VestaCP again hacked. UPDATE IMMEDIATELY!

As many of you must be running Vesta control panel, I just wanted to warn you all that servers running it are getting hijacked. We have already updated our servers and checked also if they have been hijacked.
Last time, Vesta servers were participating in a botnet and 4 of our servers were responsible for a huge downtime/network disruption at Contabo according to their team xD.
If you are noticing sudden slow response on your server, this could be the source.
This tutorial can be followed to fix it https://admin-ahead.com/forum/server-security-hardening/unix-trojan-ddos_xor-1-chinese-chicken-multiplatform-dos-botnets-trojan/

Thanked by 1intovps

The end is far away... :)


Comments

  • This is the command to update vesta /usr/local/vesta/bin/v-update-sys-vesta-all
    Restart it afterwards - service vesta restart

    The end is far away... :)

  • deank Member, Troll
    edited June 2018

    And you say the end is far....

    Yeah, right. Embrace the truth and join the cult.

    Have you sued your host yet? Do it now.

  • Clouvider Member, Provider

    cPanel must be really happy ;-)

    Thanked by 1Hxxx

    Clouvider Limited - Leading Hosting & Connectivity Partner || Dedicated Server Sale from £39/m - Our Latest LET Offer

    Cloud Web Hosting | SSD & SAS HA OnApp VPS | US, UK, NL & DE Dedicated Servers | Network Services | Colocation | Managed Services

  • @deank said:
    And you say the end is far....

    Yeah, right. Embrace the truth and join the cult.

    People like me exist who can tackle this and find a solution. Join us :)

    The end is far away... :)

  • @Clouvider said:
    cPanel must be really happy ;-)

    Pakistani hackers exist :)

    The end is far away... :)

  • Falzo Member

    @Neoon said:
    https://forum.vestacp.com/viewtopic.php?f=25&p=71465#p71465

    "Security fix for API hash check"

    Sounds bad.

    while trying to add a fix to the authentication stuff that's happening before api access back in april, they missed/forgot an 'else' ... rendering the whole auth check useless if user and hash were omitted in the post request. free api for everyone...

    in addition to this there is another security hole in one of the cli scripts which was then used to execute code on the system itself. add that to the ability to access the api and you're good to go.

    so far the impact this time seems to be low, afaik only one user reported that he had a miner deployed in tmp and running.

    but from what I have seen the last fix only patches that api problem and not the issue in the cli script that has been used.

    those patches get deployed on the servers automatically at night, so at least this api problem should be solved for now. other holes - not so much.

    Thanked by 2netomx Janevski

    UltraVPS.eu KVM in US/UK/NL/DE: 15% off first 6 month | Netcup VPS/rootDS - 5€ off: 36nc15279180197 (ref)
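The control-flow shape Falzo describes above (credentials are checked only when they are present, and the missing `else` means a request that omits them falls through to "authorised") is easy to misread in prose, so here is an added illustration of that pattern next to a fail-closed version. This is constructed example code, not VestaCP's code and not from anyone in the thread: the user table, the SHA-256 API-key scheme, the request dictionaries and all function names are assumptions made for the demonstration. The `compare()` function is the kind of regression check that would have caught the bug before deployment.

```python
import hashlib
import hmac

# Constructed sample user table: username -> hex SHA-256 of that user's API key.
# Illustration data only; this is not VestaCP's storage format.
USERS = {
    "admin": hashlib.sha256(b"correct-api-key").hexdigest(),
}


def _hash_matches(user: str, presented_hash: str) -> bool:
    """Constant-time comparison of the presented hash against the stored one."""
    stored = USERS.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, presented_hash)


def is_authorised_flawed(request: dict) -> bool:
    """The flawed shape: credentials are verified only when both are present.
    There is no else branch, so a request that omits 'user' or 'hash' never
    reaches a rejection path and falls through to the authorised return."""
    if "user" in request and "hash" in request:
        if not _hash_matches(request["user"], request["hash"]):
            return False
    # Reached by valid requests AND by requests carrying no credentials at all.
    return True


def is_authorised_fixed(request: dict) -> bool:
    """Fail-closed version: every path that does not positively verify the
    credentials rejects the request. The missing else is made explicit."""
    user = request.get("user")
    presented = request.get("hash")
    if user is None or presented is None:
        return False
    return _hash_matches(user, presented)


# Constructed requests resembling the POST parameters an API client would send.
REQUESTS = {
    "valid": {"user": "admin", "hash": hashlib.sha256(b"correct-api-key").hexdigest()},
    "wrong_hash": {"user": "admin", "hash": "0" * 64},
    "user_only": {"user": "admin"},
    "no_credentials": {},
}


def compare() -> dict:
    """Run every sample request through both checks.
    Returns {name: (flawed_result, fixed_result)}; any entry where the two
    differ is a request the flawed check wrongly lets through."""
    return {name: (is_authorised_flawed(r), is_authorised_fixed(r))
            for name, r in REQUESTS.items()}


if __name__ == "__main__":
    for name, (flawed, fixed) in compare().items():
        print(f"{name:15} flawed={str(flawed):5} fixed={fixed}")
```

Only the `valid` and `wrong_hash` requests behave the same under both checks; the two requests with incomplete credentials are accepted by the flawed version and rejected by the fixed one, which is exactly the "free api for everyone" outcome described above.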

  • codetech12 Member
    edited June 2018

    @Falzo said:

    @Neoon said:
    https://forum.vestacp.com/viewtopic.php?f=25&p=71465#p71465

    "Security fix for API hash check"

    Sounds bad.

    while trying to add a fix to the authentication stuff that's happening before api access back in april, they missed/forgot an 'else' ... rendering the whole auth check useless if user and hash were omitted in the post request. free api for everyone...

    in addition to this there is another security hole in one of the cli scripts which was then used to execute code on the system itself. add that to the ability to access the api and you're good to go.

    so far the impact this time seems to be low, afaik only one user reported that he had a miner deployed in tmp and running.

    but from what I have seen the last fix only patches that api problem and not the issue in the cli script that has been used.

    those patches get deployed on the servers automatically at night, so at least this api problem should be solved for now. other holes - not so much.

    They mentioned previously in the April update that they knew about the bug but never even bothered to fix it. And for the updates part, they hardly used to roll out updates even 1-2 times a year. They used to promise an update and release it months later than the date promised.
    This is one reason why we shifted to cPanel.

    And definitely the impact seems to be low this time.

    The end is far away... :)

  • Hxxx Member

    cPanel over VestaCP any day. At least when cPanel gets hacked by a zero day there is an excuse: it is paid software.

    Thanked by 1Janevski
  • Elmo Member

    Also check your VESTA admin passwords and of course the LOG at the GUI, for strange action records.

  • raindog308 Administrator, Moderator

    codetech12 said: Pakistani hackers exist :)

    I missed something...why is Pakistan relevant?

    Thanked by 2dedicados TheKiller

    For LET support, please visit the support desk.

  • Ympker Member
    edited June 2018

    When looking for a free panel imho ISPconfig is the way to go. Appears to be very stable and although I agree Vesta has been smoother usage wise, a stable panel is also worth a lot. ISPconfig even comes with a free script installer that supports wordpress.

    Thanked by 1karjaj
  • ArisC Member

    Thankfully I stopped using VestaCP a while ago before those incidents. So Happy lol. I've been using CentMinMod & CyberPanel since then. Highly recommend CMM!

  • Yura Member

    Does it mean that all Vesta hosting is free for now? Just upload your script and enjoy it, no checkouts, MaxMind checks and money changing hands.

    Thanked by 1Janevski
  • @raindog308 said:

    codetech12 said: Pakistani hackers exist :)

    I missed something...why is Pakistan relevant?

    For discovering and making hacking tools like this one https://toxicmask.blogspot.com/2016/12/how-to-hack-cpanel-manual-cpanel.html
    I remember, some years ago when I was providing free hosting, the same script was uploaded to my server, and it was the only reason I had to stop providing free hosting at that time.

    The end is far away... :)

  • @Yura said:
    Does it mean that all Vesta hosting is free for now? Just upload your script and enjoy it, no checkouts, MaxMind checks and money changing hands.

    Probably, but all the hijacked servers are participating in a botnet

    The end is far away... :)

  • @codetech12 said:

    @raindog308 said:

    codetech12 said: Pakistani hackers exist :)

    I missed something...why is Pakistan relevant?

    For discovering and making hacking tools like this one https://toxicmask.blogspot.com/2016/12/how-to-hack-cpanel-manual-cpanel.html
    I remember, some years ago when I was providing free hosting, the same script was uploaded to my server, and it was the only reason I had to stop providing free hosting at that time.

    Also, if you check some Pakistani seo groups on Facebook, you will see every week hacks being posted publicly (not particularly cPanel). They had once even posted about their hacking attempts and even felt proud because of it.

    The end is far away... :)

  • mksh Member

    @codetech12 said:

    @codetech12 said:

    @raindog308 said:

    codetech12 said: Pakistani hackers exist :)

    I missed something...why is Pakistan relevant?

    For discovering and making hacking tools like this one https://toxicmask.blogspot.com/2016/12/how-to-hack-cpanel-manual-cpanel.html
    I remember, some years ago when I was providing free hosting, the same script was uploaded to my server, and it was the only reason I had to stop providing free hosting at that time.

    Also, if you check some Pakistani seo groups on Facebook, you will see every week hacks being posted publicly (not particularly cPanel). They had once even posted about their hacking attempts and even felt proud because of it.

    Oh my...

  • entrailz Member, Provider

    Oh boy, an easy mistake to make for sure, but it should have been caught a lot earlier. Having an issue this big (70000+ servers found on censys) could have led to some serious issues. I wonder if it was being exploited in the wild or no one really picked up on it prior to the patch.

  • Francisco Top Provider

    @Hxxx said:
    cPanel over VestaCP anyday. At least when cPanel gets hacked by a zero day there is an excuse, is paid software.

    They have a paid bounty system at this point so you don't see 0 days in the wild these days, there's good money in disclosing (usually).

    Francisco

    Thanked by 2vimalware Janevski
    BuyVM - Free DirectAdmin, Softaculous, & Blesta! / Anycast Support! / Windows 2008, 2012, & 2016! / Unmetered Bandwidth!
    BuyShared - Shared & Reseller Hosting / cPanel + Softaculous + CloudLinux / Pure SSD! / Free Dedicated IP Address
  • @Francisco said:

    @Hxxx said:
    cPanel over VestaCP anyday. At least when cPanel gets hacked by a zero day there is an excuse, is paid software.

    They have a paid bounty system at this point so you don't see 0 days in the wild these days, there's good money in disclosing (usually).

    Francisco

    I have been trying to buy a VPS from your site for a very long time. It always says out of stock. When will it be in stock?

    The end is far away... :)

  • deank Member, Troll

    One word: Bribe.

    Have you sued your host yet? Do it now.

  • codetech12 Member
    edited June 2018

    @deank said:
    One word: Bribe.

    lol

    The end is far away... :)

  • vovler Member

    Well, I guess VestaCP will slowly die at this rate

    "They said it's RAID 5" - geekypixal

  • @vovler said:
    Well, I guess VestaCP will slowly die at this rate

    Problem is, VestaCP's team is sleeping all the time and even if they know about any issue, they will still keep sleeping until there is an emergency.

    The end is far away... :)

  • entrailz Member, Provider

    @codetech12 said:

    @vovler said:
    Well, I guess VestaCP will slowly die at this rate

    Problem is, VestaCP's team is sleeping all the time and even if they know about any issue, they will still keep sleeping until there is an emergency.

    inb4 VestaCP leave these issues to abuse them themselves until someone reports it Conspiracy hat

  • vovler Member

    @entrailz said:

    @codetech12 said:

    @vovler said:
    Well, I guess VestaCP will slowly die at this rate

    Problem is, VestaCP's team is sleeping all the time and even if they know about any issue, they will still keep sleeping until there is an emergency.

    inb4 VestaCP leave these issues to abuse them themselves until someone reports it Conspiracy hat

    I would not say themselves, but they may be getting paid to do it for someone. It's free software, and after several years, they probably found a good way to monetize their previous efforts.

    "They said it's RAID 5" - geekypixal

  • NanoG6 Member

    Any free alternative that has easy backup-restore like vestacp? I'm often moving accounts between servers (thanks to LET deals)

  • Can we have the title changed? There is no evidence as of now that any servers have been hacked with this new exploit. It hasn't been seen in the wild. All my servers seem fine, with nothing to worry about.

  • @AlyssaD said:
    Can we have the title changed. There is no evidence as of current that any servers have been hacked with this new exploit?

    Question or statement? A web host on WHT has reported customers affected by this: https://www.webhostingtalk.com/showthread.php?t=1717479&p=10047096#post10047096

    Not using it myself, but I came across a bunch of customer VMs that were affected by this security issue. I believe they're somewhat speedy to react to security issues, looks like this particular issue was reported just 1 day before the official fix was released: https://forum.vestacp.com/viewtopic.php?f=10&t=17167 . They do indeed support Nginx + PHP-FPM as per the "Web" dropdown at https://vestacp.com/install/ .

    * Centmin Mod Project (HTTP/2 support + ngx_pagespeed + Nginx Lua + Vhost Stats)
    * Centmin Mod LEMP Stack Quick Install Guide
  • sin Member

    @NanoG6 said:
    Any free alternative that has easy backup-restore like vestacp? I'm often moving accounts between servers (thanks to LET deals)

    Just use Virtualmin

  • Strike 2!

    Thanked by 1pike

    grape

  • entrailz Member, Provider

    @AlyssaD said:
    Can we have the title changed? There is no evidence as of now that any servers have been hacked with this new exploit. It hasn't been seen in the wild. All my servers seem fine, with nothing to worry about.

    It's likely that your servers auto updated before people got to them. I assume it wasn't exploited pre-fix, but my honeypot saw some attempts once the patch went live.

  • Ympker Member
    edited June 2018

    @NanoG6 said:
    Any free alternative that has easy backup-restore like vestacp? I'm often moving accounts between servers (thanks to LET deals)

    Iirc ispconfig has backup-restore feature :)

  • Luckily I stopped using Vesta after the last exploit in April. And now I'm using ispconfig. So far, so good. :D

  • BlaZe Member, Provider

    @NanoG6 said:
    Any free alternative that has easy backup-restore like vestacp? I'm often moving accounts between servers (thanks to LET deals)

    http://webuzo.com - their backup/restore feature works flawlessly!

    They have a free version as well as a paid one. There isn't any backup/restore feature in the FREE version (http://webuzo.com/compare), but they have it in the paid version.

    VPS monthly license is $2.5/mo http://webuzo.com/pricing

    Artnet - Poland (Gdańsk) based instant setup express dedicated servers & cloud VPS
    ExoticVM.com - Find VPS in exotic locations! - Discussion Thread

  • joepie91 Member, Provider
    edited June 2018

    @entrailz said:
    Oh boy, an easy mistake to make for sure, but it should have been caught a lot earlier. Having an issue this big (70000+ servers found on censys) could have led to some serious issues. I wonder if it was being exploited in the wild or no one really picked up on it prior to the patch.

    Pretty common for hosting-related software unfortunately, paid and free. Absolutely no regression testing, nor even automated tests of security-critical code, and typically code that's structured such that these kind of mistakes are stupidly easy to make.

    This kind of issue could have been wholly prevented with proper development practices.

    EDIT: To be clear, that does not mean that all issues could have been prevented. I'm just talking about this specific one.

    Thanked by 1mohamed
  • https://cyberpanel.net/ FTW! And here is the LET thread.

    RC5 cracker since 1998!

  • NanoG6 Member

    Will check what has been suggested, thanks guys. Hopefully I can install only what's necessary. Another thing I like about vestacp is that I can select which services to install (without mail and dns, for example).

  • cassa Member, Provider
    edited June 2018

    @Neoon said:
    https://forum.vestacp.com/viewtopic.php?f=25&p=71465#p71465

    "Security fix for API hash check"

    Sounds bad.

    welp

    I need to poop

  • Geez, I'm half tempted to do a bit of a penetration test on this app, almost sounds as bad as zPanel ;-)

    Security Consultant

  • joepie91 Member, Provider

    @eastonch said:
    Geez, I'm half tempted to do a bit of a penetration test on this app, almost sounds as bad as zPanel ;-)

    It does, doesn't it? At least the maintainers don't seem to be arrogant twats, though, unlike with zPanel...

    Thanked by 1vimalware
  • vimalware Member
    edited June 2018

    Why is everyone still hostage to this buggy panel?

    Take your data and run to Virtualmin LEMP minimal (pass "--minimal --bundle LEMP" to virtualmin installer script.)

    ref: https://www.virtualmin.com/documentation/installation/automated#toc-lamp-vs-lemp-7YxCS8LI

    1TB Backup-KVM (US) €4.25/mo 2GB Ram!
    (affiliate for 🥰 ) https://clients.inceptionhosting.com/aff.php?aff=401&pid=194

  • @vimalware said:
    Why is everyone still hostage to this buggy panel?

    Take your data and run to Virtualmin LEMP minimal (pass "--minimal --bundle LEMP" to virtualmin installer script.)

    ref: https://www.virtualmin.com/documentation/installation/automated#toc-lamp-vs-lemp-7YxCS8LI

    It is open source. Maybe you could contribute and get these issues fixed... :)

    The end is far away... :)

  • @joepie91 said:

    @eastonch said:
    Geez, I'm half tempted to do a bit of a penetration test on this app, almost sounds as bad as zPanel ;-)

    It does, doesn't it? At least the maintainers don't seem to be arrogant twats, though, unlike with zPanel...

    to my knowledge zPanel was renamed Sentora Panel, which has not been updated since 2015

    The end is far away... :)

  • I was/am interested in contributing to vestacp. It is a promising panel. But there are a few things I never liked about it.

    However, I've made commits to CyberPanel and it's even more promising :) But more features may often mean more possible exploits.

  • joepie91 Member, Provider

    @codetech12 said:

    @vimalware said:
    Why is everyone still hostage to this buggy panel?

    Take your data and run to Virtualmin LEMP minimal (pass "--minimal --bundle LEMP" to virtualmin installer script.)

    ref: https://www.virtualmin.com/documentation/installation/automated#toc-lamp-vs-lemp-7YxCS8LI

    It is open source. Maybe you could contribute and get these issues fixed... :)

    "Just contribute a patch" is rarely the answer to issues like this. Like I mentioned above, in a reasonable development process this vulnerability should never have existed; this isn't an isolated incident, it's indicative of a process issue.

    The problem with process issues is that you can't make PRs to fix them. Trying to contribute patches to issues will just result in perpetually chasing issues, because new ones are being created faster than you could possibly fix them.

    In those situations, it's more useful to focus your attention on a project that doesn't have the process issues, rather than pouring endless amounts of time into an effectively doomed project. Know when to cut your losses and all that.

    @codetech12 said:

    @joepie91 said:

    @eastonch said:
    Geez, I'm half tempted to do a bit of a penetration test on this app, almost sounds as bad as zPanel ;-)

    It does, doesn't it? At least the maintainers don't seem to be arrogant twats, though, unlike with zPanel...

    to my knowledge zPanel was renamed Sentora Panel, which has not been updated since 2015

    In a way. Sentora is technically a fork, I believe.

    Thanked by 1vimalware
  • deank Member, Troll

    A quick browse at their forum reveals some dude with 110 servers hacked to mine coins.

    Have you sued your host yet? Do it now.

  • @deank said:
    A quick browse at their forum reveals some dude with 110 servers hacked to mine coins.

    lenk plox

    The end is far away... :)

  • mksh Member

    @codetech12 said:

    @deank said:
    A quick browse at their forum reveals some dude with 110 servers hacked to mine coins.

    lenk plox

    English only please.
