[IMPORTANT] VestaCP Mass Hack

kosir

Member
Since yesterday I have been noticing some strange activity on one of my servers with VestaCP. The server load was so high I had to contact support for help.

As it turned out, my server had become part of a DDoS network. How, you might ask?

Well, read this https://forum.vestacp.com/viewtopic.php?f=10&t=16556 . It looks like their repo was hacked and all servers installed in the last X days/weeks/months (X is unknown) are part of this network.

IF YOU ARE USING VESTACP MAKE SURE YOU CHECK IF YOUR SERVER WAS ALSO COMPROMISED

More info on how to do so https://admin-ahead.com/forum/serve...ese-chicken-multiplatform-dos-botnets-trojan/
 
What pisses me off the most about this is that there is no official response from the VestaCP devs. They acknowledged that there was a huge security flaw, but gave no updates about it or about how to resolve it and clean compromised servers.

This is how brands lose trust, and I am seriously wondering whether VestaCP will see another install or recommendation from me.
 
Have they fixed the tech part properly?
 
At first their answer was "we don't really know what happened, but we checked everything and it's OK". Now they have changed it to "Just want to confirm that we have checked our infrastructure. It is secured and wasn't affected in any way. There were some problems with the deb repos because we did the initial push in a hurry. It is now fixed."

This is their official statement, but you have to dig through the forum to find it. My Vesta installs dropped to 1 from double digits and will soon be 0.
 
From the above links and some research, it seems it is an old DDoS virus from 2015 (or earlier?), and if you run ClamAV or rkhunter (and who does not), then it should be gone.
VestaCP seems a very snappy and scriptable CP, and a (security) problem comes around to almost any software from time to time ;)
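Added example, not part of the original thread and not VestaCP project code: a small POSIX shell triage script that runs the checks mentioned above (load, rkhunter, ClamAV) together with the generic host indicators a responder would look at on a box that has suddenly started DoSing. It assumes a Linux host with procps, iproute2 (`ss`) and either dpkg or rpm; rkhunter and clamscan are used only if installed. The scratch directories and cron locations it inspects are generic assumptions of mine, not indicators taken from the linked analyses.

```shell
#!/bin/sh
# Example triage script added to this thread (not from VestaCP or the posters).
# Assumptions: Linux, procps (ps), iproute2 (ss), dpkg or rpm; rkhunter/clamscan optional.
# Usage: sh vesta-triage.sh run

# Executable regular files in world-writable scratch directories, a common
# drop location for bots (generic assumption, not a malware-specific indicator).
list_scratch_execs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -xdev -type f -perm -u=x 2>/dev/null
    done
}

# Number of hits from list_scratch_execs, handy for alerting thresholds.
count_scratch_execs() {
    list_scratch_execs "$@" | wc -l | tr -d ' '
}

# Running processes whose on-disk binary has been deleted: the file was removed
# after launch, which legitimate daemons rarely do. Prints "pid path".
deleted_binaries() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            *"(deleted)") echo "${p#/proc/} $exe" ;;
        esac
    done
}

# Non-comment cron entries from the locations cron reads; bots often persist here.
cron_entries() {
    cat /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/* 2>/dev/null \
        | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# Package integrity: files whose checksum no longer matches the package
# manager's record (replaced binaries or libraries).
verify_packages() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -V 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -Va 2>/dev/null
    fi
}

# The scanners the thread mentions, run only when they are present.
run_scanners() {
    if command -v rkhunter >/dev/null 2>&1; then
        rkhunter --check --sk --rwo
    fi
    if command -v clamscan >/dev/null 2>&1; then
        clamscan -r -i /tmp /var/tmp /dev/shm /usr/local /etc
    fi
}

main() {
    echo "== load ==";               cat /proc/loadavg
    echo "== top CPU ==";            ps -eo pid,user,pcpu,etime,args --sort=-pcpu | head -n 10
    echo "== listening sockets =="; ss -tulpn 2>/dev/null || netstat -tulpn
    echo "== deleted binaries ==";  deleted_binaries
    echo "== scratch executables =="; list_scratch_execs /tmp /var/tmp /dev/shm
    echo "== cron ==";               cron_entries
    echo "== package verification =="; verify_packages
    echo "== scanners ==";           run_scanners
}

# Only run the full triage when explicitly asked, so the file can also be sourced.
case "${1:-}" in
    run) main ;;
esac
```

Anything in the "deleted binaries", "scratch executables" or "package verification" sections deserves a look before trusting the scanner verdicts; a clean rkhunter/ClamAV run does not prove a modified system binary is gone, and a host that was part of a botnet is safest rebuilt from a known-good image once the evidence has been collected.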
 
I agree with you, and I know mistakes do happen, but it's how you handle things when they do, and the VestaCP team failed to provide any info on why and how this happened. Their front page and social accounts should have a very visible notice, but actually it's 2 builds behind.
 
Yes, you are right. The team behind VestaCP was probably shocked and ashamed, and did not know how to handle it. They might need encouragement and help, since maybe monetisation is low and hence little time goes into the project (which is why it happened, i.e. a vicious circle).

PS: Really appreciate you pointing this whole thing out and making the thread! :)
 
I know there are a lot of MW users on Vesta (there is also a guide here), and it was a real shock for me when, in the middle of a kids' party, my (luckily) test server started acting up.

It was so overloaded that I was unable to keep my connection alive (on mobile) and was only able to see that the load was over 4.

This is when I turned to my hoster's support, and I have to say this again: CONTABO is the best provider that I know of. Apart from the downtime my server had due to ME turning it off, their support was nothing but helpful.

Just as a side note: this was my second infection (that I know of) ever since I got my first PC (a 286). The first one was Michelangelo :D
 