All VestaCP installations being attacked

Post by **dpeca** » Wed Oct 10, 2018 9:54 am

pqpk2009 wrote: ↑
Wed Oct 10, 2018 9:51 am
This is the email sent by the German security agency. The other two infected servers are PM.

I know, because I get the same email when I forget to close NFS ports.
But that mail is just warning to you to close NFS ports.

pqpk2009 · Post by **pqpk2009** » Wed Oct 10, 2018 10:01 am

ScIT wrote: ↑
Wed Oct 10, 2018 8:03 am

pqpk2009 wrote: ↑
Wed Oct 10, 2018 8:01 am
SSHD permissions were closed, but there was still an attack.

Problem finding procedure

/usr/local/vesta/nginx/sbin/vesta-nginx
was this a new attack? if yes, please send us server access using pm.

I have sent PM server root information.

Tell me your IP, I add it to SSHD.

Post by **imperio** » Wed Oct 10, 2018 11:57 am

Alls who servers was hacked, let us know when your servers was installed.

flanders · Post by **flanders** » Wed Oct 10, 2018 1:13 pm

my server was installed in september.
Then I rebuild it changing the panel port ( I already used custom ssh port, access ssh with key, access without password). From my last change (panel port) it is working well.
I'm using hetzner with centos 7 / apache+nginx+php7.2+mariadb10.3+csf

pqpk2009 · Post by **pqpk2009** » Wed Oct 10, 2018 2:17 pm

/usr/bin/dhcprenew

My infected server does not have this file.

Post by **ScIT** » Thu Oct 11, 2018 7:06 am

pqpk2009 wrote: ↑
Wed Oct 10, 2018 2:17 pm
/usr/bin/dhcprenew

My infected server does not have this file.

The 2 we checked had it.

kandalf · Post by **kandalf** » Thu Oct 11, 2018 8:51 am

pqpk2009 wrote: ↑
Wed Oct 10, 2018 2:17 pm
/usr/bin/dhcprenew

My infected server does not have this file.

But how do you find that the servers were infected?

Falzo · Post by **Falzo** » Thu Oct 11, 2018 10:36 am

so anything new on that? from what we can read so far here, is that only a few servers have been hit and the attacker somehow gained ssh access?
some had the vesta service running, some not... if that's the case a potential hacker would have needed to somehow get to know the admins password?

to those affected: do you allow admin for ssh access (default) and/or did you change the admin password after installation?

I haven't been affected this time (yet) and now am guessing that could be just because I don't allow admin for shell access...
BUT if the scenario is right, the (my) passwords could still be compromised, right? I don't like that idea.

eduzro · Post by **eduzro** » Thu Oct 11, 2018 12:15 pm

My server was hacked in september. The Vesta service was running and I had SSH access enabled just for the admin user. I set the password with the installation command. I don't know if the file /usr/bin/dhcprenew was in the server.

Post by **imperio** » Thu Oct 11, 2018 1:12 pm

flanders,
Thank you for the information
eduzro, when your server was installed ?

Vesta Control Panel - Forum

All VestaCP installations being attacked Topic is solved

Re: All VestaCP installations being attacked

Re: All VestaCP installations being attacked

Re: All VestaCP installations being attacked

Re: All VestaCP installations being attacked

Re: All VestaCP installations being attacked

Re: All VestaCP installations being attacked

Re: All VestaCP installations being attacked

Re: All VestaCP installations being attacked

Re: All VestaCP installations being attacked

Re: All VestaCP installations being attacked

Login • Register