We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
After this, the best thing to do is to get backups, reinstall the server and restore it.
It's hassle free and you'll keep peace of mind.
Re: Got 10 VestaCP servers exploited
Just did an update using the CLI. Please note that /usr/local/vesta/nginx/nginx.conf was not updated.
Access log should be manually enabled after the update for easier debugging in future.
Re: Got 10 VestaCP servers exploited
Everything is still the same with my server.
I already deleted /lib/libudev.so and gcc.sh, it just keeps coming back,
and these random letters in /etc/init.d.
Re: Got 10 VestaCP servers exploited
I already deleted /lib/libudev.so and gcc.sh it just keeps coming back
try to search and kill active virus process (processes)
Re: Got 10 VestaCP servers exploited
Thanks.
I chmod 0000 first the libudev.so before removing it like what your link said.
Removing it head on will just instantly generate a new one.
Looks like my server is stable now. I'll give an update to this thread.
Re: Got 10 VestaCP servers exploited
Version 0.9.8-20 does not seem to be released for Debian 9.
Code:
apt-get -qq update && apt-cache show vesta | grep "Version"
Version: 0.9.8-19
Re: Got 10 VestaCP servers exploited
Updated to V20 but still monitoring.
For the POST log, it seems like the hacker removed my IP from his pool. No trace of access from him since.
Re: Got 10 VestaCP servers exploited
I am also monitoring. 1 hr after, so far so good.
I'm not sure if I was out of his pool, but definitely the viruses are not replicating themselves anymore.
How did someone know who uses VestaCP anyway?
Re: Got 10 VestaCP servers exploited
For those people that want to help us with honeypots.
In /usr/local/vesta/web/api/index.php
after the first line, please add this line:
Code:
file_put_contents('/tmp/postlog.txt', 'API: '.$_SERVER["REMOTE_ADDR"] . ' = ' . print_r($_POST, true), FILE_APPEND);
In /usr/local/vesta/web/login/index.php
after the first line, please add this line:
Code:
file_put_contents('/tmp/postlog.txt', 'LOGIN: '.$_SERVER["REMOTE_ADDR"] . ' = ' . print_r($_POST, true), FILE_APPEND);
Then, via SSH, run this from your computer (or from another server), and when you see strange codes send them to us at [email protected]
Code:
tailf /tmp/postlog.txt
DO NOT do this on production servers (because the file will contain all passwords and the file will be readable by any user on the server)
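The warning in that post is the important part: the one-line honeypot writes every submitted password, in clear text, into a world-readable file under /tmp. The following is an added example (not code from the post and not part of VestaCP) of the same logging idea in a form that can be left in place longer: credential-like fields are redacted before anything is written, the file is created owner-only rather than world-readable, each record carries a timestamp and request path, and concurrent requests are serialised with a lock. The log path, the list of sensitive keys and the function names are assumptions chosen for this example; the request in the stand-alone section is constructed, not captured traffic.

```php
<?php
// Added example, not VestaCP code: a safer replacement for the
// file_put_contents() honeypot line quoted in the thread.
// Assumed: the log path below (not a VestaCP path) and the key list.

const HONEYPOT_LOG = '/var/log/vesta-postlog.txt';
const SENSITIVE_KEYS = ['password', 'passwd', 'pass', 'hash', 'token', 'key'];

/**
 * Return a copy of $post with credential-like fields masked.
 * Nested arrays are walked recursively so fields such as
 * user[password] are caught as well. Only the length of the redacted
 * value is kept, so an empty probe and a real credential still differ.
 */
function redactPost(array $post): array
{
    $out = [];
    foreach ($post as $k => $v) {
        if (is_array($v)) {
            $out[$k] = redactPost($v);
        } elseif (in_array(strtolower((string) $k), SENSITIVE_KEYS, true)) {
            $out[$k] = sprintf('[redacted, %d bytes]', strlen((string) $v));
        } else {
            $out[$k] = (string) $v;
        }
    }
    return $out;
}

/**
 * Build one single-line log record. $tag is 'API' or 'LOGIN', matching
 * the two insertion points named in the post. JSON keeps the record on
 * one line, which makes later grepping by IP or field much easier than
 * the multi-line print_r() output.
 */
function formatRecord(string $tag, string $remoteAddr, string $uri, array $post): string
{
    return sprintf(
        "%s %s: %s %s = %s\n",
        gmdate('Y-m-d\TH:i:s\Z'),
        $tag,
        $remoteAddr,
        $uri,
        json_encode(redactPost($post), JSON_UNESCAPED_SLASHES)
    );
}

/**
 * Append a record for the current request. A temporary umask of 0077
 * makes the file 0600 when it is first created, so other local users
 * cannot read it; LOCK_EX prevents interleaved writes from parallel
 * requests.
 */
function logPost(string $tag, string $path = HONEYPOT_LOG): void
{
    $record = formatRecord(
        $tag,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown',
        $_SERVER['REQUEST_URI'] ?? '-',
        $_POST
    );
    $oldUmask = umask(0077);
    file_put_contents($path, $record, FILE_APPEND | LOCK_EX);
    umask($oldUmask);
}

// In /usr/local/vesta/web/api/index.php the call would be logPost('API');
// in /usr/local/vesta/web/login/index.php it would be logPost('LOGIN');.
//
// Stand-alone demonstration on a constructed request (not real traffic):
if (PHP_SAPI === 'cli') {
    $sample = ['user' => 'admin', 'password' => 'Secret123', 'cmd' => 'v-list-users'];
    echo formatRecord('API', '203.0.113.7', '/api/index.php', $sample);
    // The password appears only as "[redacted, 9 bytes]".
}
```

Run with the php CLI to see the redacted record format; the redaction is a best-effort key match, so any additional field names that carry secrets on a given installation should be added to SENSITIVE_KEYS before deploying. Like the original snippet, this is diagnostic code and should still be removed once the data has been collected.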
Re: Got 10 VestaCP servers exploited
Hi everyone, I just want to ask a few simple questions:
- Were any of the VestaCP installs on HTTPS?
- Is it a good idea to change the VestaCP port 8083? (= stealth mode)
I am on Ubuntu 16.04 - Apache Nginx
The entire install is on HTTPS (Let's Encrypt).
One note with my install is that Roundcube does not function at this time:
database connection error... Will fix that later.
I have turned off my server at this time. Will upgrade ASAP.
Thanks and good luck guys
PS: my host emailed me about this issue.