VestaCP again hacked. UPDATE IMMEDIATELY!
As many of you must be running Vesta control panel, I just wanted to warn you all that servers running it are getting hijacked. We have already updated our servers and checked also if they have been hijacked.
Last time, Vesta servers were participating in a botnet and 4 of our servers were responsible for a huge downtime/network disruption at Contabo according to their team xD.
If you are noticing sudden slow response on your server, this could be the source.
This tutorial can be followed to fix it https://admin-ahead.com/forum/server-security-hardening/unix-trojan-ddos_xor-1-chinese-chicken-multiplatform-dos-botnets-trojan/

Thanked by 1intovps

Comments

  • This is the command to update vesta /usr/local/vesta/bin/v-update-sys-vesta-all
    Restart it afterwards - service vesta restart

  • deankdeank Member, Troll
    edited June 2018

    And you say the end is far....

    Yeah, right. Embrace the truth and join the cult.

  • ClouviderClouvider Member, Patron Provider

    cPanel must be really happy ;-)

    Thanked by 1Hxxx
  • @deank said:
    And you say the end is far....

    Yeah, right. Embrace the truth and join the cult.

    People like me exist who can tackle this and find a solution. Join us :)

  • NeoonNeoon Community Contributor, Veteran

    https://forum.vestacp.com/viewtopic.php?f=25&p=71465#p71465

    "Security fix for API hash check"

    Sounds bad.

  • @Clouvider said:
    cPanel must be really happy ;-)

    Pakistani hackers exist :)

  • FalzoFalzo Member

    @Neoon said:
    https://forum.vestacp.com/viewtopic.php?f=25&p=71465#p71465

    "Security fix for API hash check"

    Sounds bad.

    while trying to add a fix to the authentication stuff that's happening before api access back in april, they missed/forgot an 'else' ... rendering the whole auth check useless if user and hash was omitted in the post request. free api for everyone...

    in addition to this there is another security hole in one of the cli scripts which was then used to execute code on the system itself. add that to the ability to access the api and you're good to go.

    so far the impact this time seems to be low, afaik only one user reported that he had a miner deployed in tmp and running.

    but from what I have seen the last fix only patches that api problem and not the issue in the cli script that has been used.

    those patches get deployed on the servers automatically at night, so at least this api problem should be solved for now. other holes - not so much.

    Thanked by 2netomx Janevski
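The bug Falzo describes above is a fail-open authentication check: a reject branch that only runs when credentials are present and wrong, so a request that omits them never hits it. The following is an added illustration of that control-flow pattern and its fail-closed counterpart; it is not VestaCP's code, and the request layout, the SHA-256 credential store, and all function names are assumptions made for the example.

```python
"""Fail-open vs. fail-closed API authentication check (constructed example).

Illustrates the class of bug discussed in the thread: a check that only
rejects when credentials are supplied and wrong, and silently passes when
they are absent. Not VestaCP's code; the request format, hashing scheme
and names are assumptions.
"""
import hashlib
import hmac

# Constructed credential store: user -> sha256 of the API password.
_USERS = {"admin": hashlib.sha256(b"correct horse battery staple").hexdigest()}


def _hash_matches(user: str, given_hash: str) -> bool:
    """Constant-time comparison against the stored hash (hypothetical scheme)."""
    expected = _USERS.get(user)
    if expected is None or not isinstance(given_hash, str):
        return False
    return hmac.compare_digest(expected, given_hash)


def authenticate_fail_open(post: dict) -> bool:
    """Broken pattern: the reject branch only runs when the fields are present.

    If 'user' and 'hash' are omitted from the POST body, no condition fires
    and control falls through to the default 'allowed' value.
    """
    allowed = True
    if "user" in post and "hash" in post:
        if not _hash_matches(post["user"], post["hash"]):
            allowed = False
    # missing branch:  else: allowed = False
    return allowed


def authenticate_fail_closed(post: dict) -> bool:
    """Hardened pattern: deny by default, allow only on a positive match."""
    user = post.get("user")
    given = post.get("hash")
    if not user or not given:
        return False
    return _hash_matches(user, given)


def audit_requests(requests, check):
    """Run (label, post) pairs through a check; return {label: decision}."""
    return {label: check(post) for label, post in requests}


# Constructed sample POST bodies: one valid, one with a wrong hash,
# one with the credential fields left out entirely.
SAMPLE_REQUESTS = [
    ("valid", {"user": "admin", "hash": _USERS["admin"], "cmd": "example"}),
    ("wrong_hash", {"user": "admin", "hash": "0" * 64, "cmd": "example"}),
    ("no_creds", {"cmd": "example"}),
]

if __name__ == "__main__":
    for name, fn in (("fail-open", authenticate_fail_open),
                     ("fail-closed", authenticate_fail_closed)):
        print(name, audit_requests(SAMPLE_REQUESTS, fn))
```

Running it shows the difference on the `no_creds` request: the fail-open check returns True, the fail-closed check returns False. The defensive habit is to start from a denied state and return True only after an explicit, positive credential match, so that an omitted field can never reach the allowed path.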
  • codetech12codetech12 Member
    edited June 2018

    @Falzo said:

    @Neoon said:
    https://forum.vestacp.com/viewtopic.php?f=25&p=71465#p71465

    "Security fix for API hash check"

    Sounds bad.

    while trying to add a fix to the authentication stuff that's happening before api access back in april, they missed/forgot an 'else' ... rendering the whole auth check useless if user and hash was omitted in the post request. free api for everyone...

    in addition to this there is another security hole in one of the cli scripts which was then used to execute code on the system itself. add that to the ability to access the api and you're good to go.

    so far the impact this time seems to be low, afaik only one user reported that he had a miner deployed in tmp and running.

    but from what I have seen the last fix only patches that api problem and not the issue in the cli script that has been used.

    those patches get deployed on the servers automatically at night, so at least this api problem should be solved for now. other holes - not so much.

    They mentioned previously in the April update that they knew about the bug but never even bothered to fix it. And for the updates part, they hardly used to roll update 1-2 times in a year. They used to promise an update and used to release it months later than the date promised.
    This is one reason why we shifted to cPanel.

    And definitely the impact seems to be low this time.

  • HxxxHxxx Member

    cPanel over VestaCP any day. At least when cPanel gets hacked by a zero day there is an excuse: it's paid software.

    Thanked by 1Janevski
  • ElmoElmo Member

    Also check your VESTA admin passwords and of course the LOG at the GUI, for strange action records.

  • raindog308raindog308 Administrator, Veteran

    codetech12 said: Pakistani hackers exist :)

    I missed something...why is Pakistan relevant?

    Thanked by 2dedicados TheKiller
  • YmpkerYmpker Member
    edited June 2018

    When looking for a free panel imho ISPconfig is the way to go. Appears to be very stable and although I agree Vesta has been smoother usage wise, a stable panel is also worth a lot. ISPconfig even comes with a free script installer that supports wordpress.

    Thanked by 1karjaj
  • ArisCArisC Member

    Thankfully I stopped using VestaCP a while ago before those incidents. So Happy lol. I've been using CentMinMod & CyberPanel since then. Highly recommend CMM!

  • YuraYura Member

    Does it mean that all Vesta hosting is free for now? Just upload your script and enjoy it, no checkouts, MaxMind checks and money changing hands.

    Thanked by 1Janevski
  • @raindog308 said:

    codetech12 said: Pakistani hackers exist :)

    I missed something...why is Pakistan relevant?

    For discovering and making hacking tools like this one https://toxicmask.blogspot.com/2016/12/how-to-hack-cpanel-manual-cpanel.html
    I remember, some years ago when I was providing free hosting. The same script was uploaded to my server and the only reason I had to stop providing free hosting at that time.

  • @Yura said:
    Does it mean that all Vesta hosting is free for now? Just upload your script and enjoy it, no checkouts, MaxMind checks and money changing hands.

    Probably, but all the hijacked servers are participating in a botnet

  • @codetech12 said:

    @raindog308 said:

    codetech12 said: Pakistani hackers exist :)

    I missed something...why is Pakistan relevant?

    For discovering and making hacking tools like this one https://toxicmask.blogspot.com/2016/12/how-to-hack-cpanel-manual-cpanel.html
    I remember, some years ago when I was providing free hosting. The same script was uploaded to my server and the only reason I had to stop providing free hosting at that time.

    Also, if you check some Pakistani seo groups on Facebook, you will see every week hacks being posted publicly (not particularly cPanel). They had once even posted about their hacking attempts and even felt proud because of it.

  • mkshmksh Member

    @codetech12 said:

    @codetech12 said:

    @raindog308 said:

    codetech12 said: Pakistani hackers exist :)

    I missed something...why is Pakistan relevant?

    For discovering and making hacking tools like this one https://toxicmask.blogspot.com/2016/12/how-to-hack-cpanel-manual-cpanel.html
    I remember, some years ago when I was providing free hosting. The same script was uploaded to my server and the only reason I had to stop providing free hosting at that time.

    Also, if you check some Pakistani seo groups on Facebook, you will see every week hacks being posted publicly (not particularly cPanel). They had once even posted about their hacking attempts and even felt proud because of it.

    Oh my...

  • entrailzentrailz Member, Host Rep

    Oh boy, an easy mistake to make for sure, but should have been caught a lot earlier. Having an issue this big (70000+ servers found on censys) could have led to some serious issues. I wonder if it was being exploited in the wild or no one really picked up on it prior to the patch.

  • FranciscoFrancisco Top Host, Host Rep, Veteran

    @Hxxx said:
    cPanel over VestaCP any day. At least when cPanel gets hacked by a zero day there is an excuse: it's paid software.

    They have a paid bounty system at this point so you don't see 0 days in the wild these days, there's good money in disclosing (usually).

    Francisco

    Thanked by 2vimalware Janevski
  • @Francisco said:

    @Hxxx said:
    cPanel over VestaCP any day. At least when cPanel gets hacked by a zero day there is an excuse: it's paid software.

    They have a paid bounty system at this point so you don't see 0 days in the wild these days, there's good money in disclosing (usually).

    Francisco

    I have been trying to buy a VPS from your site for a very long time. It always says out of stock. When will it be in stock?

  • deankdeank Member, Troll

    One word: Bribe.

  • codetech12codetech12 Member
    edited June 2018

    @deank said:
    One word: Bribe.

    lol

  • vovlervovler Member

    Well, I guess VestaCP will slowly die at this rate

  • @vovler said:
    Well, I guess VestaCP will slowly die at this rate

    Problem is, VestaCP's team is sleeping all the time and even if they know about any issue, they will still keep sleeping until there is an emergency.

  • entrailzentrailz Member, Host Rep

    @codetech12 said:

    @vovler said:
    Well, I guess VestaCP will slowly die at this rate

    Problem is, VestaCP's team is sleeping all the time and even if they know about any issue, they will still keep sleeping until there is an emergency.

    inb4 VestaCP leave these issues to abuse them themselves until someone reports it Conspiracy hat

  • vovlervovler Member

    @entrailz said:

    @codetech12 said:

    @vovler said:
    Well, I guess VestaCP will slowly die at this rate

    Problem is, VestaCP's team is sleeping all the time and even if they know about any issue, they will still keep sleeping until there is an emergency.

    inb4 VestaCP leave these issues to abuse them themselves until someone reports it Conspiracy hat

    I would not say themselves, but they may be getting paid to do it for someone. It's free software, and after several years, they probably found a good way to monetize their previous efforts.

  • NanoG6NanoG6 Member

    Any free alternative that has easy backup-restore like vestacp? I'm often moving accounts between servers (thanks to LET deals)

  • Can we have the title changed? There is no evidence as of current that any servers have been hacked with this new exploit. It hasn't been seen in the wild. All my servers seemed fine and without anything to worry about.

  • eva2000eva2000 Veteran

    @AlyssaD said:
    Can we have the title changed. There is no evidence as of current that any servers have been hacked with this new exploit?

    question or statement ? web host on WHT has reported customers affected by this https://www.webhostingtalk.com/showthread.php?t=1717479&p=10047096#post10047096

    Not using it myself, but I came across a bunch of customer VMs that were affected by this security issue. I believe they're somewhat speedy to react to security issues, looks like this particular issue was reported just 1 day before the official fix was released: https://forum.vestacp.com/viewtopic.php?f=10&t=17167 . They do indeed support Nginx + PHP-FPM as per the "Web" dropdown at https://vestacp.com/install/ .
