
VestaCP hit with zeroday exploit [May 19 Security Update] - Page 2

Comments

  • angstrom said: I find it hard to believe that Vesta has only had one security vulnerability until now

    True :)

  • doughmanes Member
    edited April 2018

    Wait, wasn't the community giving a certain guy a bunch of shit over his claims that VESTACP IS GARBAGE AND BELONGS IN THE TRASH

    TOLD YOU SO - TOLD YOU SO - TOLD YOU SO - TOLD YOU SO - TOLD YOU SO - TOLD YOU SO

    Thanked by 1vimalware
  • @doughmanes said:
    Wait, wasn't the community giving a certain guy a bunch of shit over his claims that VESTACP IS GARBAGE AND BELONGS IN THE TRASH

    I'd tell that guy to go and build something better and show it.

    Just because there is a security exploit doesn't mean that the product is trash.

  • It seems like a forum member on the VestaCP forums may have discovered what's being used to exploit the servers..
    https://forum.vestacp.com/viewtopic.php?f=10&t=16556&start=170#p68739

    Thanked by 1FHR
  • Hxxx Member

    Is trash, you are better off using a better trash like cPanel.

    @PremiumN said:

    @doughmanes said:
    Wait, wasn't the community giving a certain guy a bunch of shit over his claims that VESTACP IS GARBAGE AND BELONGS IN THE TRASH

    I'd tell that guy to go and build something better and show it.

    Just because there is a security exploit doesn't mean that the product is trash.

    Thanked by 1doughmanes
  • My nodes are all clean thankfully. Vesta shut down for now

  • FHR Member, Host Rep

    I like Plesk, actually a usable hosting panel. It's expensive though

  • Great, now I'm curious of what's in gcc.sh.

  • @Prime404 said:
    It seems like a forum member on the VestaCP forums may have discovered what's being used to exploit the servers..
    https://forum.vestacp.com/viewtopic.php?f=10&t=16556&start=170#p68739

    Confirmed by Vesta as far as I can tell. They say a patch is coming today.

  • jarjar Patron Provider, Top Host, Veteran

    @doughmanes said:
    Wait, wasn't the community giving a certain guy a bunch of shit over his claims that VESTACP IS GARBAGE AND BELONGS IN THE TRASH

    TOLD YOU SO - TOLD YOU SO - TOLD YOU SO - TOLD YOU SO - TOLD YOU SO - TOLD YOU SO

    Yes I gave that crowd a ton of shit. If I threw out everything imperfect I'd be naked in the corner of an empty room talking about how great I am, which those people are one logical step away from.

    Thanked by 1jvnadr
  • I think the Kloxo fans jumped headfirst into the VestaCP ship

    Thanked by 2mehargags vimalware
  • @Saragoldfarb said:

    @Prime404 said:
    It seems like a forum member on the VestaCP forums may have discovered what's being used to exploit the servers..
    https://forum.vestacp.com/viewtopic.php?f=10&t=16556&start=170#p68739

    Confirmed by Vesta as far as I can tell. They say a patch is coming today.

    Yeah, by studying the code.. it seems to be what's at fault here. Wouldn't surprise me if we see more of these attacks as some of the code for like the API seems to be very unsafe in certain ways.

  • MikePT Moderator, Patron Provider, Veteran
    edited April 2018

    I would recommend that providers issue security advisories as this may have a huge impact. There are many people using VestaCP. This doesn't seem to start only DDoS but SPAM as well; anything actually would be possible since it runs as root, so you should definitely notify your clients as this causes major issues to both parties. If someone here would be willing to pass me the details for a compromised VM so I can investigate this further and narrow down the root of the issue, I would appreciate it. From the comments I have been reading this may be a vulnerability in the API. Roundcube should be excluded for now. I do not have any VestaCP servers as I no longer consider those secure enough. Their team had plenty of time to address this potential security issue. Looking at their changelogs I don't think they take it seriously. I know it's a FOSS project and I am thankful for contributing to the OpenSource community, although the project itself is no longer secure and their team's attitude towards this matter is ridiculous. It may actually cause more harm than good.

    Thanked by 1doughmanes
  • @scorcher9 said:

    angstrom said: why not choose one of the other (good) free panels

    What would be the criteria for choosing one?

    Anyone can do a simple search for vulnerabilities and land on something like this:

    Vesta:
    https://www.cvedetails.com/vulnerability-list/vendor_id-15494/product_id-31935/Vestacp-Vesta-Control-Panel.html
    
    Froxlor:
    https://www.cvedetails.com/vulnerability-list/vendor_id-16113/Froxlor.html
    
    Webmin:
    https://www.cvedetails.com/vulnerability-list/vendor_id-358/Webmin.html
    

    Webmin has the most. So how do you decide then?

    Look for which one has the most shameful exploits and avoid those slackers.

  • jarjar Patron Provider, Top Host, Veteran
    edited April 2018

    the project itself is no longer secure

    Yeah, if it's ever had a code vulnerability you should throw it out and never use it.

    Challenge accepted or is that actually not a good idea? Might that leave you only running things you've coded and even then only until you make a mistake, at which point you curl up in the corner and never touch the internet again because everything is so unsafe? :)

  • doughmanes Member
    edited April 2018

    As somebody who worked through Kloxo/NTP amplification attack related security issues in the past, which involved working non-stop for a few days, yes, opening up tickets to all your customers about issues like this makes you look really good to the customer.

    I'm not saying start blasting your customers with every vulnerability notification on everything but ones that may impact your service/network from customers being vulnerable.

    Encouraging your customers to be on Twitter/FB for alerts like this cuts down on email volume.

    Thanked by 1MikePT
  • MikePT Moderator, Patron Provider, Veteran
    edited April 2018

    @jarland said:

    the project itself is no longer secure

    Yeah, if it's ever had a code vulnerability you should throw it out and never use it.

    Challenge accepted or is that actually not a good idea? Might that leave you only running things you've coded and even then only until you make a mistake, at which point you curl up in the corner and never touch the internet again because everything is so unsafe? :)

    I should rephrase it to:

    "I do not think the project was ever secure".

    This brings memories from HyperVM / Kloxo.
    @jarland please understand that what I mean relates to the developers' attitude towards this major flaw and the outdated VestaCP code.

  • Tom Member

    MikePT said: "I do not think the project was ever secure"

    How come?

  • jarjar Patron Provider, Top Host, Veteran
    edited April 2018

    @MikePT said:

    @jarland said:

    the project itself is no longer secure

    Yeah, if it's ever had a code vulnerability you should throw it out and never use it.

    Challenge accepted or is that actually not a good idea? Might that leave you only running things you've coded and even then only until you make a mistake, at which point you curl up in the corner and never touch the internet again because everything is so unsafe? :)

    I should rephrase it to:

    "I do not think the project was ever secure".

    Late 2013. I've had a pretty good run. Legacy customers knowing that I don't have as much confidence in long term security as cPanel, but it's still a pretty damn good run. In that time there has been a total of 2 concerns.

    Prior to that whmcs had repeat concerns within a 1-2 year time frame and we're all still using it.

    Just saying the whole "well this had a vulnerability, let's all move to the next one that hasn't yet" isn't a healthy attitude. I'd rather be with the dev who learned from a mistake than the one who hasn't yet. Wait until centoswebpanel gets popular enough... No one who codes flawlessly includes an "install teamspeak" button.

    Thanked by 2Plioser coreflux
  • MikePT Moderator, Patron Provider, Veteran

    Furthermore, I read above someone comparing Webmin to VestaCP in terms of security flaws. There is no comparison. Webmin is surely used by many millions of people, so it's obvious they are more often a target. This time it happened to be VestaCP. And gosh, if that really correlates to the API running as root then... Definitely start using something else.

  • MikePT Moderator, Patron Provider, Veteran
    edited April 2018

    @Tom said:

    MikePT said: "I do not think the project was ever secure"

    How come?

    Each to their own.

    @jarland said:

    @MikePT said:

    @jarland said:

    the project itself is no longer secure

    Yeah, if it's ever had a code vulnerability you should throw it out and never use it.

    Challenge accepted or is that actually not a good idea? Might that leave you only running things you've coded and even then only until you make a mistake, at which point you curl up in the corner and never touch the internet again because everything is so unsafe? :)

    I should rephrase it to:

    "I do not think the project was ever secure".

    Late 2013. I've had a pretty good run. Legacy customers knowing that I don't have as much confidence in long term security as cPanel, but it's still a pretty damn good run. In that time there has been a total of 2 concerns.

    Prior to that whmcs had repeat concerns within a 1-2 year time frame and we're all still using it.

    Just saying the whole "well this had a vulnerability, let's all move to the next one that hasn't yet" isn't a healthy attitude. I'd rather be with the dev who learned from a mistake than the one who hasn't yet.

    Definitely agree with you. What I mean is that VestaCP seems to have stalled and it doesn't look like someone else will review the code and contribute to it. And so the project won't evolve/get better.

    Let's not compare VestaCP to WHMCS or cPanel. They have dedicated teams that would act in mere minutes.

  • Around 7 GBs of data was transmitted from the server, not sure if it was spam or ddos, but I wiped it otherwise I would have shared for inspection @MikePT

  • Just out of curiosity, do folks typically/mainly use VestaCP only on Dedi's or is it also pretty commonly used on a VPS?

    Thanked by 1vimalware
  • MikePT Moderator, Patron Provider, Veteran

    @scorcher9 said:
    Around 7 GBs of data was transmitted from the server, not sure if it was spam or ddos, but I wiped it otherwise I would have shared for inspection @MikePT

    Interesting. Too large for SMTP activity in such short time. Did you check your IP in RBLs?

    @nullnothere said:
    Just out of curiosity, do folks typically/mainly use VestaCP only on Dedi's or is it also pretty commonly used on a VPS?

    Seems to be used mostly on VPS.

    Thanked by 1nullnothere
  • MikePT said: Did you check your IP in RBLs?

    Yes I did, it's clean.

  • MikePT Moderator, Patron Provider, Veteran

    @scorcher9 said:

    MikePT said: Did you check your IP in RBLs?

    Yes I did, it's clean.

    Thanks. Even though it's not really instant, it may have been DDoSing. But 7GB is damn low. Anyway, the best thing for now is to disable VestaCP as per @Haramble's post and wait for news from their devs.

    Thanked by 1scorcher9
  • @MikePT said:
    This time it happened to be VestaCP. And gosh if that really correlates to API running as root then... Definitely start using something else.

    As far as I know that's the cause here, as there is no other logical explanation for how a process would get elevated rights otherwise. As far as I know, basically the entire API and all commands in the background run as the user "admin", which has sudo rights and thus root permissions on the system.
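
The privilege model described in this post (a panel service account holding sudo rights, so any flaw in the API becomes root) is something a host can audit directly. The script below is an added example, not code from this thread or from VestaCP; it parses a constructed sudoers file and flags accounts that can run every command as root with no password, which is the condition to scope down.

```sh
#!/bin/sh
# Added example (not from the thread or the VestaCP project): audit a sudoers file
# for accounts that can run commands as root without a password. The "admin"
# user below and the whole file are constructed sample input, not a real system.

SAMPLE_SUDOERS=$(mktemp)
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample, not a real system's sudoers
Defaults    env_reset
root        ALL=(ALL)       ALL
%wheel      ALL=(ALL)       ALL
admin       ALL=(ALL)       NOPASSWD: ALL
backup      ALL=(root)      NOPASSWD: /usr/bin/rsync
EOF

# nopasswd_rules USER FILE: print USER's rules carrying a NOPASSWD tag,
# skipping comment lines.
nopasswd_rules() {
    grep -v '^[[:space:]]*#' "$2" | awk -v u="$1" '$1 == u && /NOPASSWD:/'
}

# count_unrestricted_nopasswd USER FILE: number of USER's rules that grant every
# command ("NOPASSWD: ALL") without a password. A hardened host reports 0.
count_unrestricted_nopasswd() {
    nopasswd_rules "$1" "$2" | awk '/NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { n++ } END { print n + 0 }'
}

# count_scoped_nopasswd USER FILE: NOPASSWD rules limited to named commands,
# the shape a service account should have if it needs sudo at all.
count_scoped_nopasswd() {
    nopasswd_rules "$1" "$2" | awk '!/NOPASSWD:[[:space:]]*ALL[[:space:]]*$/ { n++ } END { print n + 0 }'
}

# audit_sudoers FILE: warn about every account with an unrestricted rule and
# return 1 if any exist, so the check can run from cron or config management.
audit_sudoers() {
    found=0
    for u in $(grep -v '^[[:space:]]*#' "$1" | awk '$1 !~ /^(Defaults|%)/ && /NOPASSWD:/ { print $1 }' | sort -u); do
        n=$(count_unrestricted_nopasswd "$u" "$1")
        if [ "$n" -gt 0 ]; then
            echo "WARNING: $u has $n unrestricted NOPASSWD rule(s) in $1"
            found=1
        fi
    done
    return $found
}

audit_sudoers "$SAMPLE_SUDOERS" || echo "scope the rules above to specific commands"
```

Point it at /etc/sudoers and the files under /etc/sudoers.d on a real host; a command-scoped rule still deserves review if the allowed command can itself run arbitrary programs.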

  • jarjar Patron Provider, Top Host, Veteran

    MikePT said: What I mean is that VestaCP seems to have stalled and it doesn't look like someone else will review the code and contribute to it

    Gonna have to disagree:

    https://github.com/serghey-rodin/vesta/commits/master

  • MikePT Moderator, Patron Provider, Veteran

    @Prime404 said:

    @MikePT said:
    This time it happened to be VestaCP. And gosh if that really correlates to API running as root then... Definitely start using something else.

    As far as I know that's the cause here, as there is no other logical explanation for how a process would get elevated rights otherwise. As far as I know, basically the entire API and all commands in the background run as the user "admin", which has sudo rights and thus root permissions on the system.

    Yep. Hence why I mentioned that I don't think it was even secure to start with. That makes no sense. It also seems that it won't sanitize properly, from some posts I read in their forums.

    The main developer said they found an issue and will be issuing an update today. I would recommend giving it some time. An issue isn't exactly THE ISSUE.

    The API should be disabled until it's rewritten as well, IMHO.

  • MikePT Moderator, Patron Provider, Veteran

    @jarland said:

    MikePT said: What I mean is that VestaCP seems to have stalled and it doesn't look like someone else will review the code and contribute to it

    Gonna have to disagree:

    https://github.com/serghey-rodin/vesta/commits/master

    A "FIX" is relative. The issue here is reviewing the code properly and securing it. The API is the biggest concern I have seen in VestaCP. I think you agree with that, no? API = full access to your server, and no proper sanitization/validation there.
