Page 9 of 24

Re: All VestaCP installations being attacked

Posted: Fri Sep 28, 2018 12:13 am
by luizjr
dpeca wrote:
Wed Sep 26, 2018 12:33 pm
The same arguments are still here - why EU datracenters is untouched then....
If this is true as 10 of my servants left, being that they are in Montreal in Canada

Re: All VestaCP installations being attacked

Posted: Fri Sep 28, 2018 1:08 am
by dpeca
I didn't think of OVH datacenters in EU, because it looks like attacker scans all OVH datacenters, including EU datacenters.

I rather thought of EU companies that has EU datacenters... OVH competitors...

Because he obviously knows only OVH IP rangs...
Maybe IP rangs of Digitalocean and AWS too...

Re: All VestaCP installations being attacked

Posted: Fri Sep 28, 2018 1:16 am
by luizjr
dpeca wrote:
Fri Sep 28, 2018 1:08 am
I didn't think of OVH datacenters in EU, because it looks like attacker scans all OVH datacenters, including EU datacenters.

I rather thought of EU companies that has EU datacenters... OVH competitors...

Because he obviously knows only OVH IP rangs...
Maybe IP rangs of Digitalocean and AWS too...
Based on all the information, do you have any idea how to solve it?
I have 2 servers that have been locked back in the air for investigation.

I can share one with you via private message.

Re: All VestaCP installations being attacked

Posted: Fri Sep 28, 2018 1:45 am
by dpeca
luizjr wrote:
Fri Sep 28, 2018 1:16 am
Based on all the information, do you have any idea how to solve it?
I have 2 servers that have been locked back in the air for investigation.

I can share one with you via private message.
Generally, Serghey and Anton do investigations, you can send SSH logins to info@vestacp.com
My rang is 'Collaborator', I'm personally not sure if it means that I'm core developer, even I have permission to push commits directly to official github.
Serghey and Anton probably reviewed a lot machines in last few days, maybe they are busy with doing it.
Let it be your decision if you want to send me login for investigation.
You can send it to info@vestacp.com, they will forward it to me if they are busy with other investigations.
Or you can send it to me anyway, I will share with them if they want to investigate too.
You decide, since I'm only 'Collaborator', and since you will share probably sensitive data from server in that case.

Keep in mind that I can do that for 9 hours until now.
(it's 3:48 AM night at my country, it's really late... i must sleep :)

Re: All VestaCP installations being attacked

Posted: Fri Sep 28, 2018 5:28 am
by compiz
May I add that also my vestacp is being attacked for a few days now, i don't have user pwd for room, just ssh and it seems it is working well for protection but i see all the time exim4 is down and I can't access e-mails nor a few domains, latest one is, I made a nextcloud site and I can't access it at all from nextcloud clients but only from web interface

Re: All VestaCP installations being attacked

Posted: Fri Sep 28, 2018 12:58 pm
by bountysite
hello,

Has anyone been able to detect the vulnerability?
From the updates, it seems like an exploit without login.

Re: All VestaCP installations being attacked

Posted: Fri Sep 28, 2018 2:36 pm
by lukapaunovic
We are at DEFCON 1

Re: All VestaCP installations being attacked

Posted: Fri Sep 28, 2018 2:59 pm
by pqpk2009
I have more than 100 servers that are attacked by VESTA, which is a large number of SSHD attacks.

The server without VESTA is not attacked.

Re: All VestaCP installations being attacked

Posted: Fri Sep 28, 2018 3:02 pm
by pqpk2009
I have more than 100 servers that are attacked by VESTA, which is a large number of SSHD attacks.

The server without VESTA is not attacked.

Re: All VestaCP installations being attacked

Posted: Fri Sep 28, 2018 4:12 pm
by maman
I have 5 servers with OVH in multiple locations. none of them affected.

What i do is I use my own VestaCP Improved installer (CentOS only)

For those of you with other OS you can read what steps I do to hardening VestaCP here:
=> https://github.com/erikdemarco/VestaCP-Improved

Lastly I never never never ever use vestacp default installation without any additional hardening steps.