Ubuntu 16.04
Latest
I got hacked and the support already asked me from the start if I had VestaCP installed. They put me on recovery mode I did a quick backup. Now I have to redo my server from scratch. Their ticket answer was
A reinstallation will be required to reactivate the server, then we suggest you to install latest vestacp version as the one you installed had a bug that was used to make attacks.
If I am not mistaking there was a version with a big breach some time ago (a couple of months). If even the hosting provider told you it, you should keep vestaCP up to date. (like most of the software)
The problem is that I actually kept the latest version up-to-date 馃挴 %. I always do that!
I keep my systems up-to-date more then I should since newer patchers can have 0Day Exploits. Netherless. I was using the latest 0.9.8-22
Do you have a backup of the VPS? If there really is a breach in vestaCP it can't be found without this kind of information.
Security is a concern.
VestaCP roadmap document mentions that end-of-Sept-2018 there will be Version 0.9.8-23.
Its 02-Oct-2018. There has been no updates.
Any news?
I can' t even register on VestaCp forum site.
VestaCP should tell us of status, progress and milestones either on their website or on Git.
Everything seems to be falling apart. Unfortunately.
@ioannidesalex these type of months are always slow. Most of the people are on vacation and etc. I'm sure that the project isn't abandoned.
@MrGKanev Come on, it's October already :)
At least a message saying "We are on it - check back in October".
@ioannidesalex everyone here got lives, serghey, dpeca, the rest of the admins, and also i that, when i can, make commits to the main vesta repo.
everyone is trying to make this project come foward, for example, i've corrected some things, others, need an review, and finally, others i cannot do.
by issuing an pr, or an issue, you are helping, IF
etc...~
you guys have to be patient, about the development. we are not paid, we, developers, make this on our free time.
if there is, please add an issue and in the title say something like this [URGENT][BUG] - 芦small desc of the bug禄 because guessing games are hard.
if you want to help to make this even greater, try to learn bash, php, and the other languages that this panel use, try to fix an issue, and when you can, send an PR referring one of the admins, cause it is hard to develop something like this.
If you cannot program or think that is boring, at least submit bugs to the issues with the necessary details for us, DEVELOPERS, can start correcting the problem.
That's why, wherever i can, i help the admins to develop some features, or to correct bugs.
this is an great panel, but it cannot be developed by it's own.
Many control panels have suffered from attacks. I myself remember couple cases when entire servers were breached due to flaw in cPanel as well as Plesk, so Vesta is no exception. Those type of issues get patched quickly, but you have to be fast enough to update your servers.
The most you can do is limit access to panel (deny all, allow listed). If can't use that approach, at least have fail2ban and check for updates frequently.
As per an analysis by a forum member on the official forums, the issue with hacked servers has to do with a "backdoored" installer that was served before that did upload the admin credentials to Vestas server in base64.
Look at these commits and judge by yourself:
Introduced here:
https://github.com/serghey-rodin/vesta/commit/a3f0fa1501d424477786e3e7150bb05c0b99518f
Omitted here:
https://github.com/serghey-rodin/vesta/commit/ee03eff016e03cb76fac7ae3a0f9d1ef0f8ee35b
This issue may also be persistent in other installer-files for other operatingsystems and this explains why servers got hacked with no evidence of actual applications being exploited.
Vesta team, we as a community would like an answer regarding your fuck-up and how the passwords were breached.
I understand people have lives, but this team is responsible for the security of the package. To say, be patient, while servers are comprised, is reckless at minimium, and the fact Vesta team added the commit to send our passwords to vestacp.com is, IMHO, criminal.
This needs to be addressed NOW.
Apparently this is very serious. Team says their infrastructure servers were hacked.
There is reply from the team in forum: https://forum.vestacp.com/viewtopic.php?f=10&t=17641&hilit=passwords+sent+to+vestacp&start=180#p73907
My god this is serious. I'm changing admin password on my handful servers right now. I hope the best for vesta team.
IMHO, open source projects benefit the best from community interaction on platform like github. May this incident pushs vesta team toward retiring vestacp.com server during installation process. Aparently github less likely to get compromised and the community can help spot issues earlier.
Update is live, more details available in forum: https://forum.vestacp.com/viewtopic.php?f=10&t=17641&start=180#p73920
Apparently there was a flaw in password reset mechanism. According to post, calling back to vestacp.com after installation was also removed.
I have been hacked recently again. Seems like he gained access to user "admin" , changed the password, deleted my backups and then asked money for my backups. And I had 0.9.8-23!
Thanks @serghey-rodin for the updates yet, your software is getting us total victims to Morocans and Russian hackers 馃憥 .
I think VestaCP is far from being safe on any system anymore. It is a total loss of time and resources.
Most helpful comment
first things first.
@ioannidesalex everyone here got lives, serghey, dpeca, the rest of the admins, and also i that, when i can, make commits to the main vesta repo.
everyone is trying to make this project come foward, for example, i've corrected some things, others, need an review, and finally, others i cannot do.
make a issue if you have information that is relevant.
by issuing an pr, or an issue, you are helping, IF
or you know who has it.
you have the details that cause the problem or you know who has it.
etc...~
be patient
you guys have to be patient, about the development. we are not paid, we, developers, make this on our free time.
is there really a bug on this version?
if there is, please add an issue and in the title say something like this [URGENT][BUG] - 芦small desc of the bug禄 because guessing games are hard.
So
if you want to help to make this even greater, try to learn bash, php, and the other languages that this panel use, try to fix an issue, and when you can, send an PR referring one of the admins, cause it is hard to develop something like this.
If you cannot program or think that is boring, at least submit bugs to the issues with the necessary details for us, DEVELOPERS, can start correcting the problem.
Finally
That's why, wherever i can, i help the admins to develop some features, or to correct bugs.
this is an great panel, but it cannot be developed by it's own.