Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
Mag37 wrote: ↑Mon Apr 09, 2018 1:38 am
Hi everyone, I just want to ask a few simple questions:
- Were any of the VestaCP installs on HTTPS?
My installation is and did not get hacked (I have turned it off as I write)
- Is it a good idea to change VestaCP port 8083? (= stealth mode)
I am on Ubuntu 16.04 - Apache Nginx
the entire install is on https (letsencrypt)
One note with my install is that Roundcube does not function at this time
database connection error... Will fix that later
I have turned off my server at this time. Will upgrade ASAP
Thanks and good luck guys
PS: my host emailed me about this issue.

Were any of the VestaCP installs on HTTPS? - Yes. All of my sites and VestaCP.
Is it a good idea to change VestaCP port 8083? (= stealth mode) - I had mine on a different port, but still got hacked. But yes, this is still a good idea.
Re: Got 10 VestaCP servers exploited
Can it be confirmed whether the patch contained generic security fixes that were proposed to potentially be connected or if the patch is designed to directly address the common attack vector used to compromise servers in the last 48 hours?
Re: Got 10 VestaCP servers exploited
In my case:
all Vesta installs that did not install exim and dovecot are safe
--exim no --dovecot no (at install time)
but some of my Vesta installs that did install exim and dovecot were infected with gcc.sh
Re: Got 10 VestaCP servers exploited
To add to that, I shut down the panel on two servers hosting hundreds of customers late last night (US/Central, roughly 20h ago) which had every service installed. These had not been compromised.
I highly suspect that the attackers were going through IP ranges and had/have not gotten to every range yet. You and I are fortunate to only have to say "panel is down for now." :)
Re: Got 10 VestaCP servers exploited
I run a host that uses VestaCP for the API, so I had patched everything but also made a script to change the port from 8083 to 5600 and changed the firewall to add the port.
If you want to use it, the command is
Code: Select all
curl http://www.nodehost.ca/scripts/sh/vestacp_changeport.sh > vestacp_changeport.sh && bash vestacp_changeport.sh
You can see the code directly at http://www.nodehost.ca/scripts/sh/vestacp_changeport.sh and it will show what it will do; this is also the code below, just in case you want to make it in your own file and run it.
Code: Select all
echo "NodeHost Custom VESTACP Script"
echo "JOB: Changing VESTACP port"
string="listen 8083;"
stringnew="listen 5600;"
# Only rewrite the listen directive if the new port is not already configured
grep "$stringnew" /usr/local/vesta/nginx/conf/nginx.conf || sed -i "s/$string/$stringnew/g" /usr/local/vesta/nginx/conf/nginx.conf
echo "JOB: Complete"
echo "JOB: Changing VESTACP firewall rule for new port"
# Open the new panel port to every source address
v-add-firewall-rule ACCEPT 0.0.0.0/0 5600 TCP
echo "JOB: Complete"
echo "JOB: Restarting VESTACP"
service vesta restart
echo "JOB: Complete"
echo "JOB: Port has been changed to 5600 from 8083"
Hope this helps anyone wanting to quickly change the port.
Re: Got 10 VestaCP servers exploited
This is the fastest easiest SSH Command line to change your VestaCP port. I'm changing it here with 8383, you can replace 8383 with any other (uncommon) port number if you want.
Code: Select all
sed -i 's/8083;/8383;/' /usr/local/vesta/nginx/conf/nginx.conf
/usr/local/vesta/bin/v-add-firewall-rule ACCEPT 0.0.0.0/0 8383 TCP gVestaCP
# DROP 8083 in Firewall (if you want to block)
Code: Select all
sed -i -e '/8083/ s/ACCEPT/DROP/' /usr/local/vesta/data/firewall/rules.conf
Double check if it shows DROP for 8083
Code: Select all
nano /usr/local/vesta/data/firewall/rules.conf
Code: Select all
v-update-firewall
systemctl restart vesta
If you are still not able to login at your custom port, stop firewall
Code: Select all
/usr/local/vesta/bin/v-stop-firewall
then restart firewall from within your WebUI
Note: Seasoned admins may want to restrict access to WebUI for only their known IP... so replace ACCEPT 0.0.0.0/0 with your IP
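A read-only check of the result of the commands in the post above, added here as an example and not part of the thread: it confirms the panel no longer listens on the old port, that no ACCEPT rule remains for it, and flags a panel port that is still open to 0.0.0.0/0. The KEY='value' layout of rules.conf, the function names and the sample data are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: each line of rules.conf is
# one rule written as KEY='value' pairs (ACTION, PORT, IP, ...).

panel_ports() {  # $1 = nginx.conf; prints the port of each bare "listen N;" line
  sed -n 's/^[[:space:]]*listen[[:space:]]\{1,\}\([0-9]\{1,\}\)[^.0-9].*/\1/p' "$1"
}

rules_for_port() {  # $1 = rules.conf, $2 = port; prints "ACTION IP" per matching rule
  awk -v want="$2" -v q="'" '
    function field(name) {
      if (!match($0, name "=" q "[^" q "]*" q)) return ""
      return substr($0, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
    }
    {
      n = split(field("PORT"), p, ",")   # PORT may be a list such as 21,12000-12100
      for (i = 1; i <= n; i++) {
        lo = hi = p[i]
        if (split(p[i], r, "-") == 2) { lo = r[1]; hi = r[2] }
        if (want + 0 >= lo + 0 && want + 0 <= hi + 0) {
          print field("ACTION"), field("IP"); break
        }
      }
    }' "$1"
}

audit_panel() {  # $1 = nginx.conf, $2 = rules.conf, $3 = old port; returns 1 on FAIL
  status=0
  for port in $(panel_ports "$1"); do
    [ "$port" = "$3" ] && { echo "FAIL: panel still listens on $3"; status=1; }
    rules_for_port "$2" "$port" | grep -qx 'ACCEPT 0\.0\.0\.0/0' &&
      echo "WARN: panel port $port accepts any source address"
  done
  rules_for_port "$2" "$3" | grep -q '^ACCEPT ' &&
    { echo "FAIL: firewall still accepts port $3"; status=1; }
  return "$status"
}

# Constructed sample: state after the sed and v-add-firewall-rule commands above.
tmp=$(mktemp -d)
printf 'server {\n    listen 8383;\n}\n' > "$tmp/nginx.conf"
cat > "$tmp/rules.conf" <<'EOF'
RULE='1' ACTION='DROP' PROTOCOL='TCP' PORT='8083' IP='0.0.0.0/0' COMMENT='VESTA'
RULE='2' ACTION='ACCEPT' PROTOCOL='TCP' PORT='18083' IP='0.0.0.0/0' COMMENT='OTHER'
RULE='3' ACTION='ACCEPT' PROTOCOL='TCP' PORT='8383' IP='0.0.0.0/0' COMMENT='gVestaCP'
EOF
audit_panel "$tmp/nginx.conf" "$tmp/rules.conf" 8083 || true
```

The port is compared as an exact field value, so the constructed rule for 18083 is not counted as a rule for 8083.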
Re: Got 10 VestaCP servers exploited
Do these lines close (block) my 8083 port? If not, how to completely close 8083 port?
mehargags wrote: ↑Mon Apr 09, 2018 3:06 am
This is the fastest easiest SSH Command line to change your VestaCP port. I'm changing it here with 8383, you can replace 8383 with any other (uncommon) port number if you want.
Code: Select all
sed -i 's/8083;/8383;/' /usr/local/vesta/nginx/conf/nginx.conf
/usr/local/vesta/bin/v-add-firewall-rule ACCEPT 0.0.0.0/0 8383 TCP gVestaCP
v-update-firewall
systemctl restart vesta
If you are still not able to login at your custom port, stop firewall
Code: Select all
/usr/local/vesta/bin/v-stop-firewall
then restart firewall from within your WebUI
Re: Got 10 VestaCP servers exploited
Ok
I updated the post...so read it again.
DROP 8083 in Firewall (if you want to block)
Code: Select all
sed -i -e '/8083/ s/ACCEPT/DROP/' /usr/local/vesta/data/firewall/rules.conf
Code: Select all
nano /usr/local/vesta/data/firewall/rules.conf
Re: Got 10 VestaCP servers exploited
mehargags wrote: ↑Mon Apr 09, 2018 3:06 am
This is the fastest easiest SSH Command line to change your VestaCP port. I'm changing it here with 8383, you can replace 8383 with any other (uncommon) port number if you want.
Code: Select all
sed -i 's/8083;/8383;/' /usr/local/vesta/nginx/conf/nginx.conf
/usr/local/vesta/bin/v-add-firewall-rule ACCEPT 0.0.0.0/0 8383 TCP gVestaCP
# DROP 8083 in Firewall (if you want to block)
Code: Select all
sed -i -e '/8083/ s/ACCEPT/DROP/' /usr/local/vesta/data/firewall/rules.conf
Double check if it shows DROP for 8083
Code: Select all
nano /usr/local/vesta/data/firewall/rules.conf
Code: Select all
v-update-firewall
systemctl restart vesta
If you are still not able to login at your custom port, stop firewall
Code: Select all
/usr/local/vesta/bin/v-stop-firewall
then restart firewall from within your WebUI
Note: Seasoned admins may want to restrict access to WebUI for only their known IP... so replace ACCEPT 0.0.0.0/0 with your IP

Awesome! I forgot about using sed to use it in one script
Re: Got 10 VestaCP servers exploited
Same here, my server was using NGINX plus Apache2.
Hetzner suspended one of my servers a week after I installed VestaCP and told me that it could be VestaCP; seeing this thread, I'm sure it's VestaCP.