HostVein
Take Heed! (( VestaCP )) - Printable Version

+- HostVein (https://www.hostvein.com)
+--- Thread: Take Heed! (( VestaCP )) (/showthread.php?tid=154)



Take Heed! (( VestaCP )) - Mun - 10-17-2018

Quote from Devs on forum:  https://forum.vestacp.com/viewtopic.php?f=10&t=17641&start=180#p73907

[Image: chrome_2018-10-17_14-35-49.png]


@Falzo made the initial discovery it seems. You can see it here: https://forum.vestacp.com/viewtopic.php?f=10&t=17641&start=160#p73881


[Image: chrome_2018-10-17_14-36-42.png]



Long story short, VestaCP's repository got hacked and was used as a relay for passwords being sent by an altered script during the install. Make sure to double check that you aren't on the list.

Also double check to make sure that `/usr/bin/dhcprenew` doesn't exist on your server. If it does, double check with `strings /usr/bin/dhcprenew`.

http://vestacp.com/test/?ip=127.0.0.1


RE: Take Heed! (( VestaCP )) - Mun - 10-17-2018

Patches have been released. 
https://github.com/serghey-rodin/vesta/commits/master

Vesta was using the admin password as the default password for MySQL and Postgres. This allowed an attack surface, as both services were open to the internet because the default firewall ruleset allows them through.
https://github.com/serghey-rodin/vesta/commit/1557f9bc8cbdb349a83bce96093b1717b36cf5cd

Another prevention method was added over hash comparison. 
https://github.com/serghey-rodin/vesta/commit/5f68c1b634abec2d5a4f83156bfd223d3a792f77

Another change is a prevention method of `sudo` abuse under the admin account. Now all sudo functions are limited to being run under `/usr/local/vesta/bin/`.
https://github.com/serghey-rodin/vesta/commit/d880b5b4254ed3d89303227d7de4a79e8e0579a7
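The two host checks the thread describes (the `/usr/bin/dhcprenew` indicator from the first post and the publicly exposed MySQL/Postgres listeners from the second) as one added example script; this is not code from the thread or from the Vesta project, and the `ss` output format and port numbers 3306/5432 are assumptions:

```shell
#!/bin/sh
# Added example, not part of the original thread.

# Check for the indicator named in the first post. Returns 0 when the path
# is absent and 1 when it exists, after printing what an admin would want
# to record (permissions, hash, printable strings) before deciding.
check_dhcprenew() {
    path="${1:-/usr/bin/dhcprenew}"
    if [ ! -e "$path" ]; then
        echo "OK: $path not present"
        return 0
    fi
    echo "WARNING: $path exists; inspect it before trusting this host"
    ls -l "$path"
    # A hash lets the file be compared against samples reported by others.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$path"; fi
    # Printable strings are what the post suggests looking at; show the
    # first lines only so the output stays readable.
    if command -v strings >/dev/null 2>&1; then strings "$path" | head -n 40; fi
    return 1
}

# Filter listener lines (as printed by `ss -ltn`) down to MySQL/Postgres
# sockets bound to something other than loopback. The second post explains
# these were reachable from the internet with the admin password by default.
# Usage: ss -ltn | exposed_db_listeners
exposed_db_listeners() {
    # Field 4 of ss output is "Local Address:Port"; assumed ports 3306/5432.
    awk '$4 ~ /:(3306|5432)$/ && $4 !~ /^(127\.|\[::1\])/'
}

# Stand-alone run against the live host (only when executed directly).
if [ "${RUN_CHECKS:-0}" = "1" ]; then
    check_dhcprenew
    echo "Database listeners not bound to loopback:"
    ss -ltn 2>/dev/null | exposed_db_listeners
fi
```

Run with `RUN_CHECKS=1 sh check.sh` to execute both checks against the current host; any line from the second check means the service should be firewalled or bound to loopback before the password change in the patch is relied on.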