All VestaCP installations being attacked Topic is solved

[kandalf]

How can we know if our server is compromised?

if this file /usr/bin/dhcprenew exists on your server it means that it is hacked

Thank you very much, this was exactly what I was looking for.

My server are safe.

[pksh71]

hi

My 3 servers at Hetzner also Hacked yesterday. hacker used it DDOS to a chines IP.
its service vesta was off.

what can i do?

[mehargags]

Send access to your server to vesta team so we can check more

[pqpk2009]

SSHD permissions were closed, but there was still an attack.

Problem finding procedure

/usr/local/vesta/nginx/sbin/vesta-nginx

[ScIT]

SSHD permissions were closed, but there was still an attack.

Problem finding procedure

/usr/local/vesta/nginx/sbin/vesta-nginx

was this a new attack? if yes, please send us server access using pm.

[neto737]

Keep your servers safe, use keyfile instead password for SSH, and disable login with password. You can also change default SSH port. I’ve done it and everything is ok with my server.

[pqpk2009]

SSHD permissions were closed, but there was still an attack.

Problem finding procedure

/usr/local/vesta/nginx/sbin/vesta-nginx

was this a new attack? if yes, please send us server access using pm.

> Format: ASN | IP | Timestamp (UTC) | RPC response
> 24940 | *.*.*.* | 2018-10-09 06:41:17 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
> 24940 | *.*.*.* | 2018-10-09 06:56:55 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;

[dpeca]

SSHD permissions were closed, but there was still an attack.

Problem finding procedure

/usr/local/vesta/nginx/sbin/vesta-nginx

was this a new attack? if yes, please send us server access using pm.

> Format: ASN | IP | Timestamp (UTC) | RPC response
> 24940 | *.*.*.* | 2018-10-09 06:41:17 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
> 24940 | *.*.*.* | 2018-10-09 06:56:55 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;

Dude, this does not look as attack to me.
If you leaved NFS ports open, Hetzner will just warn you.
It does not mean that server did any attack.

[pqpk2009]

was this a new attack? if yes, please send us server access using pm.

> Format: ASN | IP | Timestamp (UTC) | RPC response
> 24940 | *.*.*.* | 2018-10-09 06:41:17 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
> 24940 | *.*.*.* | 2018-10-09 06:56:55 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;

Dude, this does not look as attack to me.
If you leaved NFS ports open, Hetzner will just warn you.
It does not mean that server did any attack.

This is the email sent by the German security agency. The other two infected servers are PM.

[pqpk2009]

> Format: ASN | IP | Timestamp (UTC) | RPC response
> 24940 | *.*.*.* | 2018-10-09 06:41:17 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;
> 24940 | *.*.*.* | 2018-10-09 06:56:55 | 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp; 100000 4 111/udp; 100000 3 111/udp; 100000 2 111/udp;

Dude, this does not look as attack to me.
If you leaved NFS ports open, Hetzner will just warn you.
It does not mean that server did any attack.

This is the email sent by the German security agency. The other two infected servers are PM to ScIT.