Vesta Control Panel - Forum

Community Forum

Got 10 VestaCP servers exploited

General questions about VestaCP
549 posts, page 36 of 55
kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Got 10 VestaCP servers exploited

Post by kobo1d » Mon Apr 09, 2018 3:16 pm

If the backdoor really is not shipped from the repo, it can only be a serious bug inside the VestaCP service, no matter which port you run it on and whether it's protected or not.
And I can't figure out how that should be possible...

Until it's clear and the update is fully available, I still suggest stopping your Vesta main service.

darkworks
Posts: 21
Joined: Wed Jan 20, 2016 5:10 am

Os: Debian 7x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by darkworks » Mon Apr 09, 2018 3:20 pm

pipoy wrote (Mon Apr 09, 2018 2:58 pm):
    RevengeFNF wrote (Mon Apr 09, 2018 2:50 pm):
        n0x wrote (Mon Apr 09, 2018 2:43 pm):
            I don't think it was the repo. I had installations that were made 3 months ago and last updated in Jan 2018 suddenly get exploited around mid-day on Saturday 7th April.

            This is almost definitely a vulnerability within the code. I would guess it allowed a malicious user to access the 'admin' account and execute, given the update 0.9.8-20 that was released:

                Hardening password checks
                Auth fix

            It would be interesting to know what was fixed without having to go through the code for a comparison to 0.9.8-19.
        That doesn't explain how people that did have port 8083 blocked were hacked, because it means there was no access to the Web UI.
    True. I had a different port on 1 of my servers and still got hacked.
They can do a port scan, so it does not matter if you were using 8083 or not.

darkworks
Posts: 21
Joined: Wed Jan 20, 2016 5:10 am

Os: Debian 7x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by darkworks » Mon Apr 09, 2018 3:24 pm

Good that my VPS is safe :). Now I hope they approve security enhancements. Months ago I suggested 2-factor auth and Google captcha multiple times, but they declined it with childish arguments: "I do not want to enter a captcha for my own panel". Now here you go, hope you learned your lesson.

really
Posts: 21
Joined: Mon Mar 05, 2018 3:44 am

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by really » Mon Apr 09, 2018 3:29 pm

darkworks wrote (Mon Apr 09, 2018 3:24 pm):
    Good that my VPS is safe :). Now I hope they approve security enhancements. Months ago I suggested 2-factor auth and Google captcha multiple times, but they declined it with childish arguments: "I do not want to enter a captcha for my own panel". Now here you go, hope you learned your lesson.
Tell me please, how would an extra anti-brute-force mechanism prevent this hack from happening? Fail2ban is already doing that job in a way that's less annoying to the user.

I myself am against captcha at login time. That's the dumbest non-security-enhancing nuisance that has happened to the internet of late.

popcornphp
Posts: 3
Joined: Fri Dec 16, 2016 3:46 pm

Os: Ubuntu 15x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by popcornphp » Mon Apr 09, 2018 3:33 pm

really wrote (Mon Apr 09, 2018 3:29 pm):
    I myself am against captcha at login time. That's the dumbest non-security-enhancing nuisance that has happened to the internet of late.
Developers can implement multi-factor authentication through the Telegram Bot API. But I think it will not help.

darkworks
Posts: 21
Joined: Wed Jan 20, 2016 5:10 am

Os: Debian 7x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by darkworks » Mon Apr 09, 2018 3:38 pm

I have not heard of anyone bypassing Google Authenticator. It looks safe to me. Also, it's not about perfect security; it adds a security layer, it slows down attackers a bit, better than nothing.

vishne0
Posts: 5
Joined: Mon Apr 09, 2018 3:47 pm

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by vishne0 » Mon Apr 09, 2018 3:51 pm

There are a few things I want to know, if someone can please reply:
1) Were the hacked servers running SSH on port 22?
2) Was root login allowed?

The above two questions will sort a few things out. I will post my report once I have answers. Also, if anyone needs any help to clean the server or migrate, ping me. Cleaning will be free :)
Regards

kobo1d
Posts: 47
Joined: Sun Nov 27, 2016 7:59 pm

Re: Got 10 VestaCP servers exploited

Post by kobo1d » Mon Apr 09, 2018 3:55 pm

vishne0 wrote (Mon Apr 09, 2018 3:51 pm):
    There are a few things I want to know, if someone can please reply:
    1) Were the hacked servers running SSH on port 22?
    2) Was root login allowed?

    The above two questions will sort a few things out. I will post my report once I have answers. Also, if anyone needs any help to clean the server or migrate, ping me. Cleaning will be free :)
    Regards
1) Yes.
2) No: no password login and no root user, no PAM.
I am using pubkeys.
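As an added example (not code from this thread or from the VestaCP project), here is a small sshd_config audit that checks the two questions vishne0 asks plus the settings kobo1d describes (key-only login, no root, no PAM). The config fragment is constructed, the function names are assumptions, and it mirrors two sshd parsing rules that often trip people up: the first value of an option wins, and options inside a Match block are conditional.

```python
import re

# Constructed sshd_config fragment (not from any poster's server) mirroring what
# kobo1d describes: pubkeys only, no password login, no root login, no PAM.
HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
UsePAM no
"""

# (option, accepted values, finding text); option names compare case-insensitively.
CHECKS = [
    ("permitrootlogin", {"no", "prohibit-password", "without-password"},
     "root may log in with a password"),
    ("passwordauthentication", {"no"}, "password logins are on (brute-force surface)"),
    ("pubkeyauthentication", {"yes"}, "public-key authentication is off"),
    ("usepam", {"no"}, "PAM is on; keyboard-interactive can still take passwords "
     "unless ChallengeResponseAuthentication is also no"),
]

# Accepts both "Option value" and "Option=value" forms.
OPTION_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")

def parse_sshd_config(text):
    """Map lowercased option -> value from the global section. sshd keeps the
    FIRST value it sees for an option (setdefault models that), and options
    inside a Match block are conditional, so parsing stops at the first Match."""
    opts = {}
    for raw in text.splitlines():
        m = OPTION_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        opts.setdefault(key, value)
    return opts

def audit_sshd(text):
    """Return findings for the hardened profile; an empty list means it is met."""
    opts = parse_sshd_config(text)
    findings = []
    for key, accepted, message in CHECKS:
        value = opts.get(key)
        if value is None:
            findings.append(f"{key}: not set, so the sshd/distro default applies")
        elif value.lower() not in accepted:
            findings.append(f"{key}={value}: {message}")
    return findings
```

Run it against `/etc/ssh/sshd_config` (the Port line is reported nowhere: as darkworks notes, a non-default port is found by a scan, so it is not a finding either way).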

darkworks
Posts: 21
Joined: Wed Jan 20, 2016 5:10 am

Os: Debian 7x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by darkworks » Mon Apr 09, 2018 3:57 pm

Looks like my VPS was also hit from China, but fail2ban blocked the IP: 210.13.64.18


2018-04-09 06:27:38,027 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 202.120.79.106
2018-04-09 06:27:39,766 fail2ban.actions[471]: WARNING [ssh] Unban 202.120.79.106
2018-04-09 06:27:49,026 fail2ban.actions[471]: WARNING [exim-iptables] Ban 212.237.41.14
2018-04-09 06:37:49,613 fail2ban.actions[471]: WARNING [exim-iptables] Unban 212.237.41.14
2018-04-09 08:06:16,480 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 49.171.119.51
2018-04-09 08:06:19,376 fail2ban.actions[471]: WARNING [ssh] Ban 49.171.119.51
2018-04-09 08:11:26,819 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 42.7.26.88
2018-04-09 08:11:29,672 fail2ban.actions[471]: WARNING [ssh] Ban 42.7.26.88
2018-04-09 08:16:17,122 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 49.171.119.51
2018-04-09 08:16:19,949 fail2ban.actions[471]: WARNING [ssh] Unban 49.171.119.51
2018-04-09 08:21:27,452 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 42.7.26.88
2018-04-09 08:21:30,227 fail2ban.actions[471]: WARNING [ssh] Unban 42.7.26.88
2018-04-09 10:07:29,325 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 42.7.26.16
2018-04-09 10:07:32,074 fail2ban.actions[471]: WARNING [ssh] Ban 42.7.26.16
2018-04-09 10:17:29,926 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 42.7.26.16
2018-04-09 10:17:32,646 fail2ban.actions[471]: WARNING [ssh] Unban 42.7.26.16
2018-04-09 13:12:28,610 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 183.145.216.122
2018-04-09 13:22:29,213 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 183.145.216.122
2018-04-09 17:05:58,800 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 218.65.30.25
2018-04-09 17:15:59,423 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 218.65.30.25
2018-04-09 19:36:13,155 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 103.99.0.200
2018-04-09 19:46:13,749 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 103.99.0.200
2018-04-09 20:42:33,873 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 210.13.64.18
2018-04-09 20:52:34,472 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 210.13.64.18
CPU usage normal and no suspicious processes.
Last edited by darkworks on Mon Apr 09, 2018 4:04 pm, edited 3 times in total.
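As an added example (not from the thread or the VestaCP project), this parses fail2ban action lines like the ones darkworks posted and pairs each Ban with its Unban per jail, so you can confirm which addresses were blocked, by which jail, for how long, and which bans are still open. The sample lines are a subset copied from the post; the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Subset of the fail2ban lines darkworks posted above (copied, not generated).
SAMPLE_LOG = """\
2018-04-09 08:06:16,480 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 49.171.119.51
2018-04-09 08:06:19,376 fail2ban.actions[471]: WARNING [ssh] Ban 49.171.119.51
2018-04-09 08:16:17,122 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 49.171.119.51
2018-04-09 08:16:19,949 fail2ban.actions[471]: WARNING [ssh] Unban 49.171.119.51
2018-04-09 20:42:33,873 fail2ban.actions[471]: WARNING [ssh-iptables] Ban 210.13.64.18
2018-04-09 20:52:34,472 fail2ban.actions[471]: WARNING [ssh-iptables] Unban 210.13.64.18
"""

# Matches the fail2ban.actions Ban/Unban format seen in the post; other lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\[\d+\]: "
    r"WARNING \[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})$"
)

def parse_fail2ban(text):
    """Yield (timestamp, jail, action, ip) for every Ban/Unban line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["jail"], m["action"], m["ip"]

def ban_summary(text):
    """Per IP: jails that fired, number of bans, longest completed ban in seconds,
    and whether any jail still has the address banned (Ban with no later Unban)."""
    open_bans = {}  # (jail, ip) -> time of the Ban not yet matched by an Unban
    summary = defaultdict(lambda: {"jails": set(), "bans": 0, "max_ban_seconds": 0})
    for ts, jail, action, ip in parse_fail2ban(text):
        entry = summary[ip]
        entry["jails"].add(jail)
        if action == "Ban":
            entry["bans"] += 1
            open_bans[(jail, ip)] = ts
        else:
            start = open_bans.pop((jail, ip), None)
            if start is not None:  # ignore an Unban whose Ban is outside the log window
                seconds = int((ts - start).total_seconds())
                entry["max_ban_seconds"] = max(entry["max_ban_seconds"], seconds)
    for ip, entry in summary.items():
        entry["active"] = any(key[1] == ip for key in open_bans)
    return dict(summary)
```

The 601-second durations in the sample reflect the default 10-minute bantime; an address that is re-banned repeatedly, or banned by more than one jail, is the one worth looking at in the auth log.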

really
Posts: 21
Joined: Mon Mar 05, 2018 3:44 am

Os: CentOS 6x
Web: apache + nginx
Re: Got 10 VestaCP servers exploited

Post by really » Mon Apr 09, 2018 3:58 pm

darkworks wrote (Mon Apr 09, 2018 3:38 pm):
    I have not heard of anyone bypassing Google Authenticator. It looks safe to me. Also, it's not about perfect security; it adds a security layer, it slows down attackers a bit, better than nothing.
No, sorry, I disagree. That's maybe marginally useful in a situation where someone already has your password and is now trying to log in to your account. For the type of exploit that happened here, Google Authenticator, along with fail2ban, would be useless. There were no attempts to log in; the password was irrelevant. This was an exploit, a targeted way to gain access to a system which only requires 1 try.

And if it's not about perfect security, why put more road blocks in my way as a user as well? That's just inconvenience without benefit.