Take Heed! (( VestaCP! ))

AlyssaD Member
edited October 2018 in General

Quote from Devs on forum: https://forum.vestacp.com/viewtopic.php?f=10&t=17641&start=180#p73907

@Falzo made the initial discovery it seems. You can see it here: https://forum.vestacp.com/viewtopic.php?f=10&t=17641&start=160#p73881

Long story short, VestaCP's repository got hacked and was used as a relay for passwords being sent by an altered script during the install. Make sure to double check that you aren't on the list.

Also double check to make sure that /usr/bin/dhcprenew doesn't exist on your server. If it does, double check with strings /usr/bin/dhcprenew

http://vestacp.com/test/?ip=127.0.0.1

p.s. I used images instead of copying the text because cloudflare is a butt.

Thanked by 3: sibaper, NanoG6, jar
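The two checks the post above recommends (is the named file present, and what does the installer actually talk to) as an added shell example. This is not code from the post or from the VestaCP project; the helper names, the allowlist of expected hosts and the sample installer written by write_sample_installer are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: post-incident checks an admin could run after
# reading the post above. All helper names here are hypothetical.
#   check_file_absent - reports whether the path the post names exists and, if so,
#                       prints its printable strings for review (the 'strings' step).
#   unexpected_urls   - lists URLs in an installer script whose host is not on an
#                       allowlist; an altered installer that contacts an extra
#                       server shows up here.

# Return 0 if $1 (default: /usr/bin/dhcprenew, as named in the post) is absent.
# Return 1 if it exists, after printing up to 50 printable strings for review.
check_file_absent() {
    path="${1:-/usr/bin/dhcprenew}"
    if [ -e "$path" ]; then
        echo "WARNING: $path exists; review the strings below before acting"
        if command -v strings >/dev/null 2>&1; then
            strings -n 8 "$path" | head -n 50
        else
            # Portable fallback when binutils 'strings' is not installed
            tr -c '[:print:]\n' '\n' < "$path" | grep -E '.{8,}' | head -n 50
        fi
        return 1
    fi
    echo "OK: $path is not present"
    return 0
}

# Print every http(s) URL in script $1, one per line, de-duplicated.
extract_urls() {
    grep -oE 'https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+' "$1" | sort -u
}

# Print the URLs from script $1 whose host is not in the space-separated allowlist $2.
unexpected_urls() {
    allow="$2"
    extract_urls "$1" | while IFS= read -r url; do
        host=$(printf '%s\n' "$url" | sed -E 's#^https?://([^/:?]+).*#\1#')
        case " $allow " in
            *" $host "*) ;;                 # expected host, nothing to report
            *) printf '%s\n' "$url" ;;      # unexpected host, report it
        esac
    done
}

# Constructed sample installer for the demonstration (not the real vst-install script).
write_sample_installer() {
    cat > "$1" <<'EOF'
#!/bin/bash
wget -q http://vestacp.com/pub/vst-install-debian.sh -O /tmp/vst-install.sh
curl -sL https://github.com/serghey-rodin/vesta/commits/master >/dev/null
wget -q http://not-vestacp.example.invalid/extra.sh -O /tmp/extra.sh
EOF
}

# Demonstration: the file check on the default path, then the URL audit on the sample.
check_file_absent || echo "Review required."
sample=$(mktemp)
write_sample_installer "$sample"
echo "URLs contacting hosts outside the allowlist:"
unexpected_urls "$sample" "vestacp.com github.com"
rm -f "$sample"
```

Run it as root on the affected host; a non-zero return from check_file_absent only means the file is there and needs a look, not that it is necessarily the component described in the thread. The allowlist should contain only the hosts you expect the installer to download from.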

Comments

  • Aren't the monthly vestacp issues getting tiresome for people?

    Thanked by 1: Aidan
  • Harambe Member, Host Rep

    @OmgpleaseRead said:
    Aren't the monthly vestacp issues getting tiresome for people?

    Yup!

  • Eased Member, Host Rep
    edited October 2018

    There are people in this community who vigilantly defend VestaCP...

    I enjoy the lulz.

  • deank Member, Troll
    edited October 2018

    The sad thing about this whole fiasco is that nobody seems to have a clue.

    It's like watching a headless chicken running into the mouth of a lion.

    Thanked by 1: FHR
  • @Eased said:
    There are people in this community who vigilantly defend VestaCP...

    I enjoy the lulz.

    s/VestaCP/WordPress/

  • Blunder from the VestaCP developer. Why the hell do they need your password?

    What did they check when you put your IP on that website? They didn't say what to do on an affected server.

    stay.far.away

  • 101 reasons to not use VestaCraP

  • Patch is coming out soon. Changes uploaded to github: https://github.com/serghey-rodin/vesta/commits/master

  • jsg Member, Resident Benchmarker

    There are certain kinds of mistakes a knowledgeable developer (or team) knowing and caring about safety just doesn't make. I'm not talking about high level verification stuff, not even about not using PHP but about basic sound and solid design and craftsmanship.

    If someone has had the kind of problems VestaCP had I'm not interested in patches anymore because you'll end up staying in an ugly and painful wheel.

    Patches can fix oopses and glitches. What patches just can't fix is general incompetence, carelessness, and cluelessness.

    ByeByeVestaCP

    Thanked by 2: vimalware, FHR
  • "Professionally coded"

  • Hold your horses. This is a free product (for the majority of users) and open source. Fork it, do it better, help development (if you have enough skill) instead of spilling your rotten anger.

    VestaCP is good for what it is. Firewall the shit out of your server, turn off VestaCP when you do not manage anything with it. That's it. My VestaCP has been spinning for 3 years already. No problems.

    Damn, I miss @Nekki and his attitude towards nagging scum.

  • @LTniger said:
    VestaCP is good for what it is. Firewall the shit out of your server, turn off VestaCP when you do not manage anything with it.

    That's like saying herpes is good for what it is as long as you don't use Tinder.

  • @LTniger said:
    VestaCP is good for what it is. Firewall the shit out of your server, turn off VestaCP when you do not manage anything with it. That's it. My VestaCP has been spinning for 3 years already. No problems.

    So their code being manipulated for months and them not acknowledging the hack makes it good? All passwords were submitted to their servers in plain text.

  • vimalware Member
    edited October 2018

    When you need a firewall control panel for your Web hosting control panel....

    Edit: I nominate VestaVestCP

  • jsg Member, Resident Benchmarker
    edited October 2018

    @LTniger said:
    Hold your horses. This is a free product (for the majority of users) and open source. Fork it, do it better, help development (if you have enough skill) instead of spilling your rotten anger.

    VestaCP is good for what it is. Firewall the shit out of your server, turn off VestaCP when you do not manage anything with it. That's it. My VestaCP has been spinning for 3 years already. No problems.

    For a start I wasn't angry. I merely said what I rationally thought and know.

    As for "open source": NO, "it's free" or "it's open source" is NOT an excuse. Also it doesn't make the problems somehow magically disappear.

    The question isn't opensource/free/commercial. The question is whether a reasonable minimum level of professionality and quality are met.

    Just imagine all the servers that are holding more or less personal or even sensitive data. You want to tell the doxed or harmed users "It's open source/free!"?

    Thanked by 1: desperand
  • jsg said: The question is whether a reasonable minimum level of professionality and quality are met.

    It's about money and team. Mostly about money.
    Their business model - garbage for them.

    Their product - piece of shit too. Not because of a lack of professionalism, but because of the amount of work, which they physically can't maintain.

    What do I mean?

    • Zoo of distros supported
    • Zoo of software included
    • Few devs (JUST a few) for a super mega big project
    • They must support a super big community
    • They must support thousands of conflicts and dependencies in software in each distro
    • They physically will not have the time to do ANY of the above things well.

    They must (just my point of view)

    • Drop support for all distros
    • Just focus on the code they write
    • Write technically good documentation with dozens of examples
    • Use docker / kubernetes for their work, which will be unbound from different software and will work in a container on almost all distros
    • They must remove a hell of a lot of code and different trash modules from their software (I'm too lazy to list even a few of them, but believe me, I have checked their repo).
    • If they make just a CP in a container where each component is strictly isolated from the others and does not depend on any other part, and the complexity of the final product is decreased - they will dominate the market.
  • Levi Member
    edited October 2018

    @jsg said:

    How about that part about helping to improve open source software?

  • jsg Member, Resident Benchmarker

    @LTniger said:

    @jsg said:

    How about that part about helping to improve open source software?

    As you insist to ask: I don't think that any respectable and reasonably professional developer would touch that kind of sh*t. They'd rather do a fresh start.

  • @jsg said:

    @LTniger said:

    @jsg said:

    How about that part about helping to improve open source software?

    As you insist to ask: I don't think that any respectable and reasonably professional developer would touch that kind of sh*t. They'd rather do a fresh start.

    A fresh start will just hurt more innocent people. They should simply close their door and move on.

  • It's a good concept with really bad code; right now it's just PESTacp.....

  • Open source web hosting software compromised with DDoS malware

    https://www.zdnet.com/article/open-source-web-hosting-software-compromised-with-ddos-malware/

    Thanked by 1: Falzo
  • @connercg said:
    Open source web hosting software compromised with DDoS malware

    https://www.zdnet.com/article/open-source-web-hosting-software-compromised-with-ddos-malware/

    While the video seems totally unrelated, I'd say that article sums it up pretty well - BUT the timeframe given does not match my findings, though it might be OS related. I have servers installed with Debian and found the infected installer on one set up on August 13th, but not on another set up July 22nd.

    As the timestamp of the installer script is sometime in mid-May, I'd rather guess the other post on their forums is messing up dates or has been misunderstood.

  • The main problem, for me, about VestaCP at the moment is really communication and clarification about this and other incidents.

    I really love the simplicity of the control panel. It's not a CP for massive use (e.g. reseller and shared hosting) but it's perfect to save some time (and money) when administering a little VPS or a single-domain VPS.

    I like the fact that, for example, I can turn the CP itself off and on, and it doesn't compromise the rest of the services; it's independent and I love that.
    The other thing is the options for a minimal or max install; for example, I never install mail, DNS, etc. It's just nginx-fpm, maria/mysql and firewall.
    Sincerely, what other panels (even paid) can give you this kind of freedom and low resource usage?

    VestaCP is a great CP made by great people. Sometimes people make mistakes, and sometimes people learn from them (not necessarily tech or code mistakes, but human, communication and project management ones). Let's hope that this is the case.

  • @claudiof said:
    The main problem, for me, about VestaCP at the moment is really communication and clarification about this and other incidents.

    I really love the simplicity of the control panel. It's not a CP for massive use (e.g. reseller and shared hosting) but it's perfect to save some time (and money) when administering a little VPS or a single-domain VPS.

    I like the fact that, for example, I can turn the CP itself off and on, and it doesn't compromise the rest of the services; it's independent and I love that.
    The other thing is the options for a minimal or max install; for example, I never install mail, DNS, etc. It's just nginx-fpm, maria/mysql and firewall.
    Sincerely, what other panels (even paid) can give you this kind of freedom and low resource usage?

    VestaCP is a great CP made by great people. Sometimes people make mistakes, and sometimes people learn from them (not necessarily tech or code mistakes, but human, communication and project management ones). Let's hope that this is the case.

    Fully agree on that.

    And just for reference, leaving this here - https://web.archive.org/web/20181019113122/https://forum.vestacp.com/viewtopic.php?f=10&t=17641&start=200

    Got the feeling I am not so welcome anymore over there :/

  • Meh, I was looking at it... and someone could easily brute force the /test/ address and find all ips that were exploited.

  • @AlyssaD said:
    Meh, I was looking at it... and someone could easily brute force the /test/ address and find all ips that were exploited.

    What else is new

  • VestaCP is gaining popularity.

  • Clouvider Member, Patron Provider
  • jsg Member, Resident Benchmarker
    edited October 2018

    Read it, thanks.

    skid (VestaCP Team) said:
    we were not sure we understand the whole picture.
    ...
    The issue number one
    Our infrastructure server was hacked. Presumably using API bug

    No VestaCP, you fail to understand even that.

    The "issue number one" is that you, VestaCP, are a bunch of clueless and shockingly unprofessional junk typists and make shifters who in all seriousness dare to offer something which you -obviously and proven- fail to properly understand and which you then implemented extremely poorly.
