Comments
This is smart. However, there are people using this panel for customers, which I believe would be a big issue.
Because why not lol. Not exactly security there but perhaps briefly annoys the attacker if they get in and have to troubleshoot actual OS issues
In that case, from your webserver forward https://serverXX.yourdomain.com/panel/ to http://localhost:8083/
Nothing in that thread suggests VestaCP has an exploit. The attacker is coming in through SSH from what was seen in a log file that was posted.
Just turning SSH off will have the same secure effect, no?
Securing it shouldn't be that hard -- with a cheap yearly box, he can set up OVPN/SSH tunneling and block all sites except his Vesta install while whitelisting the VPN IP.
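An added example (not from this thread or the VestaCP project) of the two suggestions above combined: nginx on the web server forwards /panel/ to the panel on localhost:8083 and only admits clients coming from the VPN. The certificate paths and the VPN range 10.8.0.0/24 are placeholders to be replaced with your own.

```nginx
# Added example, not part of the original thread.
# Assumes the panel listens on 127.0.0.1:8083 only and the VPN hands out
# addresses from 10.8.0.0/24 (placeholder range; substitute your own).
server {
    listen 443 ssl;
    server_name serverXX.yourdomain.com;

    ssl_certificate     /etc/ssl/certs/serverXX.crt;    # assumed path
    ssl_certificate_key /etc/ssl/private/serverXX.key;  # assumed path

    location /panel/ {
        # Only VPN clients reach the panel; everyone else gets 403.
        allow 10.8.0.0/24;
        deny  all;

        # /panel/... is rewritten to /... on the backend because
        # proxy_pass carries a trailing slash.
        proxy_pass http://127.0.0.1:8083/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Pair this with a firewall rule that drops outside traffic to port 8083 so the proxy is the only route to the panel, and check the panel's own links still work when it is served under /panel/ rather than at the root.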
So apparently VestaCP have been leaking credentials for the admin (sudo user) account to their server for the longest time and this is why servers got hacked. I guess this is why their team have been silent this long as they knew about this.
More details can be found on the VestaCP forum in the post by @Falzo
https://forum.vestacp.com/viewtopic.php?f=10&t=17641&start=160#p73881
sorry for not responding here earlier, I've been really busy the last few days.
I can't tell if that was done intentionally, because on older install scripts this part wasn't there and it isn't in the actual version now.
maybe another compromise on the vesta servers and a malicious code insertion like with the roundcube hack before. dunno.
yet I agree it's worrying that no one is admitting or responding to it properly, especially now that the code is gone again.
I can even narrow down the possible timeframe. I have a server installed on July 22nd, where that additional code is not there, then one from 13th August where it is to be found. If you check today it is clean again.
Considering that the code is up that it posts requests to, I doubt that they got compromised and that this is intentional. Their servers may have gotten breached exposing the data that got collected, but it kind of makes me discourage people to use this software as it stands right now due to how they handle this all.