I got hacked and they told me it was VestaCP #1715
Comments
If I am not mistaken there was a version with a big breach some time ago (a couple of months). If even the hosting provider told you so, you should keep vestaCP up to date (like most software).

The problem is that I actually kept the latest version up-to-date 💯 %. I always do that!

Do you have a backup of the VPS? If there really is a breach in vestaCP it can't be found without this kind of information.
Security is a concern. The VestaCP roadmap document mentions that at the end of September 2018 there will be version 0.9.8-23. Any news? VestaCP should tell us of status, progress and milestones either on their website or on Git.

Everything seems to be falling apart. Unfortunately.

@ioannidesalex these types of months are always slow. Most people are on vacation, etc. I'm sure that the project isn't abandoned.

@MrGKanev Come on, it's October already :) At least a message saying "We are on it - check back in October".
First things first. @ioannidesalex everyone here has lives: serghey, dpeca, the rest of the admins, and also I, who, when I can, make commits to the main vesta repo. Everyone is trying to make this project come forward. For example, I've corrected some things; others need a review; and finally, others I cannot do. Make an issue if you have information that is relevant. By issuing a PR, or an issue, you are helping, IF etc...

Be patient. You guys have to be patient about the development. We are not paid; we, developers, do this in our free time. Is there really a bug in this version? If there is, please add an issue and in the title say something like this: [URGENT][BUG] - «small desc of the bug», because guessing games are hard.

So, if you want to help make this even greater, try to learn bash, PHP and the other languages that this panel uses, try to fix an issue, and when you can, send a PR referring to one of the admins, because it is hard to develop something like this.

Finally, that's why, wherever I can, I help the admins to develop some features or to correct bugs.
Many control panels have suffered from attacks. I myself remember a couple of cases when entire servers were breached due to a flaw in cPanel as well as Plesk, so Vesta is no exception. Those types of issues get patched quickly, but you have to be fast enough to update your servers. The most you can do is limit access to the panel (deny all, allow listed). If you can't use that approach, at least have fail2ban and check for updates frequently.
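The "deny all, allow listed" approach from the comment above, as an added example that is not part of this thread and not VestaCP's own code: a default-deny access check over an allow-list of IPs/CIDRs, plus the equivalent nginx and iptables rules it corresponds to. The allow-list addresses are constructed sample values, the panel port 8083 is VestaCP's usual default but is assumed here (check your own install), and the rendered nginx block only illustrates directive order, it is not a drop-in for the panel's real config file.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample allow-list: the addresses an operator actually manages the panel from.
ALLOWLIST = ["203.0.113.10", "198.51.100.0/24"]
PANEL_PORT = 8083  # assumed VestaCP default panel port


def parse_allowlist(entries: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Turn IP/CIDR strings into network objects.

    A malformed entry raises ValueError on purpose: a typo in the allow-list
    should fail loudly at configuration time, never silently widen access.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def panel_access_allowed(client_ip: str, allowlist: Iterable[str]) -> bool:
    """Default-deny decision: True only if client_ip lies inside a listed network.

    Anything unparsable (empty string, garbage from a spoofed header) is denied,
    so the check fails closed rather than open.
    """
    try:
        ip = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    return any(ip in net for net in parse_allowlist(allowlist))


def render_nginx_allowlist(allowlist: Iterable[str], port: int = PANEL_PORT) -> str:
    """Render an nginx server block with the same policy.

    nginx evaluates allow/deny directives in order, so every 'allow' must come
    before the final 'deny all'; this function guarantees that ordering.
    """
    lines = ["server {", f"    listen {port} ssl;"]
    for net in parse_allowlist(allowlist):
        lines.append(f"    allow {net.with_prefixlen};")
    lines.append("    deny all;")
    lines.append("}")
    return "\n".join(lines)


def render_iptables_rules(allowlist: Iterable[str], port: int = PANEL_PORT) -> List[str]:
    """Render the same policy as host firewall rules for the panel port.

    Accept rules for listed networks are emitted first, then an unconditional
    DROP for the port, so anything not listed never reaches the panel at all.
    """
    rules = [
        f"iptables -A INPUT -p tcp --dport {port} -s {net.with_prefixlen} -j ACCEPT"
        for net in parse_allowlist(allowlist)
    ]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for candidate in ["203.0.113.10", "198.51.100.77", "192.0.2.5", "not-an-ip"]:
        verdict = "allow" if panel_access_allowed(candidate, ALLOWLIST) else "deny"
        print(f"{candidate!r:>18} -> {verdict}")
    print(render_nginx_allowlist(ALLOWLIST))
    print("\n".join(render_iptables_rules(ALLOWLIST)))
```

The firewall rules are the stronger of the two layers, since they keep unlisted clients off the port before any panel code (including a vulnerable password-reset path) runs; the nginx block is a second layer for the case where the port must stay reachable.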
As per an analysis by a forum member on the official forums, the issue with hacked servers has to do with a "backdoored" installer that was served before, which uploaded the admin credentials to Vesta's server in base64. Look at these commits and judge for yourself:
I understand people have lives, but this team is responsible for the security of the package. To say "be patient" while servers are compromised is reckless at minimum, and the fact that the Vesta team added the commit to send our passwords to vestacp.com is, IMHO, criminal. This needs to be addressed NOW.

Apparently this is very serious. The team says their infrastructure servers were hacked. There is a reply from the team in the forum: https://forum.vestacp.com/viewtopic.php?f=10&t=17641&hilit=passwords+sent+to+vestacp&start=180#p73907

My god, this is serious. I'm changing the admin password on my handful of servers right now. I hope the best for the vesta team.

The update is live, more details available in the forum: https://forum.vestacp.com/viewtopic.php?f=10&t=17641&start=180#p73920 Apparently there was a flaw in the password reset mechanism. According to the post, calling back to vestacp.com after installation was also removed.

I have been hacked again recently. It seems he gained access to the user "admin", changed the password, deleted my backups and then asked for money for my backups. And I had 0.9.8-23! Thanks @serghey-rodin for the updates so far, but your software is making us total victims of Moroccan and Russian hackers 👎 . I think VestaCP is far from being safe on any system anymore. It is a total loss of time and resources.
Operating System (OS/VERSION): Ubuntu 16.04
VestaCP Version: Latest
I got hacked and support already asked me from the start if I had VestaCP installed. They put me in recovery mode and I did a quick backup. Now I have to redo my server from scratch. Their ticket answer was