Vesta Control Panel - Forum

Community Forum

Possible vulnerability in Vesta 0.9.8-22 (topic is solved)

General questions about the Vesta control panel
77 posts • Page 4 of 8
nitsik
Os: Debian 7x
Web: apache + nginx

Post by nitsik » Thu Oct 11, 2018 3:35 pm

Today Hetzner did block my server after all...
Your server with the above-mentioned IP address has carried out an attack on another server on the Internet.
This has placed a considerable strain on network resources and, as a result, a segment of our network has been adversely affected.
Your server has therefore been deactivated as a precautionary measure.
A corresponding log history is attached at the end of this email.
For guidelines on how to proceed next please see:
http://wiki.hetzner.de/index.php/Leitfa ... perrung/en
If you have any questions or requests, please send us a support request via your Robot administration interface (https://robot.your-server.de).
Please log in to Robot using your login. Then click on the user icon in the upper right hand corner and then on "Support". Under "Unblock requests" please select the corresponding Blocking ID and return the completed form to us.
We shall reply to your support request as soon as we can.
Best regards
Your Hetzner Online Team

17:20:01.535683 IP x.x.x.x.27695 > 144.0.2.180.80: Flags [S], seq
3474773060, win 29200, options [mss 1460,sackOK,TS val 3166624 ecr
0,nop,wscale 7], length 0
17:20:01.535686 IP x.x.x.x.36580 > 144.0.2.180.80: Flags [S], seq
2480678434, win 29200, options [mss 1460,sackOK,TS val 489705888 ecr
0,nop,wscale 7], length 0
17:20:01.535689 IP x.x.x.x.34343 > 144.0.2.180.80: Flags [S], seq
2402040718, win 29200, options [mss 1460,sackOK,TS val 472928672 ecr
0,nop,wscale 7], length 0
17:20:01.535692 IP x.x.x.x.12315 > 144.0.2.180.80: Flags [S], seq
1757047511, win 29200, options [mss 1460,sackOK,TS val 489705888 ecr
0,nop,wscale 7], length 0
17:20:01.535696 IP x.x.x.x.27818 > 144.0.2.180.80: Flags [S], seq
3102996489, win 29200, options [mss 1460,sackOK,TS val 489705888 ecr
0,nop,wscale 7], length 0
17:20:01.535699 IP x.x.x.x.40772 > 144.0.2.180.80: Flags [S], seq
3497870033, win 29200, options [mss 1460,sackOK,TS val 456151456 ecr
0,nop,wscale 7], length 0
17:20:01.535702 IP x.x.x.x.37549 > 144.0.2.180.80: Flags [S], seq
1795236364, win 29200, options [mss 1460,sackOK,TS val 120607136 ecr
0,nop,wscale 7], length 0
17:20:01.535705 IP x.x.x.x.48555 > 144.0.2.180.80: Flags [S], seq
4212691322, win 29200, options [mss 1460,sackOK,TS val 456151456 ecr
0,nop,wscale 7], length 0
17:20:01.535709 IP x.x.x.x.37187 > 144.0.2.180.80: Flags [S], seq
1475914477, win 29200, options [mss 1460,sackOK,TS val 506483104 ecr
0,nop,wscale 7], length 0
17:20:01.535712 IP x.x.x.x.17637 > 144.0.2.180.80: Flags [S], seq
3188296917, win 29200, options [mss 1460,sackOK,TS val 506483104 ecr
0,nop,wscale 7], length 0
17:20:01.535716 IP x.x.x.x.23562 > 144.0.2.180.80: Flags [S], seq
3070838377, win 29200, options [mss 1460,sackOK,TS val 456151456 ecr
0,nop,wscale 7], length 0
17:20:01.535719 IP x.x.x.x.34314 > 144.0.2.180.80: Flags [S], seq
3326372764, win 29200, options [mss 1460,sackOK,TS val 472928672 ecr
0,nop,wscale 7], length 0
17:20:01.535722 IP x.x.x.x.30536 > 144.0.2.180.80: Flags [S], seq
1840493217, win 29200, options [mss 1460,sackOK,TS val 120607136 ecr
0,nop,wscale 7], length 0
17:20:01.535726 IP x.x.x.x.44745 > 144.0.2.180.80: Flags [S], seq
1178266727, win 29200, options [mss 1460,sackOK,TS val 3166624 ecr
0,nop,wscale 7], length 0
17:20:01.535729 IP x.x.x.x.22192 > 144.0.2.180.80: Flags [S], seq
38758796, win 29200, options [mss 1460,sackOK,TS val 472928672 ecr
0,nop,wscale 7], length 0
17:20:01.535732 IP x.x.x.x.50199 > 144.0.2.180.80: Flags [S], seq
2338111890, win 29200, options [mss 1460,sackOK,TS val 120607136 ecr
0,nop,wscale 7], length 0
17:20:01.535735 IP x.x.x.x.35768 > 144.0.2.180.80: Flags [S], seq
749722850, win 29200, options [mss 1460,sackOK,TS val 489705888 ecr
0,nop,wscale 7], length 0
17:20:01.535739 IP x.x.x.x.59767 > 144.0.2.180.80: Flags [S], seq
432024200, win 29200, options [mss 1460,sackOK,TS val 489705888 ecr
0,nop,wscale 7], length 0
17:20:01.535742 IP x.x.x.x.3066 > 144.0.2.180.80: Flags [S], seq
3089275800, win 29200, options [mss 1460,sackOK,TS val 120607136 ecr
0,nop,wscale 7], length 0
17:20:01.535745 IP x.x.x.x.32684 > 144.0.2.180.80: Flags [S], seq
772701555, win 29200, options [mss 1460,sackOK,TS val 120607136 ecr
0,nop,wscale 7], length 0
17:20:01.535748 IP x.x.x.x.46081 > 144.0.2.180.80: Flags [S], seq
2456438419, win 29200, options [mss 1460,sackOK,TS val 3166624 ecr
0,nop,wscale 7], length 0
17:20:01.535751 IP x.x.x.x.63621 > 144.0.2.180.80: Flags [S], seq
4292747884, win 29200, options [mss 1460,sackOK,TS val 489705888 ecr
0,nop,wscale 7], length 0
17:20:01.535755 IP x.x.x.x.34998 > 144.0.2.180.80: Flags [S], seq
1276406787, win 29200, options [mss 1460,sackOK,TS val 120607136 ecr
0,nop,wscale 7], length 0
17:20:01.535758 IP x.x.x.x.45565 > 144.0.2.180.80: Flags [S], seq
1952748956, win 29200, options [mss 1460,sackOK,TS val 489705888 ecr
0,nop,wscale 7], length 0
17:20:01.535761 IP x.x.x.x.10881 > 144.0.2.180.80: Flags [S], seq
864042716, win 29200, options [mss 1460,sackOK,TS val 456151456 ecr
0,nop,wscale 7], length 0
17:20:01.535764 IP x.x.x.x.25740 > 144.0.2.180.80: Flags [S], seq
844860645, win 29200, options [mss 1460,sackOK,TS val 120607136 ecr
0,nop,wscale 7], length 0
17:20:01.535768 IP x.x.x.x.41698 > 144.0.2.180.80: Flags [S], seq
4143246330, win 29200, options [mss 1460,sackOK,TS val 456151456 ecr
0,nop,wscale 7], length 0
17:20:01.535771 IP x.x.x.x.33675 > 144.0.2.180.80: Flags [S], seq
4234421352, win 29200, options [mss 1460,sackOK,TS val 3166624 ecr
0,nop,wscale 7], length 0
17:20:01.535774 IP x.x.x.x.29561 > 144.0.2.180.80: Flags [S], seq
3259913835, win 29200, options [mss 1460,sackOK,TS val 456151456 ecr
0,nop,wscale 7], length 0
17:20:01.535781 IP x.x.x.x.48206 > 144.0.2.180.80: Flags [S], seq
1763901178, win 29200, options [mss 1460,sackOK,TS val 3166624 ecr
0,nop,wscale 7], length 0
17:20:01.535785 IP x.x.x.x.16012 > 144.0.2.180.80: Flags [S], seq
4267317511, win 29200, options [mss 1460,sackOK,TS val 456151456 ecr
0,nop,wscale 7], length 0
17:20:01.535788 IP x.x.x.x.40429 > 144.0.2.180.80: Flags [S], seq
2948934565, win 29200, options [mss 1460,sackOK,TS val 3166624 ecr
0,nop,wscale 7], length 0
17:20:01.535791 IP x.x.x.x.32397 > 144.0.2.180.80: Flags [S], seq
284228193, win 29200, options [mss 1460,sackOK,TS val 120607136 ecr
0,nop,wscale 7], length 0
17:20:01.535794 IP x.x.x.x.4589 > 144.0.2.180.80: Flags [S], seq
3691689388, win 29200, options [mss 1460,sackOK,TS val 456151456 ecr
0,nop,wscale 7], length 0
17:20:01.535798 IP x.x.x.x.19138 > 144.0.2.180.80: Flags [S], seq
4274879265, win 29200, options [mss 1460,sackOK,TS val 456151456 ecr
0,nop,wscale 7], length 0
17:20:01.535801 IP x.x.x.x.50831 > 144.0.2.180.80: Flags [S], seq
692759421, win 29200, options [mss 1460,sackOK,TS val 472928672 ecr
0,nop,wscale 7], length 0
17:20:01.535804 IP x.x.x.x.705 > 144.0.2.180.80: Flags [S], seq
1646993093, win 29200, options [mss 1460,sackOK,TS val 456151456 ecr
0,nop,wscale 7], length 0
17:20:01.535807 IP x.x.x.x.22919 > 144.0.2.180.80: Flags [S], seq
3127903511, win 29200, options [mss 1460,sackOK,TS val 506483104 ecr
0,nop,wscale 7], length 0
17:20:01.535811 IP x.x.x.x.32892 > 144.0.2.180.80: Flags [S], seq
2255729455, win 29200, options [mss 1460,sackOK,TS val 506483104 ecr
0,nop,wscale 7], length 0
17:20:01.535814 IP x.x.x.x.53169 > 144.0.2.180.80: Flags [S], seq
3922977329, win 29200, options [mss 1460,sackOK,TS val 456151456 ecr
0,nop,wscale 7], length 0
17:20:01.535817 IP x.x.x.x.46265 > 144.0.2.180.80: Flags [S], seq
398975431, win 29200, options [mss 1460,sackOK,TS val 489705888 ecr
0,nop,wscale 7], length 0
17:20:01.535821 IP x.x.x.x.33022 > 144.0.2.180.80: Flags [S], seq
1804994818, win 29200, options [mss 1460,sackOK,TS val 489705888 ecr
0,nop,wscale 7], length 0
Panel developers, could you say something, or can you help?
Top
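An added example (not from the thread or from Hetzner): a small Python parser for tcpdump text output like the excerpt in the abuse e-mail above, which rejoins the records the e-mail wrapped across lines and reports destinations that receive a burst of bare SYN packets within one second. The sample records, the addresses and the threshold of 100 packets per second are constructed assumptions.

```python
import re
from collections import Counter

# tcpdump default text output, e.g. "17:20:01.535683 IP a.b.c.d.27695 > e.f.g.h.80: Flags [S], seq ..."
PKT = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)
NEW_RECORD = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d+ ")

def rejoin(lines):
    """Merge records that were wrapped across several lines (as in the e-mail)."""
    record = ""
    for line in lines:
        line = line.strip()
        if NEW_RECORD.match(line):
            if record:
                yield record
            record = line
        elif record and line:
            record += " " + line
    if record:
        yield record

def syn_flood_targets(lines, threshold=100):
    """Return {(src, dst, dport): peak bare-SYN packets seen in one second}
    for every flow whose peak reaches `threshold` (an assumed cut-off)."""
    per_second = Counter()
    for rec in rejoin(lines):
        m = PKT.match(rec)
        if m and m["flags"] == "S":  # bare SYN only; "S." would be a SYN-ACK
            per_second[(m["src"], m["dst"], m["dport"], m["ts"])] += 1
    peaks = {}
    for (src, dst, dport, _), n in per_second.items():
        key = (src, dst, int(dport))
        peaks[key] = max(peaks.get(key, 0), n)
    return {k: v for k, v in peaks.items() if v >= threshold}

# Constructed sample: 150 wrapped SYN records to one target, plus one ordinary SYN.
SAMPLE = []
for i in range(150):
    SAMPLE += [f"17:20:01.{535683 + i} IP 192.0.2.10.{20000 + i} > 203.0.113.5.80: Flags [S], seq",
               f"{1000 + i}, win 29200, options [mss 1460,sackOK,TS val 3166624 ecr",
               "0,nop,wscale 7], length 0"]
SAMPLE.append("17:20:02.000001 IP 192.0.2.10.40000 > 198.51.100.7.443: Flags [S], seq 1, length 0")

print(syn_flood_targets(SAMPLE))
```

On a suspect host the same function can be fed the lines of a saved capture printed as text; only the flagged destination and its per-second peak are returned.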

leobeer
Os: Ubuntu 15x
Web: apache + nginx

Post by leobeer » Fri Oct 12, 2018 8:27 am

Hetzner blocked my server too (
What can be done?

nightflash

Post by nightflash » Fri Oct 12, 2018 10:48 am

I confirm the problem. Hetzner blocked my server.

artweb_
Os: CentOS 6x
Web: nginx + php-fpm

Post by artweb_ » Fri Oct 12, 2018 11:11 am

Dear Sir or Madam

Your server with the above-mentioned IP address has carried out an attack on another server on the Internet.

This has placed a considerable strain on network resources and, as a result, a segment of our network has been adversely affected.

Your server has therefore been deactivated as a precautionary measure.

Hetzner has started blocking, nice, just nice, I have 10 more servers on Vesta...

nightflash

Post by nightflash » Fri Oct 12, 2018 11:50 am

Added the IP to my iptables rules. Blocked outgoing traffic to it. Now I'll try submitting an unblock request and keep monitoring...

Update: No luck...

Dear Client,
Your server was responsible for this traffic and caused an attack.
Please you have to take the right measures to solve this problem and to avoid this happening again.
You could also reinstall your server to be sure that your server is not compromised. Please have a closer look at your Server and how to secure it.
We would like to avoid further network abuse from your end.
I'm afraid we can't unblock your server until the problem is solved. You may use a KVM console or the white list option to gain access to your server. For more details please refer to:

inakma87
Os: CentOS 6x
Web: nginx + php-fpm

Post by inakma87 » Fri Oct 12, 2018 4:43 pm

Closed access to port 8083.
Looks like access has been reopened.

hookz
Os: Ubuntu 17x
Web: nginx + php-fpm

Post by hookz » Fri Oct 12, 2018 5:15 pm

Are bots hammering port 8083?

inakma87
Os: CentOS 6x
Web: nginx + php-fpm

Post by inakma87 » Sat Oct 13, 2018 8:20 pm

I don't know, maybe there is a vulnerability in the web interface; when a script is run it starts hammering. The web interface has no access logs, so there's no way to find out. I just closed it and that's it.

Alex Connor
Support team
Os: CentOS 6x
Web: apache + nginx

Post by Alex Connor » Sun Oct 14, 2018 7:16 pm

inakma87 wrote (Sat Oct 13, 2018 8:20 pm):
"The web interface has no access logs, so there's no way to find out"

Wouldn't it be easier to add those logs in the config and then see what's what?

imperio
VestaCP Team

Post by imperio » Thu Oct 18, 2018 12:20 pm

Update your servers to version 23.

All times are UTC