Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
soguor wrote: ↑Sun Apr 08, 2018 4:07 pm
> Hi, I have two VPSs on OVH that were attacked. I downloaded the last three backups of Vesta from /backup and reinstalled the OS (Debian 9) with VestaCP. I restored the backup on the new installation and changed the port of VestaCP. At the moment, I am monitoring and don't see anything wrong. On my VPSs, the archives in /backup are not affected (at the moment).

The problem isn't fixed and therefore it's not a good idea to leave it open... you'll just end up with another infected machine.
Re: Got 10 VestaCP servers exploited
Experienced the same hack on my VestaCP server (CentOS 7.x) earlier today, came across this thread only now. Deleting the malicious script only caused gcc.sh to reinstall it. Followed the steps outlined here: https://superuser.com/a/1004724 to change /lib/ folder permissions, secure cron permissions, delete the initial scripts, and afterwards deleted the libudev.so file.
Note that a cron is added to both the cron.hourly file as well as the cron.hourly/ folder
Hope this helps someone!
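
A check for the artifacts named in the post above, as an added example that is not part of the original thread. The post names only `gcc.sh`, `libudev.so`, `/lib/` and `cron.hourly`; the exact paths below and the `scan_indicators` function with its root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: scan a filesystem root for the artifacts named in the post.
# Assumed locations: /etc/cron.hourly/gcc.sh, a libudev.so regular file
# directly in /lib, and any cron table that mentions gcc.sh.

scan_indicators() {
    root="${1:-}"        # e.g. /mnt/image; empty or "/" means the live system
    root="${root%/}"
    found=0

    # 1. The script the post says reinstalls the malware.
    if [ -e "$root/etc/cron.hourly/gcc.sh" ]; then
        echo "FOUND script: $root/etc/cron.hourly/gcc.sh"
        found=$((found + 1))
    fi

    # 2. Cron tables that call it (the post notes the cron entry is added
    #    in more than one place, so check every table, not just one).
    for f in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        if grep -q 'gcc\.sh' "$f"; then
            echo "FOUND cron entry: $f"
            found=$((found + 1))
        fi
    done

    # 3. A regular file named libudev.so in /lib. A symlink of that name is
    #    not counted; it is reported separately for manual review.
    lib="$root/lib/libudev.so"
    if [ -L "$lib" ]; then
        echo "REVIEW symlink: $lib -> $(readlink "$lib")"
    elif [ -f "$lib" ]; then
        echo "FOUND binary: $lib"
        found=$((found + 1))
    fi

    # Exit status: 0 when nothing was found, 1 otherwise.
    [ "$found" -eq 0 ]
}

# Usage: scan_indicators /            (live system, run as root)
#        scan_indicators /mnt/image   (disk mounted from a rescue system)
```

A clean result only means these three artifacts are absent; it says nothing about other changes made to the host.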
Re: Got 10 VestaCP servers exploited
Prime wrote: ↑Sun Apr 08, 2018 4:14 pm
> soguor wrote: ↑Sun Apr 08, 2018 4:07 pm
> > Hi, I have two VPSs on OVH that were attacked. I downloaded the last three backups of Vesta from /backup and reinstalled the OS (Debian 9) with VestaCP. I restored the backup on the new installation and changed the port of VestaCP. At the moment, I am monitoring and don't see anything wrong. On my VPSs, the archives in /backup are not affected (at the moment).
>
> The problem isn't fixed and therefore it's not a good idea to leave it open... you'll just end up with another infected machine.

I know the risk, but can't have these servers stopped.
Re: Got 10 VestaCP servers exploited
So it isn't a Roundcube issue; rather, the vulnerability is in the Vesta core files, and the Vesta team has assured a security patch tomorrow. Wait for it.
Re: Got 10 VestaCP servers exploited
Prime wrote: ↑Sun Apr 08, 2018 3:35 pm
> Wonder how many hosts are infected, considering this...
> https://status.digitalocean.com/incidents/jzszyktwsrss
>
> Our engineering team continues to work to resolve the networking issue impacting our NYC regions. We believe a previously undisclosed vulnerability in software by some customers on their Droplets is allowing for denial of service (DoS) attacks against targets outside of DigitalOcean. Our Trust & Safety team is also engaged to resolve this incident; in an effort to protect unaffected Droplets, we will block inbound traffic to TCP/8083. We will continue to post updates here as more information becomes available, and we will provide additional guidance for customers to determine whether their Droplets are impacted, and how to work around the block to continue to safely access their software.

Thanks for sharing this link. I cannot access the Vesta GUI today on my DigitalOcean servers. This DigitalOcean message saying they have blocked inbound traffic to 8083 seems to explain it (I have other servers on Vultr which still work). Once DigitalOcean re-opens the access to 8083, what is recommended so that I can protect my Vesta GUI?
Re: Got 10 VestaCP servers exploited
vesta_mtl wrote: ↑Sun Apr 08, 2018 5:52 pm
> Prime wrote: ↑Sun Apr 08, 2018 3:35 pm
> > Wonder how many hosts are infected, considering this...
> > https://status.digitalocean.com/incidents/jzszyktwsrss
> >
> > Our engineering team continues to work to resolve the networking issue impacting our NYC regions. We believe a previously undisclosed vulnerability in software by some customers on their Droplets is allowing for denial of service (DoS) attacks against targets outside of DigitalOcean. Our Trust & Safety team is also engaged to resolve this incident; in an effort to protect unaffected Droplets, we will block inbound traffic to TCP/8083. We will continue to post updates here as more information becomes available, and we will provide additional guidance for customers to determine whether their Droplets are impacted, and how to work around the block to continue to safely access their software.
>
> Thanks for sharing this link. I cannot access the Vesta GUI today on my DigitalOcean servers. This DigitalOcean message saying they have blocked inbound traffic to 8083 seems to explain it (I have other servers on Vultr which still work). Once DigitalOcean re-opens the access to 8083, what is recommended so that I can protect my Vesta GUI?

They can only block ports during attacks. The main issue is the CP script we're using, as DDoS attacks are not allowed on 99% of hosts.
Re: Got 10 VestaCP servers exploited
If you can access your server via SSH, you are able to change the port of VestaCP right now.
- Choose a new port
- If it's necessary, open the new port in your firewall
- Edit your VestaCP nginx config

    /usr/local/vesta/nginx/conf/nginx.conf

- Search for this line and replace 8083 with your new port

    server {
    listen 8083;

- Restart your server or, at least, VestaCP and your firewall
- Then, you can close 8083 in your firewall if you want
- Check if you are able to connect to your VestaCP installation on the new port
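
The config edit from the steps above as a script, added here as an example and not part of the original post. The function name `change_vesta_port`, the `.bak` backup and the 1024-65535 port policy are choices made for this example; the config path and the `listen 8083;` line come from the post.

```shell
#!/bin/sh
# Added example: rewrite the panel's listen port in the VestaCP nginx config.
VESTA_NGINX_CONF=/usr/local/vesta/nginx/conf/nginx.conf   # path from the post

change_vesta_port() {
    new="$1"
    conf="${2:-$VESTA_NGINX_CONF}"

    # Accept only a plain decimal port: no empty value, no leading zero,
    # no non-digits (blocks "80;83" style input), at most five digits.
    case "$new" in
        ''|0*|*[!0-9]*|??????*)
            echo "invalid port: $new" >&2; return 2 ;;
    esac
    # Example policy (assumption): unprivileged range, and not the old port.
    if [ "$new" -lt 1024 ] || [ "$new" -gt 65535 ] || [ "$new" -eq 8083 ]; then
        echo "choose a port in 1024-65535 other than 8083" >&2; return 2
    fi

    # Match only the listen directive; tolerates extra parameters after
    # the port. Other occurrences of "8083" in the file are left alone.
    pat='^([[:space:]]*listen[[:space:]]+)8083([[:space:];])'
    if ! grep -Eq "$pat" "$conf"; then
        echo "no 'listen 8083' directive in $conf" >&2; return 1
    fi

    # Keep a copy to roll back to, then rewrite in place so the file keeps
    # its owner and mode.
    cp -p "$conf" "$conf.bak" || return 1
    sed -E "s/$pat/\\1${new}\\2/" "$conf.bak" > "$conf" || return 1

    # Succeed only if the new directive is really there.
    grep -Eq "^[[:space:]]*listen[[:space:]]+${new}[[:space:];]" "$conf"
}

# Usage (as root, after opening the new port in the firewall):
#   change_vesta_port 8443
```

Restart the panel afterwards and confirm the new port answers before closing 8083 in the firewall, in the order the steps above give.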