VestaCP again hacked. UPDATE IMMEDIATELY!

As many of you must be running the Vesta control panel, I just wanted to warn you all that servers running it are getting hijacked. We have already updated our servers and also checked whether they had been hijacked.
Last time, Vesta servers were participating in a botnet and 4 of our servers were responsible for a huge downtime/network disruption at Contabo according to their team xD.
If you are noticing a sudden slow response on your server, this could be the source.
This tutorial can be followed to fix it: https://admin-ahead.com/forum/server-security-hardening/unix-trojan-ddos_xor-1-chinese-chicken-multiplatform-dos-botnets-trojan/
The end is far away...
Comments
This is the command to update Vesta: /usr/local/vesta/bin/v-update-sys-vesta-all
Restart it afterwards: service vesta restart
And you say the end is far....
Yeah, right. Embrace the truth and join the cult.
Have you sued your host yet? Do it now.
cPanel must be really happy ;-)
People like me exist who can tackle this and find a solution. Join us
https://forum.vestacp.com/viewtopic.php?f=25&p=71465#p71465
"Security fix for API hash check"
Sounds bad.
Pakistani hackers exist
While trying to add a fix to the authentication stuff that happens before API access back in April, they missed/forgot an 'else', rendering the whole auth check useless if user and hash were omitted from the POST request. Free API for everyone...
In addition to this there is another security hole in one of the CLI scripts, which was then used to execute code on the system itself. Add that to the ability to access the API and you're good to go.
So far the impact this time seems to be low; afaik only one user reported that he had a miner deployed in tmp and running.
But from what I have seen, the last fix only patches that API problem and not the issue in the CLI script that has been used.
Those patches get deployed on the servers automatically at night, so at least this API problem should be solved for now. Other holes, not so much.
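The missing-else flaw described above, re-created as a constructed Python model (added here; it is not VestaCP's own code, which is PHP, and the user name, password and hashes are placeholders) beside its deny-by-default form, with the regression cases that would have flagged the bug:

```python
"""Constructed model of the API auth flaw described in this thread.
Not VestaCP's own code: a minimal re-creation of the control-flow mistake
(a missing `else` after the credential check) next to its fixed form, plus
the regression check that would have flagged it."""
import hashlib
import hmac

# Constructed credential store; the password and hash are placeholders.
USERS = {"admin": hashlib.sha256(b"placeholder-password").hexdigest()}


def hash_matches(user, given_hash):
    """Constant-time comparison against the stored hash for `user`."""
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, given_hash)


def authorize_vulnerable(post):
    """Mirrors the bug: the check only runs when both fields are posted.
    A request that omits `user` or `hash` never sets `error` and is let in."""
    error = False
    if "user" in post and "hash" in post:
        if not hash_matches(post["user"], post["hash"]):
            error = True
    # The branch that was forgotten:
    # else:
    #     error = True
    return not error


def authorize_fixed(post):
    """Deny by default; authorize only when credentials are present and valid."""
    if "user" in post and "hash" in post:
        return hash_matches(post["user"], post["hash"])
    return False


# Constructed requests covering the cases an auth check must get right.
REGRESSION_CASES = [
    ("valid credentials", {"user": "admin", "hash": USERS["admin"]}, True),
    ("wrong hash", {"user": "admin", "hash": "0" * 64}, False),
    ("unknown user", {"user": "nobody", "hash": USERS["admin"]}, False),
    ("hash omitted", {"user": "admin"}, False),
    ("no credentials at all", {}, False),
]


def failing_cases(authorize):
    """Names of the regression cases where `authorize` gives the wrong answer."""
    return [name for name, post, expected in REGRESSION_CASES
            if authorize(post) is not expected]


if __name__ == "__main__":
    print("vulnerable:", failing_cases(authorize_vulnerable))  # ['hash omitted', 'no credentials at all']
    print("fixed:     ", failing_cases(authorize_fixed))       # []
```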
They mentioned previously in the April update that they knew about the bug but never even bothered to fix it. And as for updates, they hardly used to roll out updates more than 1-2 times a year. They used to promise an update and release it months later than the date promised.
This is one reason why we shifted to cPanel.
And definitely the impact seems to be low this time.
cPanel over VestaCP any day. At least when cPanel gets hacked by a zero day there is an excuse: it is paid software.
Also check your VESTA admin passwords and of course the LOG at the GUI, for strange action records.
I missed something...why is Pakistan relevant?
When looking for a free panel, imho ISPConfig is the way to go. It appears to be very stable, and although I agree Vesta has been smoother usage-wise, a stable panel is also worth a lot. ISPConfig even comes with a free script installer that supports WordPress.
Thankfully I stopped using VestaCP a while ago before those incidents. So Happy lol. I've been using CentMinMod & CyberPanel since then. Highly recommend CMM!
Does it mean that all Vesta hosting is free for now? Just upload your script and enjoy it, no checkouts, MaxMind checks and money changing hands.
l o w e n d p a r a d i s e
For discovering and making hacking tools like this one https://toxicmask.blogspot.com/2016/12/how-to-hack-cpanel-manual-cpanel.html
I remember, some years ago when I was providing free hosting, the same script was uploaded to my server, and that was the only reason I had to stop providing free hosting at that time.
Probably, but all the hijacked servers are participating in a botnet
Also, if you check some Pakistani SEO groups on Facebook, you will see hacks being posted publicly every week (not particularly cPanel). They had once even posted about their hacking attempts and even felt proud of it.
Oh my...
Oh boy, an easy mistake to make for sure, but it should have been caught a lot earlier. Having an issue this big (70000+ servers found on Censys) could have led to some serious issues. I wonder whether it was being exploited in the wild or no one really picked up on it prior to the patch.
They have a paid bounty system at this point so you don't see 0 days in the wild these days, there's good money in disclosing (usually).
Francisco
I have been trying to buy a VPS from your site for a very long time. It always says out of stock. When will it be in stock?
One word: Bribe.
lol
Well, I guess VestaCP will slowly die at this rate
"They said it's RAID 5" - geekypixal
Problem is, VestaCP's team is sleeping all the time and even if they know about any issue, they will still keep sleeping until there is an emergency.
inb4 VestaCP leave these issues to abuse them themselves until someone reports it Conspiracy hat
I would not say themselves, but they may be getting paid to do it for someone. It's free software, and after several years, they probably found a good way to monetize their previous efforts.
Any free alternative that has easy backup/restore like VestaCP? I often move accounts between servers (thanks to LET deals).
Can we have the title changed? There is no evidence as of now that any servers have been hacked with this new exploit. It hasn't been seen in the wild. All my servers seem fine and without anything to worry about.
Question or statement? A web host on WHT has reported customers affected by this: https://www.webhostingtalk.com/showthread.php?t=1717479&p=10047096#post10047096
Just use Virtualmin
Strike 2!
grape
It's likely that your servers auto-updated before people got to them. I assume it wasn't exploited pre-fix, but my honeypot saw some attempts once the patch went live.
Iirc ispconfig has backup-restore feature
Luckily I stopped using Vesta after the last exploit in April. Now I'm using ISPConfig. So far, so good.
http://webuzo.com - their backup/restore feature works flawlessly!
They have a free version as well as a paid one. There isn't any backup/restore feature in the FREE version (http://webuzo.com/compare), but they have it in the paid version.
VPS monthly license is $2.5/mo http://webuzo.com/pricing
Pretty common for hosting-related software, unfortunately, paid and free. Absolutely no regression testing, nor even automated tests of security-critical code, and typically code that's structured such that these kinds of mistakes are stupidly easy to make.
This kind of issue could have been wholly prevented with proper development practices.
EDIT: To be clear, that does not mean that all issues could have been prevented. I'm just talking about this specific one.
https://cyberpanel.net/ FTW! And here is the LET thread.
RC5 cracker since 1998!
Will check what has been suggested, thanks guys. Hopefully I can install only what's necessary. Another thing I like about VestaCP is that I can select which services to install (without mail and DNS, for example).
welp
I need to poop
Geez, I'm half tempted to do a bit of a penetration test on this app, almost sounds as bad as zPanel ;-)
Security Consultant
It does, doesn't it? At least the maintainers don't seem to be arrogant twats, though, unlike with zPanel...
Why is everyone still hostage to this buggy panel?
Take your data and run to Virtualmin LEMP minimal (pass "--minimal --bundle LEMP" to virtualmin installer script.)
ref: https://www.virtualmin.com/documentation/installation/automated#toc-lamp-vs-lemp-7YxCS8LI
It is opensource. Maybe you contribute and get these issues fixed...
To my knowledge zPanel was renamed Sentora Panel, which has not been updated since 2015.
I was/am interested in contributing to VestaCP. It is a promising panel. But there are a few things I never liked about it.
However, I've made commits to CyberPanel and it's even more promising
But more features may often mean more possible exploits.
"Just contribute a patch" is rarely the answer to issues like this. Like I mentioned above, in a reasonable development process this vulnerability should never have existed; this isn't an isolated incident, it's indicative of a process issue.
The problem with process issues is that you can't make PRs to fix them. Trying to contribute patches to issues will just result in perpetually chasing issues, because new ones are being created faster than you could possibly fix them.
In those situations, it's more useful to focus your attention on a project that doesn't have the process issues, rather than pouring endless amounts of time into an effectively doomed project. Know when to cut your losses and all that.
In a way. Sentora is technically a fork, I believe.
A quick browse of their forum reveals some dude with 110 servers hacked to mine coins.
lenk plox
English only please.