VestaCP hit with zeroday exploit [May 19 Security Update] - Page 5

Comments

  • Harambe (Member, Host Rep)

    @jarland said:

    Harambe said: Interesting..

    Yeah that's coincidence for sure. Exim and Dovecot do not run as any account that has those kind of privileges.

    Does it lend any credibility to the Roundcube mentions previously? Like Roundcube would only be installed and accessible at /webmail if those were installed?

  • It might be multiple exploits wrapped into one. They might need roundcube installed to initially insert the file. Then they can use the password exploit to run the script as admin.

    Thanked by 1netomx
  • jar (Patron Provider, Top Host, Veteran)

    @Harambe said:

    @jarland said:

    Harambe said: Interesting..

    Yeah that's coincidence for sure. Exim and Dovecot do not run as any account that has those kind of privileges.

    Does it lend any credibility to the Roundcube mentions previously? Like Roundcube would only be installed and accessible at /webmail if those were installed?

    It's possible, true.

  • rafaelscs (Member)
    edited April 2018
  • jar (Patron Provider, Top Host, Veteran)

    Been a while since I worked on a Sunday :(

    Thanked by 1netomx
  • Harambe (Member, Host Rep)

    @jarland said:

    Been a while since I worked on a Sunday :(

    RIP your week, just based on the comments still coming in on the FAQ. https://www.digitalocean.com/community/questions/how-do-i-determine-the-impact-of-vestacp-vulnerability-from-april-8th-2018

    Thanked by 2jar Ympker
  • Ympker (Member)
    edited April 2018

    Regarding emergencies:

    Any projects that are crucial and need to be online I can temporarily host on one of my reseller accs (cPanel) for the time being :)
    No guarantees for anything though!
    You handle the website transfer yourself!

  • @Ympker said:
    Regarding emergencies:

    Any projects that are crucial and need to be online I can temporarily host on one of my reseller accs (cPanel) for the time being :)
    No guarantees for anything though!
    You handle the website transfer yourself!

    Thank you for the kind offer. <3

    Thanked by 1Ympker
  • @AlyssaD said:

    @Ympker said:
    Regarding emergencies:

    Any projects that are crucial and need to be online I can temporarily host on one of my reseller accs (cPanel) for the time being :)
    No guarantees for anything though!
    You handle the website transfer yourself!

    Thank you for the kind offer. <3

    Anytime! I'm not in the actual Hosting Business anymore (just webdev/design) but keep some resellers anyway so happy to help you guys out :-)

  • Many thanks for pointing this out @Harambe. Seems like I managed to shut down Vesta in time, so it's all good.

    If anyone is looking for an alternative, I've been using I-MSCP for a while, it's pretty solid and has plenty of functionality (and is also more complicated than Vesta, which is why I went with Vesta). It's a fork of ISPCP, which in turn is a fork of VHCS.

  • donli (Member)

    @Saragoldfarb said:
    I didn't get hit. Maybe because I'm not running on their standard ports.

    A simple but surprisingly effective method to avoid a lot of exploits like this.

    Thanked by 1Saragoldfarb
  • YokedEgg (Member)
    edited April 2018

    @solaire said:
    Many thanks for pointing this out @Harambe. Seems like I managed to shut down Vesta in time, so it's all good.

    If anyone is looking for an alternative, I've been using I-MSCP for a while, it's pretty solid and has plenty of functionality (and is also more complicated than Vesta, which is why I went with Vesta). It's a fork of ISPCP, which in turn is a fork of VHCS.

    Or cyberpanel. Or centminmod.

  • joepie91 (Member, Patron Provider)

    @donli said:

    @Saragoldfarb said:
    I didn't get hit. Maybe because I'm not running on their standard ports.

    A simple but surprisingly effective method to avoid a lot of exploits like this.

    For the first wave, yes, possibly, if the attacker is lazy enough / is just going for volume. But IPv4-wide all-port scans aren't difficult at all, and it usually won't take long until stuff on other ports gets hit too.

    Thanked by 2Falzo Saragoldfarb
  • donli (Member)

    @joepie91 said:

    For the first wave, yes, possibly, if the attacker is lazy enough / is just going for volume.

    It's not laziness on the attackers' part; it's in the attacker's interest to use their time to scan more machines rather than to scan all the ports on each machine.

    But IPv4-wide all-port scans aren't difficult at all, and it usually won't take long until stuff on other ports gets hit too.

    It's that extra time that lets you apply the patch eventually released before your machine gets compromised.

  • @joepie91 said:

    @donli said:

    @Saragoldfarb said:
    I didn't get hit. Maybe because I'm not running on their standard ports.

    A simple but surprisingly effective method to avoid a lot of exploits like this.

    For the first wave, yes, possibly, if the attacker is lazy enough / is just going for volume. But IPv4-wide all-port scans aren't difficult at all, and it usually won't take long until stuff on other ports gets hit too.

    Just wanted to say I always find your posts a good read and it made me implement better security in the past. I agree, changing ports is in no way a security measure but it makes it just a little bit harder for attackers to target you which might just pull you out of the danger zone.

    It's like using a non standard port for SSH. It's a good thing but if at the same time you still allow root login with a password you're not serious about security.

    Thanked by 2gestiondbi joepie91
  • joepie91 (Member, Patron Provider)

    @donli said:

    @joepie91 said:

    For the first wave, yes, possibly, if the attacker is lazy enough / is just going for volume.

    It's not laziness on the attackers' part; it's in the attacker's interest to use their time to scan more machines rather than to scan all the ports on each machine.

    It's definitely laziness. Scanning the entire IPv4 space is so fast, that the difference between "scanning one port" and "scanning every port" is insignificant to anybody who actually cares about coverage. Seriously, the IPv4 space is tiny.

    For IPv6 it gets trickier, but even for that, people are already working on ways to heuristically determine what addresses are worth scanning - unfortunately I can't find the article I'm thinking of right now, though.

    donli said: It's that extra time that lets you apply the patch eventually released before your machine gets compromised.

    Hopefully. In practice, sometimes it will save you for long enough to apply a patch, sometimes the second wave will come too quickly afterwards, sometimes it won't buy you any time at all. It's nice if it gives you a little more time, but you absolutely should not count on it ever doing so. It's by no means guaranteed.

  • donli (Member)

    @joepie91 said:

    tually released before your machine gets compromised.

    Hopefully. In practice, sometimes it will save you for long enough to apply a patch, sometimes the second wave will come too quickly afterwards, sometimes it won't buy you any time at all. It's nice if it gives you a little more time, but you absolutely should not count on it ever doing so. It's by no means guaranteed.

    Yes, you should certainly never count on it giving you any extra time; you should take protective action as soon as you become aware of a problem.

  • Someone said to me, "The best control panel is no control panel".

    Thanked by 1ma2t
  • @joepie91 said: unfortunately I can't find the article I'm thinking of right now, though.

    Were you referring to this?

  • rafaelscs (Member)
    edited April 2018

    Let's face it, any panel can be fucked.
    Look at the bugs cPanel has had in its history.
    Backup is life.

    Thanked by 1Wolveix
  • AlexJones (Member)
    edited April 2018

    I don't run Vesta anymore, but I don't see why people didn't block everything except their IP on the Vesta login port. Least access principle.

    Thanked by 1Wolveix
  • AlyssaD (Member)
    edited April 2018

    @AlexJones said:
    I don't run Vesta anymore, but I don't see why people didn't block everything except their IP on the Vesta login port. Least access principle.

    Shared hosting environments/DHCP Life?

  • @AlyssaD said:

    @AlexJones said:
    I don't run Vesta anymore, but I don't see why people didn't block everything except their IP on the Vesta login port. Least access principle.

    Shared hosting environments/DHCP Life?

    I wouldn't consider any non paid CP to be worthy of reselling.

    Thanked by 1doughmanes
  • Been paying for cPanel for 3-4 years. Can't recall an incident like this...

  • Harambe (Member, Host Rep)

    There's so much conflicting information in those vestacp threads.

    Anecdotally I have a box that was updated less than a week ago from repo, hosted at a large host that definitely had boxes targeted, and it's clean.

    I believe @Falzo posted something similar on that thread as well - has a new install that's clean, but a couple of his older boxes were attacked.

    ¯\_(ツ)_/¯

    Thanked by 1Falzo
  • Falzo (Member)
    edited April 2018

    so far I doubt this.

    there has been one user reporting to be affected by that hack whilst claiming to have had the port 8083 restricted to his own IP. from this and the absence of any log entries he jumped to the conclusion in the quote above, namely that the repos must have been hacked/at fault.

    if that would be the case, I'd really like to know, how that system got any signal/command to actually install and start the trojan. and if that was not externally, there would have been the need to somehow schedule it or use some of the internal cronjobs or whatever...

    I do have a fresh vesta install from april 2nd which had the port open and has not been hacked nor shows any suspicious signs or preparations. two other pretty comparable systems set up on Feb 27th and Mar 28th on the other hand have been hit. does not look like a pattern with relation to the repos though.

    also the attack most likely would not have stopped after providers started blocking port 8083 ... just my opinion though.

    @Harambe said:

    There's so much conflicting information in those vestacp threads.

    Anecdotally I have a box that was updated less than a week ago from repo, hosted at a large host that definitely had boxes targeted, and it's clean.

    I believe @Falzo posted something similar on that thread as well - has a new install that's clean, but a couple of his older boxes were attacked.

    ¯\_(ツ)_/¯

    exactly. I have about 25 vesta installs, from very old to very new. only two have been hit, one at hetzner, one at webtropia. none at OVH (where there are the most of it). so even the IP range scanning theory seems to be quite... guessy.

    but I was quite early in containing it thanks to your posting which made me aware of that issue. so maybe I could shutdown the vesta services on most of the servers just in time (only if one believes that blocking port 8083 has something to do with it though ;-))

    TL;DR: I still think this was a straightforward attack on the API with an injection of malicious code through unescaped POST vars.

    sadly getting evidence and esp. the chance to prove that the patch is really fixing that issue might be a long way to go as long as there are no new occurrences and hits to the honeypots in place.

    until then opinions on the matter will still be like arseholes - everyone's got at least one.

  • Heads up: Vesta appears to be restarted by /usr/local/vesta/bin/v-update-sys-vesta-all overnight, probably after applying the update:

    Apr  9 01:43:01 snuggly CRON[16960]: (admin) CMD (sudo /usr/local/vesta/bin/v-update-sys-vesta-all)
    Apr  9 01:43:23 snuggly systemd[1]: Starting LSB: starts the vesta control panel...
    

    Iptables seems to be the best approach for now in case you don't fully trust their update like I do.

    iptables -A INPUT -p tcp --dport 8083 -j DROP

    Thanked by 1Falzo
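    Following on from the iptables line above and AlexJones's earlier point about allowing only your own IP: the script below is an added example, not code from the thread or from the VestaCP project. It emits an allowlist for the panel port (8083, as in the thread) instead of the blanket DROP, so reviewed rules can be applied with a pipe to sh. The admin addresses passed to it are constructed placeholders from documentation ranges, not real ones.

```shell
#!/bin/sh
# Added example (not from the thread or the VestaCP project): emit iptables rules
# that allow the Vesta panel port only from listed source addresses and drop
# everything else. Rules are printed, not applied, so they can be reviewed;
# pipe the output to `sh` to apply them.
# Assumptions: the panel listens on TCP 8083 (as in the thread); the addresses
# used in the example run below are constructed placeholders (RFC 5737 ranges).

PANEL_PORT=8083

# panel_allowlist_rules PORT IP [IP...]
# Emits one ACCEPT per allowed source, then a final DROP. Order matters: -A
# appends, and iptables matches top-down, so the ACCEPT rules must precede the
# DROP or the DROP would shadow them.
panel_allowlist_rules() {
    port="$1"; shift
    if [ "$#" -eq 0 ]; then
        echo "usage: panel_allowlist_rules PORT IP [IP...]" >&2
        return 1
    fi
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# count_rules TARGET PORT IP [IP...]
# Prints how many emitted rules jump to TARGET (ACCEPT or DROP); a review aid.
count_rules() {
    target="$1"; shift
    panel_allowlist_rules "$@" | grep -c -- "-j $target"
}

# drop_is_last PORT IP [IP...]
# Succeeds only if the DROP rule is the final line, i.e. no ACCEPT is shadowed.
drop_is_last() {
    panel_allowlist_rules "$@" | tail -n 1 | grep -q -- "-j DROP"
}

# Example run with constructed admin addresses (placeholders, not real hosts):
panel_allowlist_rules "$PANEL_PORT" 203.0.113.5 198.51.100.0/24
```

    Two practical notes: rules added with -A live only in the running kernel and are gone after a reboot unless saved with the distribution's persistence mechanism, which matters here because the thread shows the panel service itself being restarted by cron; and for an admin on a DHCP address (AlyssaD's objection) the script simply gets re-run with the new address, ideally a whole ISP range rather than a single host.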
  • HBAndrei (Member, Top Host, Host Rep)

    Harambe said: There's so much conflicting information in those vestacp threads.

    Now someone claims they only got hacked after upgrading to the patched version... so who knows anymore.

    I wouldn't exclude the option that the hackers themselves are posting in that thread trying to derail the investigation as much as possible.
    /takes tinfoil hat off

    Thanked by 2MasonR Wolveix