Got 10 VestaCP servers exploited

crackerizer · Post by **crackerizer** » Sun Apr 08, 2018 2:29 pm

@StudioMaX, could you delete the quote?
I have rebooted my VPS to rescue mode for inspection.

ivcha92 · Post by **ivcha92** » Sun Apr 08, 2018 2:30 pm

lukapaunovic wrote: ↑
Sun Apr 08, 2018 2:13 pm
@dpeca brother found out this

https://github.com/serghey-rodin/vesta/ ... ex.php#L71

Unescaped

I don't think issue is there since it cannot be executed if session is not validated. I am more concerned with password field escaping since it will be executed on each login attempt so there is no need to have valid password or hash to execute it

Post by **imperio** » Sun Apr 08, 2018 2:31 pm

I think we found a vulnerability. Fix will be today

ivcha92 · Post by **ivcha92** » Sun Apr 08, 2018 2:36 pm

imperio wrote: ↑
Sun Apr 08, 2018 2:31 pm
I think we found a vulnerability. Fix will be today

Can we get more info, a hint to what module issue is related ? Can we be sure that is absolutely not related to RoundCube since I have servers on VestaCp which are sill operational. Vesta service is of course disabled.

crackerizer · Post by **crackerizer** » Sun Apr 08, 2018 2:38 pm

I'm glad to hear. Can't wait to see the commit.

jodumont · Post by **jodumont** » Sun Apr 08, 2018 2:39 pm

Just to remove some water on the fire
This same hack append to me almost a year ago
on a server where I use ISPConfig.

With a Terabytes connection the ISP (exoscale) charge me 2000$ for a almost 48h of DDOS
they never showed me the log ;)

So All that to say it's not specific to VestaCP

If I may, make a recommendation; I personally block the port 8083 and only use the VestaCP via a ssh redirection
something like

ssh user@server -L8083:localhost:8083

ivcha92 · Post by **ivcha92** » Sun Apr 08, 2018 2:43 pm

jodumont wrote: ↑
Sun Apr 08, 2018 2:39 pm
Just to remove some water on the fire
This same hack append to me almost a year ago
on a server where I use ISPConfig.

With a Terabytes connection the ISP (exoscale) charge me 2000$ for a almost 48h of DDOS
they never showed me the log ;)

So All that to say it's not specific to VestaCP

If I may, make a recommendation; I personally block the port 8083 and only use the VestaCP via a ssh redirection
something like

ssh user@server -L8083:localhost:8083

I may be also good idea to set up VPN and allow vesta connection only via VPN

Prime · Post by **Prime** » Sun Apr 08, 2018 2:59 pm

I think the main issue here is the fact that the API runs as root... that is a major security hole alone.

vesta92 · Post by **vesta92** » Sun Apr 08, 2018 3:02 pm

I'm not a server expert but my two customers VPS is Down who running Vestacp.
Please help me anyone, I need help badly.

jodumont · Post by **jodumont** » Sun Apr 08, 2018 3:02 pm

ivcha92 wrote: ↑
Sun Apr 08, 2018 2:43 pm

I may be also good idea to set up VPN and allow vesta connection only via VPN

this is true
but you could also make a bastion than only authorize it
use TINC or only authorize the port 8083 through TOR
authorise only your VPN provider or pay for a static IP at home and authorise only this one
and so on ...

I was mentioning the SSH solution because it take 2sec to put in place and don't add any charge/service/process on the server.

Vesta Control Panel - Forum

Got 10 VestaCP servers exploited

Re: Got 10 VestaCP servers exploited

Re: Got 10 VestaCP servers exploited

Re: Got 10 VestaCP servers exploited

Re: Got 10 VestaCP servers exploited

Re: Got 10 VestaCP servers exploited

Re: Got 10 VestaCP servers exploited

Re: Got 10 VestaCP servers exploited

Re: Got 10 VestaCP servers exploited

Re: Got 10 VestaCP servers exploited

Re: Got 10 VestaCP servers exploited

Login • Register