After updating server via SSH how to change VestaCP port and add firewall rules

I run a web host that uses VestaCP as a backbone API for managing resources only, but everything has been patched and wanted to share a script to update your VestaCP port from 8083 to 5600. But only do this AFTER update and patch. It will create the firewall rule on VestaCP also.

curl http://www.nodehost.ca/scripts/sh/vestacp_changeport.sh > vestacp_changeport.sh && bash vestacp_changeport.sh

Feel free to download and see what the file actually does, and if you want to upload a file and run local here is the script in the file.

echo "NodeHost Custom VESTACP Script"

echo "JOB: Changing VESTACP port"
string="listen          8083;"
stringnew="listen          5600;"
grep "$stringnew" /usr/local/vesta/nginx/conf/nginx.conf || sed -i "s/$string/$stringnew/g" /usr/local/vesta/nginx/conf/nginx.conf
echo "JOB: Complete"

echo "JOB: Changing VESTACP firewall rule for new port"
v-add-firewall-rule ACCEPT 0.0.0.0/0 5600 TCP
echo "JOB: Complete"

echo "JOB: Restarting VESTACP"
service vesta restart
echo "JOB: Complete"

echo "JOB: Port has been changed to 5600 from 8083"

I hope this helps.

I find some of the comments here appalling. I had problems with the network on my servers almost a day and then I found out the result was that a bunch of other people on the network had chosen to install this vestacp thing that was vulnerable and caused their servers to attack the network. Digital ocean shut them down as they should have, only for them to come here and talk trash and act like digital ocean is responsible for their own stupid choices.

thanks digital ocean. don’t listen to the haters.

Hi DO

Please, please… can we have a reply to our ticket, it’s nearly been 24 hours and still not one response!?

Ticket #1443819

Thank you.

Hello good day to all, really it is a very serious problem that is happening right now, many fallen sites, and many people losing traffic.

I had several fallen sites, and solved it in the following way:

1.- Make a backup of the database of each of the websites:

• mysqldump -u userdb -p dbname - p dbname > namefilebackup.sql

2.- Install Vesta on a Centos server (create a new droplet with Centos7)

3.- Change the port of vesta, it could be to 2083.

• cd /usr/local/vesta/nginx/conf/ && nano nginx.conf
• change “listen 8083;” to “listen 2083;”
• service vesta restart

4.- Update the rules of the firewall in vesta via console:

• v-change-firewall-rule Accept 0.0.0.0/0 2083 TCP

5.- copy the files from the previous server to the current server:
rsync -avzhie “ssh -p 22” root@IP.DEL.SERVER.OFTERIOR: /mnt/home/admin/backup.tar.gz/home/admin/backups-new-server/

6.- Restore all files.

If you have any questions with the steps above, let me know, I will be very happy to help you… :) a big hug and successes!

Hola buen día a todos, realmente es un problema muy grave el que está pasando ahora mismo, muchos sitos caidos, y muchas personas perdiendo tráfico.

Yo tuve varios sitios caidos, y lo solucioné de la siguiente manera:

1.- Hacer un backup de la base de datos de cada uno de los sitios web:

• mysqldump -u usuariodb -p nombrebd - p nombre_bd > archivo.sql

2.- Instalar Vesta en un servidor Centos (para ello cree una nueva gotita con Centos7)

3.- Cambiar el puerto de vesta, podría ser al 2083.

• cd /usr/local/vesta/nginx/conf/ && nano nginx.conf
• cambiar “ listen 8083; ” por “ listen 2083; ”
• service vesta restart

4.- Actualizar las reglas del firewall en vesta via consola:

• v-change-firewall-rule Accept 0.0.0.0/0 2083 TCP

5.- copiar los archivos desde el servidor anterior al servidor actual:
rsync -avzhie “ssh -p 22” root@IP.DEL.SERVER.ANTERIOR:/mnt/home/admin/backup.tar.gz /home/admin/backups-new-server/

6.- Restaurar todos los archivos.

Si tienes alguna duda con los pasos anteriores, avísame, estaré muy contento de ayudarte… :) un fuerte abrazo y éxitos!

Ok, Below is my case

My Server ports were closed, but i was able to login and use SSH.
So i updated vesta cp and changed ports.
Also activated firewall from digital ocean account.
Checked for Cron jobs didn’t find anything. Found Nothing
Checked /etc/passwd file, make all changes of shell access(Only checked because everything was already in place).
Also monitored
ls /etc/cron.hourly/
ls /lib/
ls /etc/rc.*
ls /etc/systemd/*
Didn’t find anything.

Server is working fine for now but one question is left.
Are these steps are enough?

This is simply unacceptable. I understand you have to make sure everyone’s Droplets are safe however I had changed the default port and made sure users require a login via .htaccess BEFORE ever reaching the login page of VestaCP. I was safe, however you shutdown my droplet TWO DAYS IN A ROW. This has made me lose $125 while the droplets were offline so far. You guys need to understand that I use VestaCP because I do not need cPanel, and I can’t put my droplet back online until you guys allow VestaCP again meaning this could be upwards of 1-4 Weeks! I’ll be losing money and having to pay refunds to over 10,000 people due to this. I am putting my droplet back online right now and if you take it down you will be getting an email to your legal department. Thank you.

“Additionally, we have disabled networking on all Droplets suspected of running this software in an attempt to avoid a potential compromise or to prevent abusive traffic from being sent from these Droplets”

“How can I check if my Droplet was compromised? Check all cron jobs on your machine for malicious activity. ”

How can I do that with networking blocked? I have a root login disabled with ssh key access only!

Please check the support ticket. Need to get reply asap.

Only one of my 4 droplets is down for this problem, i want restore online, how have to do? I don’t have time, my customer in impatient.

Taking down droplets that have not been compromised but which are running VestaCP is an absurd over-reaction on DigitalOcean’s part. Is DigitalOcean allowed under the Terms of Service to disable networking when a Droplet is not compromised?

We just need to make backup of database! How to do it ASAP!!

Reply to my ticket (Ticket #1446190 )

Hi there, how can i enable networking for my droplet ? even if i want to change vestacp to another software i need to access my droplet.
I have no any ability to show my users any message :/
I scan my droplets(as you write ) and there was no any vulnerability.
I also open ticket but still no answer .

Hello, can you please turn networking back on for my droplet. VestaCP has launched an update I want to install that should patch this vulnerability for unaffected servers like mine. I also put in a droplet firewall to block all non acceptable ports. I have also checked all the cron folders and crontab nothing matched the vulnerabilities and that other lib file doesn’t exist. I’ve had a Ticket for several hours yet no response as of yet(#1446345). I spun up a new droplet as per instructions but had no way of accessing the backups since networking was taken down. I then shutdown my droplet to copy my backups and then I’m now trying to get my droplet back to running(It is stuck in recovery mode). I also am not happy to have to pay for not only these outages but the time wasted with the extra droplet I spun up without any way to setup a new instance due to no backups(I’m turning on Digital Ocean Droplet backups going forward). I also would like to get my site back online promptly. Thank You. I need to know whether you can help me quickly or whether I need to rebuild my server and wait for DNS to propagate.

I’m going to create a new drop, can I do this with vestacp?
Correction pacode is already available.

Hello.

I’m part of a team and one Droplet is currently offline despite NOT being compromised and already PATCHED.

I opened a ticket (1446281) HOURS ago and it has no replies.

Related to this, I have two droplets, I have disabled VestaCP and I’m waiting on you to restart the affected droplets with networking and the previous kernel.

Ticket #1446891

If you’re wondering how to disable VestaCP, install the rcconf and scroll down until you find vesta and disable it.

apt install rcconf -y
rcconf # opens a cli app

Check for any suspicious cron files

including the ones stored in /etc/crontab
and by listing the root jobs crontab -l root

Hi there,

I have check and gone through all the necessary steps and can rest assured it is not compromise. There is no such file gcc.sh was found in /etc/cron.hourly/gcc.sh and no such file libudev.so in /lib/ path.

I have taken measure to change the vestacp login port from 8083 to 56000.

All the above mention can check in my support ticket as there are screenshot proof for it.

For the moment i have stop the vesta service until it is patch and secure but i could not do so as there is no internet to from the droplet.

There is already a patch release which can be found here:

[https://lowendtalk.com/discussion/141728/vestacp-possibly-hit-with-zeroday-exploit-patch-released](http://)

but i could not do so as mention no internet connection from the droplet.

Please reply to my ticket [Ticket #1446648] as soon as possible.

Thank You

You guys mentioned that TCP/8083 got blocked for the SFO2 region.

Today I was unable to login to Vesta CP through port 8083 and my droplet is in SF01. Did you guys also block 8083 for SF01 region? Today I did apt-get update and I noticed that there was an update for Vesta CP, so I want to know if the Control Panel stopped being accessible to me due to the update or because you guys blocked port 8083 for SF01 droplets. Thank you!

Hi there

Can you help me to turn networking back on for my droplet to take action and fix this problem?

Ticket #1447067

Hi Can you please take a look at 1446838

Still waiting for response 1446685 it’s been 6 hours since my server had vestacp stoped, antivirus verified, ports and firewall changed and email responded.

My ticket #1447361
The temporal solution is turn off the vesta service (sudo service vesta stop)
My droplet was not compromised.
Please, turn networking back on my droplet.

Ticket #1447097
I had already set up my vestacp so only I could access it. I verified that my droplet was not compromised and fired off a ticket. My vesta cp port was also changed. No response as of yet. Please, turn networking back on my droplet.

Till what time 8083 port will be blocked?? This is weird way of resolving issues by blocking a specific port across all infrastructure.

There can be other applications which are running on 8083 port and you guys made them stopped.

1445131

I have like 7 droplets and like 30-40-something websites running under vestacp on all droplets! only 1 droplet so far has been shut-off that was hosting 2 websites.

Are you guys telling me that you are going to shut-off those 30-40 websites sooner or later???? This is a total painnnnnnn in the ash if my option is migrating for immediate traffic recovery! Do you have a fix for this??????

Hi guys,

In this night, suddenly, my websites goes down, but my droplet don’t. So I entered in the server via SSH in my console and then show me that:

“DigitalOcean Recovery Environment 17.04.1”

So I enter here and see this huge problem with VestaCP, and my server is running in VestaCP, so I think that is the problem, but I don’t know what to do.

I just use VestaCP to manage all sites and databases in one place, i dont use than to log in the control panel. ALL my web pages are offline and I need to going back all immediatly.

Please take a look at Ticket #1446953

Hey Guys!

I followed instructions to checking and deleting the vulnerable files. I have also disabled vesta service. Vesta team has also released the security patch. I can’t install the patch without the internet connection.

You guys please activate networking so that I can install the patch. And I am saying it again that I have disabled the vesta service. I also have changed the default vesta port from 8083 to something else. Please do it otherwise it’s a loss every day like everyone else.

https://forum.vestacp.com/viewtopic.php?f=25&t=16575

The ticket I have raised - #1447354

Hey there!
Please!!!

1447790

vestacp release a patch, but i can’t apply with no connection…

HELP PLEASE!

Hello DO team,

I use vestacp and my droplet seems like got compromised.
I have checked there are gcc.sh and livudev.so.
Anybody here can pointed me out how to clean this step by step?
There is a huge long thread on vestacp forum that make difficulty to summarized a simple step by step to handle this situation.
I try to clone the droplet and immediately got another take down.
My ticket number:
first droplet : #1444597
second droplet: #1446615

Thanks in advance.

My droplet was taken down for this issue. Now I wasn’t able to access my files to do necessary backups in order to move to another droplet. I can’t SSH and I can’t use the web console either (no access to existing files). How do I move my existing files.

How do I back up and move my existing files to a new droplet?

Please help with tieckt #1447622 ASAP!

Thanks!

I have received an email from DigitalOcean saying “Because your Droplet may have been compromised, you’ll need to back up your data and transfer it to a new Droplet. We have a recovery tool to assist you…”

I have two questions regarding this:

1) Where to find and how to use the recovery tool mentioned in the email?

2) The email suggests I move my files to a new droplet. But do I need to install VestaCP first on the new droplet and I should start with a blank droplet?

Thanks!

VestaCP: The fix has been released just now!

You can check here: https://forum.vestacp.com/viewtopic.php?f=10&t=16556&start=260#p68893

I have already changed the default port. Now my droplet needs connectivity on the network. Please see my ticket #1444662. Thank you.

Hi,
how can I download files (eg. data base dump) from my server to my PC (Windows 7) using DO console (can’t use FTP clients and PuTTy because you blocked them)?

Please review Ticket #1447360

Like many others, this VestaCP complete network block is impacting many many live users.

Many of my servers have only recovery console available via direct console. This is an issue.

Also, I only use secure SSH (alternate port with key) to access my servers and have no known root password. So for others that do not have recovery console, I cannot access either.

This is 100% downtime on all my droplets.
I can run script to resolve issue across all droplets quickly if networking is reenabled.

Please review Ticket #1447360

Hey,

About 10 hours i am waiting reply about my ticket: #1443782

Please help

8 hours wait here. Droplet checked. No infection. Admin port changed. Htauth set up for admin site. But no way to apply patch without network. Please re-connect me.

1447615

Also unsure why this server was singled out. We’re running 4 vesta servers. None infected. Only this one disabled. Other three patched within minutes. This one … still unable to patch.

Please Helpme Ticket #1449452

Hi, due to time difference (I’m in GMT-3) I see this email monday morning when my customers started yelling me because they can’t use their emails and websites. I don’t need vesta control panel by now, just email and webservers.
I don’t receive answer on my ticket.
Ticket #1449553

Thanks.

Please review Ticket #1447360
I need access to my droplets in order to access data and update.
@ryanpq- Can you help?
@etel- Maybe you too? We need an inside advocate on this.
@jarland

I need help with Ticket #1449474. Please, answer me.

@ryanpq - Are you able to help with this. You’ve always been very helpful to me and others in the past. We have thousands of users impacted and need an advocate.

Please, check mine: #1446775

Please check ticket number 1448697. The response time is awful.

Please check ticket 1443289. Requesting the Recovery Environment

Four of my droplets are reboot and all files deleted, please, attend my ticket #1450226

Help

Please check my ticket [Ticket #1446734]

You systematically removed servers from the network without knowing the root of the issue. VestaCP its self was not the entire issue. Certain programs selected and installed along with Vesta were. You didn’t check if servers were running these programs you just removed paying customers from your network without notice.

We were not compromised and you caused damage. You are still restricting access over an issue that does not affect us.

You will not reply to tickets asking if you plan on removing servers in other locations for the same reasoning.

You have not provided proof that such power was granted in the tos before this event.

Hello.
I checking and deleting the vulnerable files and disabled vesta servise.
Please, turn networking back on my droplets.
My tickets:
1443988
1444356
1443758
1445561
1444295
1445503
1443986
1445408
1444179
1445568
1444180
1444228
1444550
1443958
1444881
1438893
1444417

Hi everyone with this problem TEMP SOLUTION

Change the port by following: Change Port

Then you can access on the new port with no issues (also make sure you update to 0.9.8-20 before changing the port), you can do that with:

Check current version:
v-list-sys-vesta-updates
If not, 0.9.8-20 then run the following from CLI:
v-update-sys-vesta-all
That has the patch for the attack that was launched on Saturday 7th April that caused ports 8083 to be blocked in the first place.

Please answer my ticket #1446734

I need help reactivating my server

Ticket #1447558

guys, one of my expert guy fixed this..

you can contact him to do so..

https://www.fiverr.com/sudolinux

Please answer my ticket #1444482

Since VestaCP release a patch and some of us already applied it. any idea when you will open ports? Or changing port in Vesta is only option we have for now?

Please check ticket #1448499, false disconnect, server was not compromised.

Please answer my ticket #1456045

You just block my panel without any reson by your suspitions?
Guys in DO are you crazy ????
I’ll better switch hosting…

Hi, I disabled VestaCP on my servers. Can I be sure that the servers will continue to work and will not be disabled by you?

Hi,

Please follow the 4 steps below

Firstly list firewall -> v-list-firewall
Change VestaAdmin port -> v-change-firewall-rule 2 ACCEPT 0.0.0.0/0 8888 TCP VestaAdmin
Edit conf file 8083 to 8888 -> sudo nano/usr/local/vesta/nginx/conf/nginx.conf
Restart vesta -> /etc/init.d/vesta restart

hi, please check my ticket. #1447504

Ticket #1444863 continues to go without resolution for three days now.

We have never used VestaCP though we depend specifically on port 8083 being available and open – as believed would be the case when choosing Digital Ocean over a year ago.

It is unbelievable that Digital Ocean has marked the overall incident as “resolved” while paying customers are still experiencing significant downtime as a result…

We are on the same boat. Even today they closed the ticket #1445131 without opening 8083 port. Weird way to resolving things by blocking a port globally.

Moved to Linode, panel and site works excellent, no need to begging weird support to unblock something.
PS. I used DO since 2015 but, no more.

Hi, my droplet was affected by the VestaCP vulnerability. I host several sites on this droplet. I requested to boot it in the recovery tool to download data from it. I did it immediately and completely rebuilt the droplet with a new Debian image. I requested to boot the droplet back to it’s disk, but I get no answer…
So now it is almost 5 days since my droplet is offline and DigitalOcean do not answer on tickets.
I need the same IP address, because many domains are redirected to this IP, which I can not change. So rebuilding the droplet is the only option for me.

I am using DigitalOcean for more than 4 years now, but this failure of support is shocking. Please respond something on my ticket: #1448429

Hello.
I checking and deleting the vulnerable files and disabled vesta servise.
Please, turn networking back on my droplets.
My tickets:
1461992
1455447
1462500
1462122
1461845
1461882
1462015
1445568
1462125
1456021
1462120
1462123
1456046

Hello,
please check my ticket :)

==> Ticket #1474222

Access the VPS via the emergency console.

scan your VPS

clamscan -r -i /

I found the trojan here

/lib/libudev.so: Unix.Trojan.DDoS_XOR-1 FOUND

I successfully removed the trojan using the instructions on https://admin-ahead.com/forum/server-security-hardening/unix-trojan-ddos_xor-1-chinese-chicken-multiplatform-dos-botnets-trojan/

reboot your vps

scan your VPS again

clamscan -r -i /

and make sure the cron job has been removed

 ls -la /etc/cron.hourly/

Now that the trojan has been removed. You can request to remove the ban on your VPS network.

How we can send you full details about what exactly happend to VestaCP?
We think there are STILL vulnerable servers on digitalocean, because hole was not at vestacp service.
We found where is it.