New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Comments
as the nginx that's used for accessing the control panel itself and the API does not log access at all but instead sends those data to /dev/null you won't be able to find the needed information on system that has been compromised before the issue become known anyway.
luckily some people already were able to set up honeypots with logging and one even managed to confirm that there are accesses to the API, though sadly the POST data wasn't logged and it has not been revealed yet, what injection exactly happened.
so far I'd assume that deactivating/removing the api folder/php script might be the easiest way to disable any new attacks while keeping the main interface up and usable for the clients. no guarantue though, waiting for more input on the possible POST calls. set up a honeypot myself, maybe I get lucky to catch something ;-)
Yeah that one is pretty hilarious, no logs for the API, at all. lol
OMEGALOL
https://github.com/serghey-rodin/vesta/commit/3fdee2975db0c80419a0dfefff3c10a2c4de6410
what the fuck ?
Pheww. just saw the post here.. Luckily i had changed vesta's API port and it was behind a firewall too.. didnt find any gcc.sh yet.
but turned it off as a pre caution. Thanks for sharing.
That's not true. Logs of expected actions for the API, actions taken as intended through the API, are extensively logged.
What wasn't logged there was what might be unexpected, the overflow.
If you read, the necessary logs weren't being recorded, at all, therefore it's much harder to trace the attack vector.
oof
If you read, there is no confirmation as to what logs are necessary :P
I removed VestaCP somewhat years ago already. My provider at that time, Swiftway just banned the use of it after my server was compromised. Bought a DirectAdmin license. I liked it, so after some months I bought two life time licenses. All fine.
Won't stop using it, still a nice enough panel, shit happens. I mean, it's worth what I pay for it.
Limit access to admin panel via IP, reverse proxy admin panel with nginx and another layer of password auth, etc.
It's a great panel, so hopefully some users smarter than myself can pick apart the security and help lock it down.
@jarland is right, as he already pointed out API auth should be logged and every vesta command that's called will add an entry into the syslog.
most likely the (hacking) api request didn't need to auth at all, but was able to inject the malicious code at such an early stage that nothing made it into those logs.
sadly if it is an code injection via vulnerable POST vars, even with access-logs available all you'll see is the request to the API itself - just like it would be with such attacks vs any other PHP script. apache or nginx won't log the content of the POST request anyway...
seems like still no one really knows the content of those POST calls yet, so the new commit they released might not be an exact fix. hardening should never be wrong though.
I am going to monitor closely and probably take on the risk to bring back the interfaces only slowly with deactivated API tomorrow.
as @Lee said, still good for what one has to pay for it :-D
most panels do cost money or offer tons of complicated features only a handful of people really make use of. I wouldn't even need a panel myself for personal stuff, but for clients Vesta provides an easy and clean way to give access e.g. to set up a mail-address or database by themselves without to much hassle.
Patch was just released, hard to tell if this is the final fix though:
https://forum.vestacp.com/viewtopic.php?f=10&t=16556&start=260#p68893
>
Also:
Famous last words there Vesta team...
@MasonR (or another mod), could you give me edit privs on the OP again? Want to update to include the patch info. Or if you could just drop that block + link to VestaCP forum I posted 2 comments ago into the bottom of my post, and maybe update thread title with [Patch Released], would be appreciated!
Unfortunately Vanilla doesn't give us many options regarding permissions, so I updated the OP and title. Give me a shout if you'd like anything changed/added.
@MasonR Nope, that's perfect, thanks dude. Just didn't want the update buried on page 3.
Really. Like tmobileat?
Fair enough. Nevertheless its design doesn't seem to be right.
Note that access log isn't everything. There should be an extra logging mechanism/verbose, eg WHMCS module logs.
I am going to err on the side of caution and upgrade, but keep the vesta panel down. It might be suggestible for you all to follow as well.
I'm sure they're not making cPanel money but they do sell commercial addons and support packages. Plus they have a few corporate sponsors.
I have no idea but got a feeling that such income is far from enough to cover a proper security firm to review the whole code. Plus, its open source so anyone can review it and contribute. Maybe this time they will allow other people to contribute to their code.
I can't escape the feeling that this patch addressed security complaints that resulted from the compromises and not the actual attack vector. It seems odd that the community so quickly jumped to conclusions that matched the cause when no one could confirm the cause.
Perhaps I'm wrong. But I'd like to know the cause and how the patch addressed it, someone knows the cause enough so that no one is safe so it's not important that it remain hidden.
Yeah, I did the same thing. I don't know if the patch actually addressed the issue or was just another security-related patch, I don't think anyone can know until a honeypot intercepts it.
Exactly, and from what I gathered no one caught those actions from what I saw on the forum.
Thanks for this topic
100% agreed.
Interesting..
https://forum.vestacp.com/viewtopic.php?f=10&t=16556&start=280#p68923
Yeah that's coincidence for sure. Exim and Dovecot do not run as any account that has those kind of privileges.