All VestaCP installations being attacked Topic is solved

[dpeca]

There are things called "callback" that connect from the inside to the outside giving a shell.

100% not true, because, if something ''inside'' is ''calling'', then all datacenters will be hacked - in Europe you have very big datacenters that is completly UNTOUCHED by this hack.
Why?
Because only OVH is scanned - keyword is SCANNED - because hacker is scanning IP rangs.
Otherwise, in case that something is ''calling from inside'', then all datacenters in Europe will be also 'burned' - which is not happening.

[eduzro]

Do you think that disabling vesta service + disabling the access to the default vesta port can prevent the hacking?

[L4ky]

So the vulnerability is in the web interface?

I protected vesta, roundcube and phpmyadmin with HTTP Basic Auth... that should be enough.

[dpeca]

Do you think that disabling vesta service + disabling the access to the default vesta port can prevent the hacking?

Not sure at all.
At this moment, at least I don't have any clue what is entry point.

[dpeca]

Not even sure it's related to Vesta.
For example, serious issue in kernel, published yesterday - https://access.redhat.com/security/cve/cve-2018-14634

[eduzro]

Not even sure it's related to Vesta.
For example, serious issue in kernel, published yesterday - https://access.redhat.com/security/cve/cve-2018-14634

I don't think it's because of this issue, as it first needs the access data of an unprivileged user (One of my servers which was hacked had only the admin user).

[dpeca]

I'm not saying it's related to kernel issue, just that I'm not 100% sure it's related to Vesta...

[lukapaunovic]

There are things called "callback" that connect from the inside to the outside giving a shell.

100% not true, because, if something ''inside'' is ''calling'', then all datacenters will be hacked - in Europe you have very big datacenters that is completly UNTOUCHED by this hack.
Why?
Because only OVH is scanned - keyword is SCANNED - because hacker is scanning IP rangs.
Otherwise, in case that something is ''calling from inside'', then all datacenters in Europe will be also 'burned' - which is not happening.

I think he is talking about the reverse shell.

http://pentestmonkey.net/cheat-sheet/sh ... heat-sheet

[dpeca]

The same arguments are still here - why EU datracenters is untouched then....

[itismejoey]

I've been on and off the phone with OVH for the last 24 hours. I was able to get into a rescue ssh mode of my server, but they will not restore the server back to normal (even with removing everything to do with Vesta. Does anyone know if this is anything to do with the same thing last April? I am being told not to reinstall Vesta at all until I know for sure that everything is fixed. Doesn't seem like anyone from Vesta has mentioned anything yet? I guess i'll follow this thread for more.