Got 10 VestaCP servers exploited

[Mark O Polo]

It has been about a month since the 1st post regarding the exploited servers.

At a result of the exploits, one patch was issued. We also know some of the code was reviewed by Rack911labs (Patrick) and he noticed several root compromise vulnerabilities (6).

I know that many users are running with the panel down until there is a general consensus that everything that can be reasonable done is complete.

Can we get a status regarding the dev teams findings and if there are other patches soon to be released?

As always, appreciate your work on the project and security hardening.

[ScIT]

+1!

[DarthVader]

+1

[RevengeFNF]

It has been about a month since the 1st post regarding the exploited servers.

At a result of the exploits, one patch was issued. We also know some of the code was reviewed by Rack911labs (Patrick) and he noticed several root compromise vulnerabilities (6).

I know that many users are running with the panel down until there is a general consensus that everything that can be reasonable done is complete.

Can we get a status regarding the dev teams findings and if there are other patches soon to be released?

As always, appreciate your work on the project and security hardening.

I would also like to have news about this.

[Farrow]

I haven't used it since and won't until I'm sure it's been patched fully, It worries me that no one knows for sure how the panel became exploited in the first place. We have had little information on the progress of fixing the vulnerabilities that have been reported which I feel is very important. Vesta was a good little panel but the list of vulnerabilities makes it unusable for me.

[kobo1d]

yea. i have kept my panel shutted down too.

news are very welcome!

[imperio]

New release with mass security fixes will in Monday or Tuesday
Now we are thinking about the roundcube

[sohail_sandy]

Hello!

Today I was surprised to discover that 10 of our customers servers were being exploited (attacking a chinese IP). All these servers have nothing in common but the fact they all run VestaCP. None of my non-VestaCP servers were affected.

I would like to ask if anyone was also affected. Any chance there's a VestaCP vulnerability being exploited in the wild?

Thank you in advance

Kindly, Albertus

Yes. The server has just gone down. Nobody was able to login to my website and when I tried to log into vestacp dashboard, it also failed. After I SSH into the server, I found that there was no space left on the server. And after a couple of minutes, Digitalocean deactivated networking.

Right now my website is down.

[paulokruz]

I found this entrys in negix error log:

Code: Select all

2018/05/11 16:24:21 [error] 3422#0: *50 open() "/usr/local/vesta/web/sdk" failed (2: No such file or directory), client: 159.203.250.164, server: _, request: "POST /sdk HTTP/1.1", host: "my_domain_name.XXX:8$
2018/05/11 16:24:31 [error] 3422#0: *53 "/usr/local/vesta/web/profilemanager/index.php" is not found (2: No such file or directory), client: 159.203.250.164, server: _, request: "GET /profilemanager/ HTTP/1$
2018/05/11 16:25:16 [error] 3422#0: *135 open() "/usr/local/vesta/web/sdk" failed (2: No such file or directory), client: 159.203.250.164, server: _, request: "POST /sdk HTTP/1.1", host: "my_domain_name.XXX:$
2018/05/11 16:36:49 [error] 3422#0: *1918 open() "/usr/local/vesta/web/Portal/Portal.mwsl" failed (2: No such file or directory), client: 159.203.250.164, server: _, request: "GET /Portal/Portal.mwsl?PriNav$
2018/05/11 16:50:30 [error] 3422#0: *6691 open() "/usr/local/vesta/web/db" failed (2: No such file or directory), client: 159.203.250.164, server: _, request: "GET /db HTTP/1.1", host: "my_domain_name.XXX:80$

Seems calls from my domain url.

It's related to exploited ?

[imperio]

Not related