We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
Thanks @wildwolf
How to chmod /var/log/httpd
drwx------ 2
Best Regards
Re: Got 10 VestaCP servers exploited
And what are the attributes for the
/var/log/httpd/domains/
Best Regards
Re: Got 10 VestaCP servers exploited
MiguelVESTACP wrote (Tue Apr 10, 2018 7:52 am):
Thanks @wildwolf
How to chmod /var/log/httpd
drwx------ 2
Best Regards

chmod 0700 /var/log/httpd
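The two hardening points raised in this thread (the 0700 mode on /var/log/httpd and the poll questions about SSH on port 22 and root login) can be checked with a small audit script. This is an added example, not code from the thread or from VestaCP; it assumes GNU stat and a standard OpenSSH sshd_config layout, where the first uncommented occurrence of a keyword wins.

```shell
#!/bin/sh
# Added example (not from the thread): audit the hardening points discussed
# above. The expected mode 700 for /var/log/httpd comes from the thread; the
# sshd_config parsing assumes standard OpenSSH syntax and GNU stat (-c).

# check_dir_mode DIR MODE -> 0 if DIR exists and its octal mode equals MODE,
# 1 if the mode differs, 2 if DIR is missing
check_dir_mode() {
    dir=$1; want=$2
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    have=$(stat -c '%a' "$dir")
    if [ "$have" = "$want" ]; then
        echo "OK   $dir is $have"; return 0
    fi
    echo "WARN $dir is $have, expected $want (fix: chmod $want $dir)"
    return 1
}

# sshd_setting FILE KEY -> prints the effective value of KEY in an sshd_config
# (first uncommented match wins, as sshd applies it); prints nothing if unset
sshd_setting() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# check_sshd FILE -> 0 only if sshd is not on port 22 and PermitRootLogin is "no"
check_sshd() {
    rc=0
    port=$(sshd_setting "$1" Port);            : "${port:=22}"     # sshd default
    root=$(sshd_setting "$1" PermitRootLogin); : "${root:=unset}"
    [ "$port" != "22" ] || { echo "WARN sshd listens on default port 22"; rc=1; }
    [ "$root" = "no" ] || { echo "WARN PermitRootLogin is '$root', expected no"; rc=1; }
    [ $rc -eq 0 ] && echo "OK   sshd on port $port, root login disabled"
    return $rc
}

# Typical use on a live host (uncomment to run):
# check_dir_mode /var/log/httpd 700
# check_dir_mode /var/log/httpd/domains 700
# check_sshd /etc/ssh/sshd_config
```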
Re: Got 10 VestaCP servers exploited
It was many little files with strange content, inside folders starting with "systemd", but it was not coming from the virus.
I checked and double-checked that it has nothing to do with it.
I had the idea because the virus started spreading via systemd first.
But systemd is clean now.
And I just filled out the poll. The only similar thing I could figure from it is that I had the roundcube on the default /webmail path.
Please don't tell me it's coming from there.... I was so close to disabling this crap, but my clients forced me to have their webmail.......
Re: Got 10 VestaCP servers exploited
Any chance of a proper statement being released on how this patch fixes the vulnerability? Were any specific (confirmed) details collected on the attack vector?
All I really saw was a lot of speculation on what the problem COULD be, and a security patch released for those concerns, but I never saw any solid evidence on exactly how the hacks were performed and how the security release remedies that.
Re: Got 10 VestaCP servers exploited
+1, the complete way the exploit happened should be made public so that there is a chance to verify that the actions taken are sufficient and also to enable more auditing to see if there are similar things which could become a problem in the future.

Harambe wrote (Tue Apr 10, 2018 10:10 am):
Any chance of a proper statement being released on how this patch fixes the vulnerability? Were any specific (confirmed) details collected on the attack vector?
All I really saw was a lot of speculation on what the problem COULD be, and a security patch released for those concerns, but I never saw any solid evidence on exactly how the hacks were performed and how the security release remedies that.
Re: Got 10 VestaCP servers exploited
My servers weren't affected. But my answers are:

kobo1d wrote (Mon Apr 09, 2018 3:55 pm):
    vishne0 wrote (Mon Apr 09, 2018 3:51 pm):
    There are a few things I want to know, if someone can please reply:
    1) The hacked servers were running ssh on port 22?
    2) Allow root to login was on?
    The above two questions will sort a few things. I will post my report once I have answers. Also if anyone needs any help to clean the server or migration, ping me. Cleaning will be free :)
    Regards
1) yes
2) no - no password login and no root user - no pam
i am using pubkeys

1) No
2) Yes
I used a different SSH port (not the default 22). But the Vesta webGUI was on the default port 8083.
Re: Got 10 VestaCP servers exploited
I'd like to see a proper statement too. What was the outcome of the investigation by the Admin, @skurudo? This doesn't tell me much: on the one hand it says there wasn't a problem, but we know there is/was a problem. What was the problem and is the installation script 100% secure now?

Harambe wrote (Tue Apr 10, 2018 10:10 am):
Any chance of a proper statement being released on how this patch fixes the vulnerability? Were any specific (confirmed) details collected on the attack vector?
All I really saw was a lot of speculation on what the problem COULD be, and a security patch released for those concerns, but I never saw any solid evidence on exactly how the hacks were performed and how the security release remedies that.
Re: Got 10 VestaCP servers exploited
+1, I would love to have a full and clear overview of what happened.
I want to understand and learn from it. Everybody can fail sometimes; it doesn't matter whose fault it was.
But please give us more info!
Also, when I updated my Debian 9 yesterday while you fixed the deb repo -> is there any difference to how it looks today?
I mean, if the update succeeded yesterday, do I have all recent files now? Or are there again changes in the deb repo from yesterday to today?
And is Vesta now 100% secure, or should we better leave webmail disabled for now (since you asked about it in the poll)?
And is it better to leave the vesta service stopped for now?