Comments
True
Wait, wasn't the community giving a certain guy a bunch of shit over his claims that VESTACP IS GARBAGE AND BELONGS IN THE TRASH
TOLD YOU SO - TOLD YOU SO - TOLD YOU SO - TOLD YOU SO - TOLD YOU SO - TOLD YOU SO
I'd tell that guy to go and build something better and show it.
Just because there is a security exploit doesn't mean that the product is trash.
It seems like a forum member on the VestaCP forums may have discovered what's being used to exploit the servers..
https://forum.vestacp.com/viewtopic.php?f=10&t=16556&start=170#p68739
Is trash, you are better off using a better trash like cPanel.
My nodes are all clean thankfully. Vesta shut down for now
I like Plesk, actually a usable hosting panel. It's expensive though
Great, now I'm curious of what's in gcc.sh.
Confirmed by Vesta as far as I can tell. They say a patch is coming today.
Yes I gave that crowd a ton of shit. If I threw out everything imperfect I'd be naked in the corner of an empty room talking about how great I am, which those people are one logical step away from.
I think the Kloxo fans jumped headfirst into the VestaCP ship
Yeah, by studying the code.. it seems to be what's at fault here. Wouldn't surprise me if we see more of these attacks as some of the code for like the API seems to be very unsafe in certain ways.
I would recommend the providers issue security advisories, as this may have a huge impact. There are many people using VestaCP. This doesn't seem to start only DDoS but SPAM as well; anything actually would be possible since it runs as root, so you should definitely notify your clients, as this causes major issues to both parties. If someone here would be willing to pass me the details for a compromised VM so I can investigate this further and narrow down the root of the issue, I would appreciate it. From the comments I have been reading, this may be a vulnerability in the API. Roundcube should be excluded for now. I do not have any VestaCP servers as I no longer consider those secure enough. Their team had plenty of time to address this potential security issue. Looking at their changelogs I don't think they take it seriously. I know it's a FOSS project and I am thankful for contributing to the OpenSource community, although the project itself is no longer secure and their team's attitude towards this matter is ridiculous. It may actually cause more harm than good.
Look for which one has the most shameful exploits and avoid those slackers.
Yeah, if it's ever had a code vulnerability you should throw it out and never use it.
Challenge accepted or is that actually not a good idea? Might that leave you only running things you've coded and even then only until you make a mistake, at which point you curl up in the corner and never touch the internet again because everything is so unsafe?
As somebody who worked through Kloxo/NTP amplification attack related security issues in the past, which involved working non-stop for a few days: yes, opening up tickets to all your customers about issues like this makes you look really good to the customer.
I'm not saying start blasting your customers with every vulnerability notification on everything but ones that may impact your service/network from customers being vulnerable.
Encouraging your customers to be on Twitter/FB for alerts like this cuts down on email volume.
I should rephrase it to:
"I do not think the project was ever secure".
This brings memories from HyperVM / Kloxo.
@jarland please understand that what I mean relates to the developers' attitude towards this major flaw and the outdated VestaCP code.
How come?
Late 2013. I've had a pretty good run. Legacy customers knowing that I don't have as much confidence in long term security as cPanel, but it's still a pretty damn good run. In that time there has been a total of 2 concerns.
Prior to that whmcs had repeat concerns within a 1-2 year time frame and we're all still using it.
Just saying the whole "well this had a vulnerability, let's all move to the next one that hasn't yet" isn't a healthy attitude. I'd rather be with the dev who learned from a mistake than the one who hasn't yet. Wait until centoswebpanel gets popular enough... No one who codes flawlessly includes an "install teamspeak" button.
Furthermore, I read above someone comparing Webmin to VestaCP in terms of security flaws. There is no comparison. Webmin is surely used by many millions of people, so it's obvious they are more often a target. This time it happened to be VestaCP. And gosh, if that really correlates to the API running as root then... Definitely start using something else.
Each to their own.
Definitely agree with you. What I mean is that VestaCP seems to have stalled and it doesn't look like someone else will review the code and contribute to it. As such the project won't evolve/get better.
Let's not compare VestaCP to WHMCS or cPanel. They have dedicated teams that would act in mere minutes.
Around 7 GBs of data was transmitted from the server, not sure if it was spam or ddos, but I wiped it otherwise I would have shared for inspection @MikePT
Just out of curiosity, do folks typically/mainly use VestaCP only on Dedi's or is it also pretty commonly used on a VPS?
Interesting. Too large for SMTP activity in such short time. Did you check your IP in RBLs?
Seems to be used mostly on VPS.
Yes I did, it's clean.
Thanks. Even though it's not really instant, it may have been DDoSing. But 7GB is damn low. Anyway, the best thing for now is to disable VestaCP as per @Haramble's post and wait for news from their devs.
As far as I know that's the cause here, as there is no other logical explanation for how a process would get elevated rights otherwise. As far as I know, basically the entire API and all commands in the background run as the user "admin", which has sudo rights and thus root permissions on the system.
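The post above describes the risk of a panel user holding unrestricted passwordless sudo. As an added defender-side example (not code from VestaCP or from anyone in this thread), the script below audits sudoers-style text for such grants so an operator can see which accounts effectively have root; the sudoers content is constructed for the example and the account name "admin" is taken from the post, not from any real configuration.

```python
import re

# Constructed sample in /etc/sudoers syntax; not taken from any real system.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
%wheel  ALL=(ALL) ALL
admin   ALL=(ALL) NOPASSWD: ALL
backup  ALL=(ALL) NOPASSWD: /usr/bin/rsync
Defaults env_reset
"""

# Matches "<user_or_%group> <hosts>=(<runas>) [NOPASSWD:] <commands>"
_SPEC = re.compile(
    r"^(?P<who>%?[A-Za-z0-9_.\-]+)\s+\S+=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return a list of dicts describing each user/group specification.

    Comments, blank lines and Defaults lines are skipped. Line continuations
    and #include directives are not handled; this is an audit helper, not a
    full sudoers parser.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = _SPEC.match(line)
        if not m:
            continue
        tags = {t.strip(": ") for t in m.group("tags").split(":") if t.strip()}
        entries.append({
            "who": m.group("who"),
            "runas": m.group("runas"),
            "nopasswd": "NOPASSWD" in tags,
            "cmds": m.group("cmds").strip(),
        })
    return entries


def passwordless_root(text):
    """Names of users/groups that can run ANY command as root with no password.

    These are the grants that turn a compromise of that account (for example a
    panel service account) into an unauthenticated root compromise.
    """
    flagged = []
    for e in parse_sudoers(text):
        runs_as_root = e["runas"] in ("ALL", "ALL:ALL", "root")
        if e["nopasswd"] and e["cmds"] == "ALL" and runs_as_root:
            flagged.append(e["who"])
    return flagged


if __name__ == "__main__":
    for who in passwordless_root(SAMPLE_SUDOERS):
        print(f"WARNING: {who} has passwordless root via sudo")
```

Only `admin` is reported: `backup` is also NOPASSWD but limited to a single command, and `%wheel` still requires a password. The restriction check is deliberately narrow so it highlights the unrestricted grants first.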
Gonna have to disagree:
https://github.com/serghey-rodin/vesta/commits/master
Yep. Hence why I mentioned that I don't think it was even secure to start with. That makes no sense. Also it seems that it won't sanitize properly, from some posts I read in their forums.
The main developer said they found an issue and will be issuing an update today. I would recommend giving it some time. An issue isn't exactly THE ISSUE.
The API should be disabled until it's rewritten as well, IMHO.
A "FIX" is relative. The issue here is reviewing the code properly and securing it. The API is the biggest concern I have seen in VestaCP. I think you agree with that, no? API = full access to your server, and no proper sanitization/validation there.
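The point made in this post is that an API which hands caller-supplied values to privileged commands without validation gives the caller the commands' privileges. The following is an added illustration, not VestaCP code and not the exploit discussed in the thread: a generic handler that validates a username against an allowlist pattern and passes it to a privileged helper as a separate argv element instead of building a shell string. The helper name `v-example-cmd` and the API field name are assumptions for the example.

```python
import re
import shlex

# Allowlist for the account-name parameter: POSIX-style user names only.
# Anything outside this set (spaces, quotes, ';', '$', '|', '&', newlines)
# is rejected before it reaches any privileged command.
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Hypothetical privileged helper invoked by the API; not a real VestaCP binary.
HELPER = "/usr/local/bin/v-example-cmd"


class ValidationError(ValueError):
    """Raised when an API parameter fails the allowlist check."""


def validate_username(value):
    """Return the value unchanged if it is a safe user name, else raise."""
    if not isinstance(value, str) or not USERNAME_RE.match(value):
        raise ValidationError(f"rejected user name: {value!r}")
    return value


def build_argv(username):
    """Build the argv list for the helper.

    The list form never passes through a shell, so the user name is one
    argument no matter what characters it contains. Validation is still
    applied first so the helper itself only ever sees well-formed names.
    """
    return [HELPER, "--user", validate_username(username)]


def unsafe_command_string(username):
    """The pattern to avoid: interpolating untrusted input into a shell line.

    Kept here only to show why the argv form above is preferable; it is never
    executed in this example.
    """
    return f"{HELPER} --user {username}"


def handle_request(params):
    """Minimal API handler: validates input and returns the argv it would run.

    Returns (ok, payload): on success payload is the argv list; on failure it
    is an error message suitable for logging (the rejected value is quoted).
    """
    try:
        argv = build_argv(params.get("user", ""))
    except ValidationError as exc:
        return False, str(exc)
    return True, argv


if __name__ == "__main__":
    # Constructed requests: one well-formed, one carrying shell metacharacters.
    for req in ({"user": "alice"}, {"user": "alice;echo"}):
        ok, payload = handle_request(req)
        print("ACCEPT" if ok else "REJECT", shlex.join(payload) if ok else payload)
```

The two protections are independent: the argv form stops shell interpretation, and the allowlist stops malformed names from reaching whatever the helper does next (file paths, config entries, database rows). A panel that runs its helpers as root needs both.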