
OVH Anti Hack - Can someone explain? (Possible VestaCP Infiltrated)


Comments

  • This is smart. However, there are people using this panel for customers, which I believe would be a big issue.

    @elixir said:
    Simple solution that's worked for me is

    (1) change SSH to a non-standard port

    (2) Disable or firewall the GUI.

    By default the GUI comes up on https://server:8083/

    You can login to https://server:8083/list/firewall/ and SUSPEND the rule for port 8083.

    If you need access to GUI this can still be accomplished by SSH forwarding/tunneling port 8083 and you'll be able to access the GUI at:
    https://localhost:8083/

  • jarjar Patron Provider, Top Host, Veteran

    ip route add blackhole 144.0.2.180

    Because why not lol. Not exactly security there but perhaps briefly annoys the attacker if they get in and have to troubleshoot actual OS issues :)

  • In that case, from your webserver forward https://serverXX.yourdomain.com/panel/ to http://localhost:8083/

    @Hxxx said:
    This is smart. However, there are people using this panel for customers, which I believe would be a big issue.

    @elixir said:
    Simple solution that's worked for me is

    (1) change SSH to a non-standard port

    (2) Disable or firewall the GUI.

    By default the GUI comes up on https://server:8083/

    You can login to https://server:8083/list/firewall/ and SUSPEND the rule for port 8083.

    If you need access to GUI this can still be accomplished by SSH forwarding/tunneling port 8083 and you'll be able to access the GUI at:
    https://localhost:8083/
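The hardening both posts above describe (firewall the panel port, reach the GUI only over an SSH tunnel), as an added shell example that is not code from the thread or from VestaCP. It assumes a Linux host with `ss` and iptables; the port values, the `admin@server.example` hostname and the sample `ss` output are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from VestaCP: audit whether the
# panel port (8083 by default) is listening on a public address, and print the
# firewall and SSH-tunnel commands that implement the advice above.
# Assumes Linux with `ss` and iptables; PANEL_PORT and SSH_PORT are assumed defaults.
PANEL_PORT="${PANEL_PORT:-8083}"
SSH_PORT="${SSH_PORT:-22}"

# Reads `ss -Hltn` output on stdin and prints the local address:port of every
# listener on PANEL_PORT bound to a wildcard address (0.0.0.0, *, ::, [::]).
# Anything printed is reachable from the Internet unless a firewall blocks it.
exposed_panel_listeners() {
    awk -v port="$PANEL_PORT" '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            p = parts[n]
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (p == port && (host == "0.0.0.0" || host == "*" || host == "::" || host == "[::]"))
                print addr
        }'
}

# Rules that keep the panel reachable only via loopback (where the SSH tunnel
# lands) and drop it from everywhere else. Printed, not applied: VestaCP's own
# firewall module rewrites iptables when it reloads, so the durable fix is to
# suspend the 8083 rule inside the panel as the post above describes.
panel_firewall_rules() {
    printf 'iptables -I INPUT -i lo -p tcp --dport %s -j ACCEPT\n' "$PANEL_PORT"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$PANEL_PORT"
}

# Local port forward; afterwards the GUI is at https://localhost:PANEL_PORT/
ssh_tunnel_command() {
    printf 'ssh -p %s -N -L %s:127.0.0.1:%s %s\n' "$SSH_PORT" "$PANEL_PORT" "$PANEL_PORT" "$1"
}

# Constructed sample of `ss -Hltn` output (not captured from a real server).
SAMPLE_SS='LISTEN 0 128 0.0.0.0:8083 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 [::]:8083 [::]:*
LISTEN 0 128 127.0.0.1:8083 0.0.0.0:*'

# On a real host replace the sample with:  ss -Hltn | exposed_panel_listeners
echo "Publicly exposed panel listeners:"
printf '%s\n' "$SAMPLE_SS" | exposed_panel_listeners
panel_firewall_rules
ssh_tunnel_command "admin@server.example"
```

A listener on `127.0.0.1:8083` is not reported because it is only reachable through the tunnel, which is the end state the posts above aim for.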

  • Nothing in that thread suggests VestaCP has an exploit. The attacker is coming in through SSH, from what was seen in a log file that was posted.

  • Just turning SSH off will have the same secure effect, no?

  • Securing it shouldn't be that hard -- with a cheap yearly box, he can set up OVPN/SSH tunneling and block all sites except his Vesta install while whitelisting the VPN IP.

  • So apparently VestaCP have been leaking credentials for the admin (sudo user) account to their server for the longest time and this is why servers got hacked. I guess this is why their team have been silent this long as they knew about this.

    More details can be found on the VestaCP forum in the post by @Falzo
    https://forum.vestacp.com/viewtopic.php?f=10&t=17641&start=160#p73881

  • @Prime404 said:
    So apparently VestaCP have been leaking credentials for the admin (sudo user) account to their server for the longest time and this is why servers got hacked. I guess this is why their team have been silent this long as they knew about this.

    More details can be found on the VestaCP forum in the post by @Falzo
    https://forum.vestacp.com/viewtopic.php?f=10&t=17641&start=160#p73881

    sorry for not responding here earlier, I've been really busy the last few days.

    I can't tell if that was done intentionally, because on older install scripts this part wasn't there and it isn't in the actual version now.

    maybe another compromise on the vesta servers and a malicious code insertion like with the roundcube hack before. dunno.

    yet I agree it's worrying that no one is admitting or responding to it properly, especially now that the code is gone again.

    I can even narrow down the possible timeframe. I have a server installed on July 22nd, where that additional code is not there, then one from 13th August where it is to be found. If you check today it is clean again.

  • @Falzo said:

    sorry for not responding here earlier, I've been really busy the last few days.

    I can't tell if that was done intentionally, because on older install scripts this part wasn't there and it isn't in the actual version now.

    Considering that the code is up that it posts requests to, I doubt that they got compromised and that this is intentional. Their servers may have gotten breached exposing the data that got collected, but it kind of makes me discourage people to use this software as it stands right now due to how they handle this all.
