VestaCP again hacked. UPDATE IMMEDIATELY! - Page 2

Comments

  • sinsin Member

    @NanoG6 said:
    Any free alternative that has easy backup-restore like vestacp? I'm often moving accounts between servers (thanks to LET deals)

    Just use Virtualmin

  • Strike 2!

    Thanked by: pike
  • entrailz Member, Host Rep

    @AlyssaD said:
    Can we have the title changed? There is no evidence as of now that any servers have been hacked with this new exploit. It hasn't been seen in the wild. All my servers seemed fine, with nothing to worry about.

    It's likely that your servers auto-updated before people got to them. I assume it wasn't exploited pre-fix, but my honeypot saw some attempts once the patch went live.

  • Ympker Member
    edited June 2018

    @NanoG6 said:
    Any free alternative that has easy backup-restore like vestacp? I'm often moving accounts between servers (thanks to LET deals)

    Iirc ispconfig has backup-restore feature :)

  • Luckily I stopped using Vesta after the last exploit in April. And now I'm using ispconfig. So far, so good. :D

  • BlaZe Member, Host Rep

    @NanoG6 said:
    Any free alternative that has easy backup-restore like vestacp? I'm often moving accounts between servers (thanks to LET deals)

    http://webuzo.com - their backup/restore feature works flawlessly!

    They have a free version as well as a paid one. There isn't any backup/restore feature for the FREE version (http://webuzo.com/compare), but they have it for the paid version.

    VPS monthly license is $2.5/mo http://webuzo.com/pricing

  • joepie91 Member, Patron Provider
    edited June 2018

    @entrailz said:
    Oh boy, an easy mistake to make for sure, but it should have been caught a lot earlier. Having an issue this big (70000+ servers found on censys) could have led to some serious issues. I wonder if it was being exploited in the wild or no one really picked up on it prior to the patch.

    Pretty common for hosting-related software unfortunately, paid and free. Absolutely no regression testing, nor even automated tests of security-critical code, and typically code that's structured such that these kinds of mistakes are stupidly easy to make.

    This kind of issue could have been wholly prevented with proper development practices.

    EDIT: To be clear, that does not mean that all issues could have been prevented. I'm just talking about this specific one.

    Thanked by: mohamed
  • https://cyberpanel.net/ FTW! And here is the LET thread.

  • NanoG6 Member

    Will check what has been suggested, thanks guys. Hopefully I can install only what's necessary. Another thing I like about vestacp is that I can select which services to install (without mail and DNS, for example).

  • cassa Member
    edited June 2018

    @Neoon said:
    https://forum.vestacp.com/viewtopic.php?f=25&p=71465#p71465

    "Security fix for API hash check"

    Sounds bad.

    welp

  • Geez, I'm half tempted to do a bit of a penetration test on this app, almost sounds as bad as zPanel ;-)

  • joepie91 Member, Patron Provider

    @eastonch said:
    Geez, I'm half tempted to do a bit of a penetration test on this app, almost sounds as bad as zPanel ;-)

    It does, doesn't it? At least the maintainers don't seem to be arrogant twats, though, unlike with zPanel...

    Thanked by: vimalware
  • vimalware Member
    edited June 2018

    Why is everyone still hostage to this buggy panel?

    Take your data and run to Virtualmin LEMP minimal (pass "--minimal --bundle LEMP" to virtualmin installer script.)

    ref: https://www.virtualmin.com/documentation/installation/automated#toc-lamp-vs-lemp-7YxCS8LI

  • @vimalware said:
    Why is everyone still hostage to this buggy panel?

    Take your data and run to Virtualmin LEMP minimal (pass "--minimal --bundle LEMP" to virtualmin installer script.)

    ref: https://www.virtualmin.com/documentation/installation/automated#toc-lamp-vs-lemp-7YxCS8LI

    It is open source. Maybe you could contribute and get these issues fixed... :)

  • @joepie91 said:

    @eastonch said:
    Geez, I'm half tempted to do a bit of a penetration test on this app, almost sounds as bad as zPanel ;-)

    It does, doesn't it? At least the maintainers don't seem to be arrogant twats, though, unlike with zPanel...

    To my knowledge, zPanel was renamed Sentora Panel, which has not been updated since 2015.

  • I was/am interested in doing some contribution to vestacp. It is a promising panel. But there are a few things I never liked about it.

    However, I've made commits to CyberPanel and it's even more promising :) But more features may often mean more possible exploits.

  • joepie91 Member, Patron Provider

    @codetech12 said:

    @vimalware said:
    Why is everyone still hostage to this buggy panel?

    Take your data and run to Virtualmin LEMP minimal (pass "--minimal --bundle LEMP" to virtualmin installer script.)

    ref: https://www.virtualmin.com/documentation/installation/automated#toc-lamp-vs-lemp-7YxCS8LI

    It is open source. Maybe you could contribute and get these issues fixed... :)

    "Just contribute a patch" is rarely the answer to issues like this. Like I mentioned above, in a reasonable development process this vulnerability should never have existed; this isn't an isolated incident, it's indicative of a process issue.

    The problem with process issues is that you can't make PRs to fix them. Trying to contribute patches to issues will just result in perpetually chasing issues, because new ones are being created faster than you could possibly fix them.

    In those situations, it's more useful to focus your attention on a project that doesn't have the process issues, rather than pouring endless amounts of time into an effectively doomed project. Know when to cut your losses and all that.

    @codetech12 said:

    @joepie91 said:

    @eastonch said:
    Geez, I'm half tempted to do a bit of a penetration test on this app, almost sounds as bad as zPanel ;-)

    It does, doesn't it? At least the maintainers don't seem to be arrogant twats, though, unlike with zPanel...

    To my knowledge, zPanel was renamed Sentora Panel, which has not been updated since 2015.

    In a way. Sentora is technically a fork, I believe.

    Thanked by: vimalware
  • deank Member, Troll

    A quick browse at their forum reveals some dude with 110 servers hacked to mine coins.

  • @deank said:
    A quick browse at their forum reveals some dude with 110 servers hacked to mine coins.

    lenk plox

  • mksh Member

    @codetech12 said:

    @deank said:
    A quick browse at their forum reveals some dude with 110 servers hacked to mine coins.

    lenk plox

    English only please.

  • deank Member, Troll

    It's just his way of saying the end is nigh.

  • jar Patron Provider, Top Host, Veteran

    Yay

  • @mksh said:

    @codetech12 said:

    @deank said:
    A quick browse at their forum reveals some dude with 110 servers hacked to mine coins.

    lenk plox

    English only please.

    link please.

  • @deank said:
    It's just his way of saying the end is nigh.

  • mksh Member

    @deank said:
    It's just his way of saying the end is nigh.

    Thanks for the translation. I don't happen to speak tard.

  • deank Member, Troll

    @mksh said:
    Thanks for the translation. I don't happen to speak tard.

    No problem. I am a tard, so I immediately understood. He's just too shy to admit.

    Thanked by: mksh
  • jar Patron Provider, Top Host, Veteran
    edited June 2018

    Yeah I might have a mild disclosure to make. I feel like I told everyone from the beginning that vestacp wasn't something I was sure would be safe long term, but that I'd continue to offer it if people wanted it. Choose your own adventure kind of game.

    Luckily I take a few measures to monitor server activity externally, since you can never 100% trust that local logs haven't been tampered with to hide malicious activity. Looks like I came out with no harm done, but that could've been bad. Still, a full disclosure after dotting the I's and crossing the T's is the right thing to do, even if no customer data had been accessed. I need to keep digging on that before I can make a fully informed disclosure.

    Learn from me on this: I let people choose vestacp if they didn't mind the risk, if they trusted the panel. I only marketed it to people who knew damn well what it was. I posted walls of text above the order links telling people not to order it if they didn't know exactly what it was. Instead I got a bunch of people falling over themselves to order it who would actually complain when I took the panel down due to known vulnerabilities (some even did chargebacks). Sometimes people suck. I'm never doing it again.

    Also, take this as confirmation that a server updated after the previous issue had been fixed, and that did not have the default roundcube installation accessible, has been compromised by a seemingly automated process and then made to mine some kind of coin.

    Thanked by: Eased
  • jar Patron Provider, Top Host, Veteran

    https://discord.gg/UyBEFG7

    If anyone is interested in an open investigation into the event I described above.

  • @cassa said:

    @Neoon said:
    https://forum.vestacp.com/viewtopic.php?f=25&p=71465#p71465

    "Security fix for API hash check"

    Sounds bad.

    welp

    And what that means is the former fix was never actually tested?