

Posted: Thu Sep 27, 2018 1:10 pm
by ScIT
pksh71 wrote:
Thu Sep 27, 2018 11:16 am
Dear All,

All my VPS at OVH were attacked and have been suspended by OVH; this happened on 24-Sep-2018. We have almost 103 VPS at OVH.
We have no way to get our data out of the OVH VPS, as they don't allow us.
What can we do?

regards
I don't know a lot about OVH, but I think you can ask them to boot the server in rescue mode to recover your data - just contact their support.

Re: All VestaCP installations being attacked

Posted: Thu Sep 27, 2018 3:01 pm
by httpd
pksh71 wrote:
Thu Sep 27, 2018 11:16 am
Dear All,

All my VPS at OVH were attacked and have been suspended by OVH; this happened on 24-Sep-2018. We have almost 103 VPS at OVH.
We have no way to get our data out of the OVH VPS, as they don't allow us.
What can we do?

regards
The support at firstvds.ru can block all ports for my VPS, except SSH, and then turn the server on. Maybe you can do it this way?

Re: All VestaCP installations being attacked

Posted: Thu Sep 27, 2018 5:58 pm
by mp2017
Also got a notification from AWS that my server is involved in a DoS on that Chinese IP. I've checked and confirm that my server is compromised and Vesta is not opening.
Starting to get tired of this s#it.

Re: All VestaCP installations being attacked

Posted: Fri Sep 28, 2018 12:04 am
by luizjr
ctrlpac wrote:
Tue Sep 25, 2018 12:11 pm
That seems a CRITICAL issue. I need to identify that.

Please @vestacp team, if you need any help, don't hesitate to contact me!
As it is open source and you have the knowledge for such things, you can rather help and show them the solution.

The faster the better.

Re: All VestaCP installations being attacked

Posted: Fri Sep 28, 2018 12:06 am
by luizjr
realjumy wrote:
Tue Sep 25, 2018 2:21 pm
dpeca wrote:
Tue Sep 25, 2018 2:15 pm
In what datacenter are those servers?
Mine and my friends' are in OVH. I don't know other people.
Mine too
On average 10 servers