We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
All VestaCP installations being attacked Topic is solved
Re: All VestaCP installations being attacked
> albertus wrote: ↑Fri Oct 19, 2018 4:48 pm
> > imperio wrote: ↑Fri Oct 19, 2018 9:49 am
> > Falzo, stop the insults. We have all said in this thread.
> > More information you can find here
> > https://www.welivesecurity.com/2018/10/ ... installed/
> > Next time I'll give you a warning.
>
> Excuse me, I don't think there were any insults from Falzo and I agree with him. It's a shame how you dealt with this problem. Nobody should keep trusting any of you as you're not capable of communicating properly. Keeping silence and hiding yourself doesn't help. I truly suggest you decide if you really want to continue maintaining Vesta, as you don't seem capable of such a task.

I too do not see an insult here. While being a developer myself I do understand that sometimes communication during stressful situations may be hard to maintain, but it is really important to keep people trusting you and your project. That being said, VestaCP is amazing as a whole but communication with its users should really be improved.
- Posts: 4
- Joined: Sat Oct 20, 2018 2:05 am
- Os: CentOS 6x
- Web: apache + nginx
Re: All VestaCP installations being attacked
Just noticed I've been attacked. Have not found the files listed as affected, nor did rkhunter find any malware (though some warnings)...
The attacker modified my sudoers configuration and changed the admin password, not allowing VestaCP to be updated; this alerted me (700+ emails saying that the user needs a password to execute some files).
Already updated my system and changed passwords, but I don't know what else to check
Re: All VestaCP installations being attacked
My procedure with OS Ubuntu 16.04 LTS.
The first thing I've done has been to change admin and root passwords.
Later, I have seen that my server has /usr/bin/dhcprenew.disabled and /etc/init.d/dhcprenew.disabled files. (why extension .disabled? no idea).
I have deleted both.
I also have symbolic links:
lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc1.d/S01dhcprenew -> ../init.d/dhcprenew
lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc2.d/S01dhcprenew -> ../init.d/dhcprenew
lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc3.d/S01dhcprenew -> ../init.d/dhcprenew
lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc4.d/S01dhcprenew -> ../init.d/dhcprenew
lrwxrwxrwx 1 root root 19 sep 24 09:36 /etc/rc5.d/S01dhcprenew -> ../init.d/dhcprenew
I have deleted all of them.
Then, I have installed rkhunter:
- sudo apt-get install rkhunter
I run it so:
- rkhunter -c
Check whether there are warnings.
In my case it only warns me that root has ssh access, when it is not really possible.
Re: All VestaCP installations being attacked
> Later, I have seen that my server has /usr/bin/dhcprenew.disabled and /etc/init.d/dhcprenew.disabled files. (why extension .disabled? no idea).

Because dhcprenew is a virus and VestaCP renamed this file after the upgrade to 0.9.8-23
viewtopic.php?f=25&p=73942#p73942
Security check for /usr/bin/dhcprenew binary. If found checker notifies server administrator
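
An added example (not code from this thread or from VestaCP): a shell check that looks in every location named in the posts above, /usr/bin as well as /etc/init.d and /etc/rc*.d, and tells the `.disabled` renames apart from artifacts still under their original name. The function names and the optional ROOT argument are assumptions made for illustration; a result of `none` only means these file names are absent, and one poster above was attacked without finding the listed files.

```shell
# Added example: look for the dhcprenew artifacts named in this thread.
# ROOT is optional (assumption): "/" by default, or a mounted copy of the disk.

# List every entry whose name contains "dhcprenew" in /usr/bin,
# /etc/init.d and the /etc/rc*.d runlevel directories under ROOT.
dhcprenew_paths() {
    root=${1:-/}
    root=${root%/}
    for dir in "$root/usr/bin" "$root/etc/init.d" "$root"/etc/rc*.d; do
        [ -d "$dir" ] || continue
        # -name also matches symlinks whose target has already been deleted
        find "$dir" -maxdepth 1 -name '*dhcprenew*' 2>/dev/null || :
    done
    return 0
}

# Print one word:
#   present  - at least one artifact still has its original name
#   disabled - only *.disabled copies remain (renamed by the 0.9.8-23 upgrade)
#   none     - no such names found; this alone does not prove a clean server
dhcprenew_status() {
    found=$(dhcprenew_paths "$1")
    if [ -z "$found" ]; then
        echo none
    elif printf '%s\n' "$found" | grep -qv '\.disabled$'; then
        echo present
    else
        echo disabled
    fi
}

# Report on the running system, or on the ROOT given as first argument.
dhcprenew_paths "${1:-/}"
echo "dhcprenew status: $(dhcprenew_status "${1:-/}")"
```

Run it as root so that every directory is readable; searching only /etc, as in the `find` command later in the thread, would miss /usr/bin.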
Re: All VestaCP installations being attacked
I have just executed
sudo find /etc/ -name "*dhcprenew*"
And no files are listed.
Does it mean I have not been attacked?
Re: All VestaCP installations being attacked
No, I don't have any of them
Re: All VestaCP installations being attacked
With your server all is fine.
Re: All VestaCP installations being attacked
More attention should be paid to security.