All VestaCP installations being attacked Topic is solved
Re: All VestaCP installations being attacked
The problem with all this is that if we start sharing too much info about our configurations we are making things easier to anyone willing to repeat a similar attack.Maverick87Shaka wrote: ↑Thu Sep 27, 2018 9:07 am@realjumy can you try to edit you original post adding a poll asking the infected server? Maybe It's help to understand how many server was infected.
Just a simple question on Number of server infected, and people select how many of their server was infected ;)
Try to disclose as less as possible in public, and write in private to [email protected]. They are the ones that can really fix it.
Re: All VestaCP installations being attacked
How should I repair it?realjumy wrote: ↑Sat Sep 29, 2018 12:49 amThe problem with all this is that if we start sharing too much info about our configurations we are making things easier to anyone willing to repeat a similar attack.Maverick87Shaka wrote: ↑Thu Sep 27, 2018 9:07 am@realjumy can you try to edit you original post adding a poll asking the infected server? Maybe It's help to understand how many server was infected.
Just a simple question on Number of server infected, and people select how many of their server was infected ;)
Try to disclose as less as possible in public, and write in private to [email protected]. They are the ones that can really fix it.
Re: All VestaCP installations being attacked
The problem is that we don't know yet how to repair it. The only thing you can do is downloading the backups and double checking that they are updated (I noticed the last backups I had were created on May).pqpk2009 wrote: ↑Sat Sep 29, 2018 5:51 amHow should I repair it?realjumy wrote: ↑Sat Sep 29, 2018 12:49 amThe problem with all this is that if we start sharing too much info about our configurations we are making things easier to anyone willing to repeat a similar attack.Maverick87Shaka wrote: ↑Thu Sep 27, 2018 9:07 am@realjumy can you try to edit you original post adding a poll asking the infected server? Maybe It's help to understand how many server was infected.
Just a simple question on Number of server infected, and people select how many of their server was infected ;)
Try to disclose as less as possible in public, and write in private to [email protected]. They are the ones that can really fix it.
You need to install a fresh server and upload only the files after checking carefully for virus and other rubbish.
But all that doesn't warranty right now that your server will be safe. Not yet.
Re: All VestaCP installations being attacked
This loophole appeared in April, and it still exists. I think there is no hope!!!realjumy wrote: ↑Sat Sep 29, 2018 11:58 amThe problem is that we don't know yet how to repair it. The only thing you can do is downloading the backups and double checking that they are updated (I noticed the last backups I had were created on May).pqpk2009 wrote: ↑Sat Sep 29, 2018 5:51 amHow should I repair it?realjumy wrote: ↑Sat Sep 29, 2018 12:49 am
The problem with all this is that if we start sharing too much info about our configurations we are making things easier to anyone willing to repeat a similar attack.
Try to disclose as less as possible in public, and write in private to [email protected]. They are the ones that can really fix it.
You need to install a fresh server and upload only the files after checking carefully for virus and other rubbish.
But all that doesn't warranty right now that your server will be safe. Not yet.
Ready to imitate VESTA to write API function, I use it myself.
-
slaapkopamy
- Posts: 12
- Joined: Sun Sep 03, 2017 5:43 pm
- Contact:
- Os: Debian 7x
- Web: apache + nginx
Re: All VestaCP installations being attacked
for the peeps who are using proxmox, if you running in a lxc without a firewall from proxmox then its a good idea to seal it off that only the ports what you are using make it open or semi open for incoming and outcoming traffic. And set your rate limit to like 25mb/s.
I did it after my ip address got blocked by ovh and after installing the firewall and changed root password + vesta port there is not yet any ip blocks.
Its not the solution but its a tempory idea
I did it after my ip address got blocked by ovh and after installing the firewall and changed root password + vesta port there is not yet any ip blocks.
Its not the solution but its a tempory idea
Re: All VestaCP installations being attacked
damn. Woke up this morning and 5 of my servers have been compromised.
Re: All VestaCP installations being attacked
I want to take a look to this issue too.
The better way to handle vesta security is deny access in /etc/hosts.deny and /etc/hosts.allow to vesta panel and ssh, prevent acess
The better way to handle vesta security is deny access in /etc/hosts.deny and /etc/hosts.allow to vesta panel and ssh, prevent acess
Re: All VestaCP installations being attacked
That April 'hole' is fixed.
Believe me.
Hole from Jun is also fixed (api.php).
This is probably third hole, and my assumption is that some PHP script on 8083 port is vulnerable.
I advice to stop vesta service until we definitely find it and fix it.
Re: All VestaCP installations being attacked
Is this a loophole? Why not fix it? This is the latest installation package code.
------------------------- 8083/api/index.php
$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
unlink($v_password)
------------------------- 8083/api/index.php
$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
unlink($v_password)