Comments
Just use Virtualmin
Strike 2!
It's likely that your servers auto-updated before people got to them. I assume it wasn't exploited pre-fix, but my honeypot saw some attempts once the patch went live.
IIRC ISPConfig has a backup/restore feature.
Luckily I stopped using Vesta after the last exploit in April, and now I'm using ISPConfig. So far, so good.
http://webuzo.com - their backup/restore feature works flawlessly!
They have a free version as well as a paid one. There isn't any backup/restore feature in the FREE version (http://webuzo.com/compare), but they have it in the paid version.
VPS monthly license is $2.5/mo http://webuzo.com/pricing
Pretty common for hosting-related software, unfortunately, paid and free. Absolutely no regression testing, nor even automated tests of security-critical code, and typically code that's structured such that these kinds of mistakes are stupidly easy to make.
This kind of issue could have been wholly prevented with proper development practices.
EDIT: To be clear, that does not mean that all issues could have been prevented. I'm just talking about this specific one.
https://cyberpanel.net/ FTW! And here is the LET thread.
Will check what has been suggested, thanks guys. Hopefully I can install only what's necessary. Another thing I like about VestaCP is that I can select which services to install (without mail and DNS, for example).
welp
Geez, I'm half tempted to do a bit of a penetration test on this app, almost sounds as bad as zPanel ;-)
It does, doesn't it? At least the maintainers don't seem to be arrogant twats, though, unlike with zPanel...
Why is everyone still hostage to this buggy panel?
Take your data and run to Virtualmin LEMP minimal (pass "--minimal --bundle LEMP" to the Virtualmin installer script).
ref: https://www.virtualmin.com/documentation/installation/automated#toc-lamp-vs-lemp-7YxCS8LI
It is open source. Maybe you contribute and get these issues fixed...
To my knowledge zPanel was renamed Sentora Panel, which has not been updated since 2015.
I was/am interested in doing some contribution to VestaCP. It is a promising panel. But there are a few things I never liked about it.
However, I've made commits to CyberPanel and it's even more promising. But more features may often mean more possible exploits.
"Just contribute a patch" is rarely the answer to issues like this. Like I mentioned above, in a reasonable development process this vulnerability should never have existed; this isn't an isolated incident, it's indicative of a process issue.
The problem with process issues is that you can't make PRs to fix them. Trying to contribute patches to issues will just result in perpetually chasing issues, because new ones are being created faster than you could possibly fix them.
In those situations, it's more useful to focus your attention on a project that doesn't have the process issues, rather than pouring endless amounts of time into an effectively doomed project. Know when to cut your losses and all that.
In a way. Sentora is technically a fork, I believe.
A quick browse of their forum reveals some dude with 110 servers hacked to mine coins.
lenk plox
English only please.
It's just his way of saying the end is nigh.
Yay
link please.
Thanks for the translation. I don't happen to speak tard.
No problem. I am a tard, so I immediately understood. He's just too shy to admit.
Yeah I might have a mild disclosure to make. I feel like I told everyone from the beginning that vestacp wasn't something I was sure would be safe long term, but that I'd continue to offer it if people wanted it. Choose your own adventure kind of game.
Luckily I take a few measures to monitor server activity externally, since you can never 100% trust local logs haven't been tampered with to hide malicious activity. Looks like I came out with no harm done but that could've been bad. Still a full disclosure after dotting the I's and crossing the T's is the right thing to do, even if no customer data had been accessed. I need to keep digging on that before I can make a fully informed disclosure.
Learn from me on this: I let people choose vestacp if they didn't mind the risk, if they trusted the panel. I only marketed it to people who knew damn well what it was. I posted walls of text above the order links telling people not to order it if they didn't know exactly what it was. Instead I got a bunch of people falling over themselves to order it who would actually complain when I take the panel down due to known vulnerabilities (some even did chargebacks). Sometimes people suck. I'm never doing it again.
Also, take this as confirmation that a server updated after the previous issue had been fixed, and that did not have the default roundcube installation accessible, has been compromised by a seemingly automated process and then made to mine some kind of coin.
https://discord.gg/UyBEFG7
If anyone is interested in an open investigation into the event I described above.
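The point made above about not trusting local logs (an attacker with root can edit or truncate them to hide a compromise) is usually handled by shipping log lines off-host as they are written and later checking the local file against the off-host record. The following is an added example, not code from the thread or from any panel mentioned in it: it hash-chains log entries with an HMAC so that each entry commits to everything before it, and compares a local copy against the MACs a hypothetical external collector recorded. The log lines, the forwarder key and the collector are all constructed for the demo.

```python
"""Hash-chained log entries checked against an off-host copy.

Added example (not from the original thread). Assumes a hypothetical
collector that stored the (seq, mac) pairs it received as the log was
written; that off-host record is the trust anchor, not the local file.
"""
import hashlib
import hmac

# Constructed sample auth-log lines for the demo (not from the thread).
SAMPLE_LINES = [
    "Oct 10 03:12:01 web1 sshd[2201]: Accepted publickey for deploy from 203.0.113.7",
    "Oct 10 03:15:44 web1 sudo: deploy : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx",
    "Oct 10 03:40:09 web1 sshd[2390]: Accepted password for root from 198.51.100.23",
    "Oct 10 03:41:30 web1 cron[2401]: (root) CMD (/tmp/.x/miner -o pool.example:3333)",
]

# Assumption: a per-host secret held by the log forwarder (constructed value).
FORWARDER_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = b"\x00" * 32  # fixed starting value for the first entry's chain input


def chain_log(lines, key, genesis=GENESIS):
    """Return [{seq, line, mac}] where each mac = HMAC(key, prev_mac || seq || line).

    Because every mac commits to the previous one, altering, deleting or
    reordering any earlier line changes every mac from that point onward.
    """
    entries, prev = [], genesis
    for seq, line in enumerate(lines):
        msg = prev + seq.to_bytes(8, "big") + line.encode("utf-8")
        mac = hmac.new(key, msg, hashlib.sha256).digest()
        entries.append({"seq": seq, "line": line, "mac": mac.hex()})
        prev = mac
    return entries


def verify_against_collector(local_lines, collector_macs, key, genesis=GENESIS):
    """Recompute the chain over the local file and compare it with the
    collector's record. Returns (ok, first_bad_seq); first_bad_seq is None
    when everything matches, otherwise the first sequence number that
    disagrees, or the local line count when the local file was truncated.
    Local lines beyond the collector's record are not flagged here: they may
    simply not have been forwarded yet.
    """
    local = chain_log(local_lines, key, genesis)
    for seq, mac in enumerate(collector_macs):
        if seq >= len(local) or not hmac.compare_digest(local[seq]["mac"], mac):
            return False, seq
    return True, None


def simulate_scenarios(lines=SAMPLE_LINES, key=FORWARDER_KEY):
    """Run the check over an intact copy and three constructed tamper cases.

    Returns a dict of scenario name -> (ok, first_bad_seq).
    """
    collector_macs = [e["mac"] for e in chain_log(lines, key)]  # what the collector stored
    edited = list(lines)
    edited[3] = "Oct 10 03:41:30 web1 cron[2401]: (root) CMD (/usr/bin/updatedb)"  # miner line rewritten
    deleted = lines[:2] + lines[3:]  # the root password login removed
    truncated = lines[:2]            # everything after the sudo line cut off
    return {
        "intact": verify_against_collector(lines, collector_macs, key),
        "edited_line": verify_against_collector(edited, collector_macs, key),
        "deleted_line": verify_against_collector(deleted, collector_macs, key),
        "truncated": verify_against_collector(truncated, collector_macs, key),
    }


if __name__ == "__main__":
    for name, (ok, bad) in simulate_scenarios().items():
        print(f"{name:13s} ok={ok} first_bad_seq={bad}")
```

The external copy is what makes this work: a root attacker on the host can rewrite the file and, if they also obtain the forwarder key, recompute a consistent local chain, but they cannot change the MACs the collector already received, so the comparison still pinpoints the first entry that was edited, removed or cut off. In practice the forwarder streams entries to the collector as they are written, and the collector rejects any submission whose MAC does not extend the chain it already holds.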
And what that means is the former fix was never actually tested?