Re: All VestaCP installations being attacked

Posted: Sat Sep 29, 2018 12:49 am
by realjumy
Maverick87Shaka wrote:
Thu Sep 27, 2018 9:07 am
@realjumy can you try to edit your original post adding a poll asking about the infected servers? Maybe it helps to understand how many servers were infected.

Just a simple question on the number of servers infected, and people select how many of their servers were infected ;)
The problem with all this is that if we start sharing too much info about our configurations we are making things easier for anyone willing to repeat a similar attack.

Try to disclose as little as possible in public, and write in private to [email protected]. They are the ones that can really fix it.

Re: All VestaCP installations being attacked

Posted: Sat Sep 29, 2018 5:51 am
by pqpk2009
realjumy wrote:
Sat Sep 29, 2018 12:49 am
Maverick87Shaka wrote:
Thu Sep 27, 2018 9:07 am
@realjumy can you try to edit your original post adding a poll asking about the infected servers? Maybe it helps to understand how many servers were infected.

Just a simple question on the number of servers infected, and people select how many of their servers were infected ;)
The problem with all this is that if we start sharing too much info about our configurations we are making things easier for anyone willing to repeat a similar attack.

Try to disclose as little as possible in public, and write in private to [email protected]. They are the ones that can really fix it.
How should I repair it?

Re: All VestaCP installations being attacked

Posted: Sat Sep 29, 2018 11:58 am
by realjumy
pqpk2009 wrote:
Sat Sep 29, 2018 5:51 am
realjumy wrote:
Sat Sep 29, 2018 12:49 am
Maverick87Shaka wrote:
Thu Sep 27, 2018 9:07 am
@realjumy can you try to edit your original post adding a poll asking about the infected servers? Maybe it helps to understand how many servers were infected.

Just a simple question on the number of servers infected, and people select how many of their servers were infected ;)
The problem with all this is that if we start sharing too much info about our configurations we are making things easier for anyone willing to repeat a similar attack.

Try to disclose as little as possible in public, and write in private to [email protected]. They are the ones that can really fix it.
How should I repair it?
The problem is that we don't know yet how to repair it. The only thing you can do is download the backups and double-check that they are up to date (I noticed the last backups I had were created in May).

You need to install a fresh server and upload only the files after checking carefully for viruses and other rubbish.

But all that doesn't guarantee right now that your server will be safe. Not yet.

Re: All VestaCP installations being attacked

Posted: Sat Sep 29, 2018 6:20 pm
by pqpk2009
realjumy wrote:
Sat Sep 29, 2018 11:58 am
pqpk2009 wrote:
Sat Sep 29, 2018 5:51 am
realjumy wrote:
Sat Sep 29, 2018 12:49 am


The problem with all this is that if we start sharing too much info about our configurations we are making things easier for anyone willing to repeat a similar attack.

Try to disclose as little as possible in public, and write in private to [email protected]. They are the ones that can really fix it.
How should I repair it?
The problem is that we don't know yet how to repair it. The only thing you can do is download the backups and double-check that they are up to date (I noticed the last backups I had were created in May).

You need to install a fresh server and upload only the files after checking carefully for viruses and other rubbish.

But all that doesn't guarantee right now that your server will be safe. Not yet.
This loophole appeared in April, and it still exists. I think there is no hope!!!

Ready to imitate VESTA to write an API function; I use it myself.

Re: All VestaCP installations being attacked

Posted: Sat Sep 29, 2018 10:00 pm
by slaapkopamy
For the peeps who are using Proxmox: if you are running in an LXC without a firewall from Proxmox, then it's a good idea to seal it off so that only the ports you are using are open or semi-open for incoming and outgoing traffic. And set your rate limit to something like 25mb/s.

I did it after my IP address got blocked by OVH, and after installing the firewall and changing the root password + Vesta port there haven't been any IP blocks yet.
It's not the solution, but it's a temporary idea.

Re: All VestaCP installations being attacked

Posted: Sun Sep 30, 2018 11:43 am
by egglan
Damn. Woke up this morning and 5 of my servers have been compromised.

Re: All VestaCP installations being attacked

Posted: Sun Sep 30, 2018 11:58 am
by skamasle
I want to take a look at this issue too.

A better way to handle Vesta security is to deny access to the Vesta panel and SSH in /etc/hosts.deny and /etc/hosts.allow, to prevent access.
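The hosts.allow/hosts.deny advice above only protects daemons that consult those files via libwrap (sshd on many distributions); the nginx instance that serves the Vesta panel on port 8083 does not, so the panel itself needs a firewall rule. This added example, not code from the thread or from Vesta, evaluates the tcpd(8) decision order (allow file first, then deny file, then default allow) against constructed rule files and a constructed admin address, so you can check what an allow-list actually permits before deploying it:

```python
import ipaddress

# Constructed sample files (not from the thread): allow one admin host for sshd
# plus loopback for everything, then deny all. Real files: /etc/hosts.allow, /etc/hosts.deny.
HOSTS_ALLOW = """
# admin workstation only
sshd: 203.0.113.10
ALL: 127.0.0.1
"""
HOSTS_DENY = """
ALL: ALL
"""

def parse_rules(text):
    """Return [(daemon_list, client_list)] from 'daemon_list : client_list' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules

def client_matches(pattern, ip):
    """Subset of tcpd client patterns: ALL, exact address, 'net/mask' (dotted or /len), 'a.b.c.' prefix."""
    if pattern == "ALL":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.endswith("."):                          # trailing dot = network prefix match
        return ip.startswith(pattern)
    return ip == pattern

def matches(rules, daemon, ip):
    return any((daemon in ds or "ALL" in ds) and any(client_matches(c, ip) for c in cs)
               for ds, cs in rules)

def access_allowed(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcpd order: a match in hosts.allow grants, else a match in hosts.deny refuses, else allow."""
    if matches(parse_rules(allow_text), daemon, ip):
        return True
    if matches(parse_rules(deny_text), daemon, ip):
        return False
    return True
```

Note that without the `ALL: ALL` deny line the default is to allow, which is why an allow-only file does not lock anything down.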

Re: All VestaCP installations being attacked

Posted: Sun Sep 30, 2018 1:45 pm
by agus
egglan wrote:
Sun Sep 30, 2018 11:43 am
Damn. Woke up this morning and 5 of my servers have been compromised.

What is the clue that your server was compromised?

Re: All VestaCP installations being attacked

Posted: Sun Sep 30, 2018 3:47 pm
by dpeca
pqpk2009 wrote:
Sat Sep 29, 2018 6:20 pm
This loophole appeared in April, and it still exists. I think there is no hope!!!
That April 'hole' is fixed.
Believe me.
The hole from June is also fixed (api.php).

This is probably a third hole, and my assumption is that some PHP script on port 8083 is vulnerable.
I advise stopping the vesta service until we definitely find it and fix it.

Re: All VestaCP installations being attacked

Posted: Sun Sep 30, 2018 4:29 pm
by pqpk2009
Is this a loophole? Why not fix it? This is the latest installation package code.

------------------------- 8083/api/index.php

$v_password = tempnam("/tmp","vst");                  // temp file that will hold the submitted password
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");                 // password goes into the file, not onto the command line
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]); // client address, shell-escaped
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code); // shell out to the Vesta CLI; exit status lands in $auth_code
unlink($v_password);                                  // remove the temp file afterwards