Got 10 VestaCP servers exploited
- Posts: 11
- Joined: Sun Apr 08, 2018 12:08 pm
- Os: Ubuntu 15x
- Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited
@StudioMaX, could you delete the quote?
I have rebooted my VPS to rescue mode for inspection.
Re: Got 10 VestaCP servers exploited
lukapaunovic wrote: ↑Sun Apr 08, 2018 2:13 pm
@dpeca brother found out this
https://github.com/serghey-rodin/vesta/ ... ex.php#L71
Unescaped

I don't think the issue is there, since it cannot be executed if the session is not validated. I am more concerned with the password field escaping, since it will be executed on each login attempt, so there is no need to have a valid password or hash to execute it.
Re: Got 10 VestaCP servers exploited
I think we found a vulnerability. The fix will be today.
Re: Got 10 VestaCP servers exploited
Can we get more info, a hint as to which module the issue is related to? Can we be sure that it is absolutely not related to RoundCube, since I have servers on VestaCP which are still operational? The Vesta service is of course disabled.
- Posts: 11
- Joined: Sun Apr 08, 2018 12:08 pm
- Os: Ubuntu 15x
- Web: nginx + php-fpm
Re: Got 10 VestaCP servers exploited
I'm glad to hear. Can't wait to see the commit.
Re: Got 10 VestaCP servers exploited
Just to remove some water on the fire.
This same hack happened to me almost a year ago
on a server where I use ISPConfig.
With a Terabytes connection, the ISP (exoscale) charged me $2000 for almost 48h of DDoS;
they never showed me the log ;)
So, all that to say, it's not specific to VestaCP.
If I may make a recommendation: I personally block port 8083 and only use VestaCP via an SSH redirection,
something like
ssh user@server -L8083:localhost:8083
Re: Got 10 VestaCP servers exploited
jodumont wrote: ↑Sun Apr 08, 2018 2:39 pm
Just to remove some water on the fire.
This same hack happened to me almost a year ago
on a server where I use ISPConfig.
With a Terabytes connection, the ISP (exoscale) charged me $2000 for almost 48h of DDoS;
they never showed me the log ;)
So, all that to say, it's not specific to VestaCP.
If I may make a recommendation: I personally block port 8083 and only use VestaCP via an SSH redirection,
something like
ssh user@server -L8083:localhost:8083

It may also be a good idea to set up a VPN and allow Vesta connections only via the VPN.
Re: Got 10 VestaCP servers exploited
I think the main issue here is the fact that the API runs as root... that is a major security hole alone.
Re: Got 10 VestaCP servers exploited
I'm not a server expert, but my two customers' VPSs running VestaCP are down.
Please help me, anyone; I need help badly.
Re: Got 10 VestaCP servers exploited
This is true,
but you could also make a bastion and only authorize it,
use TINC, or only authorize port 8083 through Tor,
authorize only your VPN provider, or pay for a static IP at home and authorize only that one,
and so on ...
I was mentioning the SSH solution because it takes 2 seconds to put in place and doesn't add any charge/service/process on the server.
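Added example, not code from this thread or from VestaCP: a POSIX sh audit of the exposure the two posts above recommend removing (the earlier SSH-redirection post and this one). It reads listener lines in the layout printed by `ss -tln` (a constructed sample is embedded), reports whether the panel port 8083 is bound on a non-loopback address, and prints the SSH local-forward command from the earlier post as the replacement access path; `user@server` is a placeholder.

```shell
#!/bin/sh
# Added example, not from the forum thread or VestaCP: check whether the panel
# port is bound to a non-loopback address (the exposure the thread recommends
# removing) and print the SSH local-forward alternative.

PANEL_PORT=8083

# Constructed sample in the column layout printed by `ss -tln`; on a real host
# feed live output instead:  ss -tln | exposed_listeners "$PANEL_PORT"
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:8083        0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

# exposed_listeners PORT  (reads ss output on stdin)
# Prints every local address on which PORT listens that is not loopback.
exposed_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      addr = $4
      n = split(addr, parts, ":")
      if (parts[n] != port) next
      # strip ":PORT" to get the bound address (IPv4, or bracketed IPv6)
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host == "127.0.0.1" || host == "[::1]") next
      print host
    }'
}

# panel_exposed PORT  (reads ss output on stdin): succeeds when PORT is bound
# on a non-loopback address, fails when it is loopback-only or not listening.
panel_exposed() {
  [ -n "$(exposed_listeners "$1")" ]
}

# tunnel_command SSH_TARGET PORT: the local forward that replaces the open
# port, as in the post above. SSH_TARGET is a placeholder such as user@server.
tunnel_command() {
  printf 'ssh %s -L%s:localhost:%s\n' "$1" "$2" "$2"
}

if printf '%s\n' "$SAMPLE_LISTENERS" | panel_exposed "$PANEL_PORT"; then
  echo "port $PANEL_PORT is bound on: $(printf '%s\n' "$SAMPLE_LISTENERS" | exposed_listeners "$PANEL_PORT" | tr '\n' ' ')"
  echo "firewall it and connect with: $(tunnel_command user@server "$PANEL_PORT")"
else
  echo "port $PANEL_PORT is loopback-only or not listening"
fi
```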