VestaCP again hacked. UPDATE IMMEDIATELY!
codetech12
Member
As many of you must be running Vesta control panel, I just wanted to warn you all that servers running it are getting hijacked. We have already updated our servers and checked also if they have been hijacked.
Last time, Vesta servers were participating in a botnet and 4 of our servers were responsible for a huge downtime/network disruption at Contabo according to their team xD.
If you are noticing sudden slow response on your server, this could be the source.
This tutorial can be followed to fix it https://admin-ahead.com/forum/server-security-hardening/unix-trojan-ddos_xor-1-chinese-chicken-multiplatform-dos-botnets-trojan/
Comments
This is the command to update vesta /usr/local/vesta/bin/v-update-sys-vesta-all
Restart it afterwards - service vesta restart
And you say the end is far....
Yeah, right. Embrace the truth and join the cult.
cPanel must be really happy ;-)
People like me exist who can tackle this and find a solution. Join us
https://forum.vestacp.com/viewtopic.php?f=25&p=71465#p71465
"Security fix for API hash check"
Sounds bad.
Pakistani hackers exist
while trying to add a fix to the authentication stuff that's happening before api access back in april, they missed/forgot an 'else' ... rendering the whole auth check useless if user and hash were omitted in the post request. free api for everyone...
in addition to this there is another security hole in one of the cli scripts which was then used to execute code on the system itself. add that to the ability to access the api and you're good to go.
so far the impact this time seems to be low, afaik only one user reported that he had a miner deployed in tmp and running.
but from what I have seen the last fix only patches that api problem and not the issue in the cli script that has been used.
those patches get deployed on the servers automatically at night, so at least this api problem should be solved for now. other holes - not so much.
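The post above describes a missing 'else' in an authentication gate that runs before API access: when the user and hash fields are absent, the rejection branch is never reached and the request falls through as if authenticated. The block below is an added illustration of that general bug class and its fail-closed counterpart; it is not VestaCP's code, and the request dictionaries, the hash scheme and the credential store are all constructed for the example.

```python
# Added example (not VestaCP's code): a fail-open authentication gate that
# skips its check when the credential fields are missing, beside a
# fail-closed gate that denies by default. Everything here is constructed.
import hashlib
import hmac

# Constructed credential store: username -> secret used to derive the API hash.
USER_SECRETS = {"admin": "constructed-placeholder-secret"}


def expected_hash(user: str) -> str:
    """Constructed hash scheme: hex SHA-256 of the user's secret."""
    return hashlib.sha256(USER_SECRETS[user].encode()).hexdigest()


def credentials_valid(user: str, given_hash: str) -> bool:
    """Constant-time comparison of the presented hash against the expected one."""
    if user not in USER_SECRETS:
        return False
    return hmac.compare_digest(given_hash, expected_hash(user))


def gate_fail_open(post: dict) -> bool:
    """Vulnerable pattern: the reject path only exists inside the branch that
    handles *present* fields. A POST with no 'user'/'hash' never enters that
    branch, so nothing rejects it and the request proceeds unauthenticated."""
    if "user" in post and "hash" in post:
        if not credentials_valid(post["user"], post["hash"]):
            return False  # wrong credentials: rejected
    # missing: else -> return False   (fields absent: should also be rejected)
    return True  # reached both after a valid check AND when no check ran


def gate_fail_closed(post: dict) -> bool:
    """Hardened pattern: deny by default. The only path that returns True is
    the one on which a credential was actually verified."""
    user = post.get("user")
    given_hash = post.get("hash")
    if not user or not given_hash:
        return False  # absent or empty fields are a rejection, not a skip
    return credentials_valid(user, given_hash)


def audit_gate(gate) -> dict:
    """Run a gate against constructed requests; used to show the difference."""
    cases = {
        "valid": {"user": "admin", "hash": expected_hash("admin")},
        "wrong_hash": {"user": "admin", "hash": "deadbeef"},
        "unknown_user": {"user": "nobody", "hash": "deadbeef"},
        "no_fields": {},
    }
    return {name: gate(req) for name, req in cases.items()}


if __name__ == "__main__":
    print("fail-open  :", audit_gate(gate_fail_open))
    print("fail-closed:", audit_gate(gate_fail_closed))
```

The useful check when reviewing any pre-auth gate is the "no_fields" case: every path that reaches the protected code must have passed through a verification, and the absence of credentials must be an explicit rejection rather than a skipped branch.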
They mentioned previously in the April update that they knew about the bug but never even bothered to fix it. And for the updates part, they hardly used to roll update 1-2 times in a year. They used to promise an update and used to release it months later than the date promised.
This is one reason why we shifted to cPanel.
And definitely the impact seems to be low this time.
cPanel over VestaCP any day. At least when cPanel gets hacked by a zero day there is an excuse, it is paid software.
Also check your VESTA admin passwords and of course the LOG at the GUI, for strange action records.
I missed something...why is Pakistan relevant?
When looking for a free panel imho ISPconfig is the way to go. Appears to be very stable and although I agree Vesta has been smoother usage-wise, a stable panel is also worth a lot. ISPconfig even comes with a free script installer that supports wordpress.
Thankfully I stopped using VestaCP a while ago before those incidents. So Happy lol. I've been using CentMinMod & CyberPanel since then. Highly recommend CMM!
Does it mean that all Vesta hosting is free for now? Just upload your script and enjoy it, no checkouts, MaxMind checks and money changing hands.
For discovering and making hacking tools like this one https://toxicmask.blogspot.com/2016/12/how-to-hack-cpanel-manual-cpanel.html
I remember, some years ago when I was providing free hosting. The same script was uploaded to my server and the only reason I had to stop providing free hosting at that time.
Probably, but all the hijacked servers are participating in a botnet
Also, if you check some Pakistani seo groups on Facebook, you will see every week hacks being posted publicly (not particularly cPanel). They had once even posted about their hacking attempts and even felt proud because of it.
Oh my...
Oh boy, an easy mistake to make for sure, but should have been caught a lot earlier. Having an issue this big (70000+ servers found on censys) could have led to some serious issues. I wonder if it was being exploited in the wild or no one really picked up on it prior to the patch.
They have a paid bounty system at this point so you don't see 0 days in the wild these days, there's good money in disclosing (usually).
Francisco
I have been trying to buy a VPS from your site for a very long time. It always says out of stock. When will it be in stock?
One word: Bribe.
lol
Well, I guess VestaCP will slowly die at this rate
Problem is, VestaCP's team is sleeping all the time and even if they know about any issue, they will still keep sleeping until there is an emergency.
inb4 VestaCP leave these issues to abuse them themselves until someone reports it Conspiracy hat
I would not say themselves, but they may be getting paid to do it for someone. It's free software, and after several years, they probably found a good way to monetize their previous efforts.
Any free alternative that has easy backup-restore like vestacp? I'm often moving accounts between servers (thanks to LET deals)
Can we have the title changed? There is no evidence as of current that any servers have been hacked with this new exploit. It hasn't been seen in the wild. All my servers seemed fine and without anything to worry about.
question or statement? web host on WHT has reported customers affected by this https://www.webhostingtalk.com/showthread.php?t=1717479&p=10047096#post10047096