All VestaCP installations being attacked

[dpeca]

There is nothing wrong with that code, just a secured way to check entered password.

But anyway, if I must assume where is a hole, login code, reset password and api.php are most suspicious places to me...

[pqpk2009]

There is nothing wrong with that code, just a secured way to check entered password.

But anyway, if I must assume where is a hole, login code, reset password and api.php are most suspicious places to me...

$ v_password value is
'; v-add-fs-file ********;
exec（VESTA_CMD。“v-check-user-password”。$ v_user。“”。$ v_password。“'”。$ v_ip_addr。“'”，$ output，$ auth_code）;

It seems that you can join shell.

[dpeca]

I will check now...

[dpeca]

Is this a loophole? Why not fix it? This is the latest installation package code.

------------------------- 8083/api/index.php

$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
unlink($v_password)

I can not find a code that you quoted in current version of that file - https://github.com/serghey-rodin/vesta/ ... /index.php
Actually, I can not find it even in other files.

From where you take it?
That could be a code from old versions of Vesta.

[pqpk2009]

Is this a loophole? Why not fix it? This is the latest installation package code.

------------------------- 8083/api/index.php

$v_password = tempnam("/tmp","vst");
$fp = fopen($v_password, "w");
fwrite($fp, $_POST['password']."\n");
fclose($fp);
$v_ip_addr = escapeshellarg($_SERVER["REMOTE_ADDR"]);
exec(VESTA_CMD ."v-check-user-password ".$v_user." ".$v_password." '".$v_ip_addr."'", $output, $auth_code);
unlink($v_password)

I can not find a code that you quoted in current version of that file - https://github.com/serghey-rodin/vesta/ ... /index.php
Actually, I can not find it even in other files.

From where you take it?
That could be a code from old versions of Vesta.

The latest installation package installed on my server, installed in September the 20th.

[pqpk2009]

Installation is based on official website steps.

[dpeca]

I installed Vesta before one hour, I can not find that code at all.
How it's possible that you get code that is fixed before 6 months?

[dpeca]

Can you install new server instance and check if you get that code in api.php ?

[pqpk2009]

The latest installation package installed on my server, installed in September the 20th.

hoster: hetzner
This code is installed on my server, and the installation date is about September 20, downloaded from the official website address

[pqpk2009]

I can confirm that the server was installed in September.

I am in China, it is 2 in the morning, I need to go to the office about 8 hours later to confirm again.