Solution For DigitalOcean VestaCP Compromise Problem

Question

Since the recent vestacp breach, I’m guessing that a lot of virtual servers digitalocean wide had a big issue and as of now I checked again, vesta rolled back its releases for Ubuntu 12.04 and 14.04 and we need a good alternative for that. Also I’m a noob server wise so I would be glad rather than reading people ranting about DO or vesta, it would be pretty good to find a quick and efficient solution for the problem at hand. Thank you forwards…

Answer 1

ryanpq April 9, 2018

Right now it appears that this vulnerability is being exploited only against VestaCP servers using the default ports. Our support team has written this guide on how you can change the ports used. Other users have also reported that when they do not have clients needing to access VestaCP that restricting access to VestaCP to only their IP or only to connects tunneled over SSH also provides protection.

Reply Report

elstruck April 9, 2018

After we change port and clean server, can we get network access back to patch with -20 update? Or are we needing to rebuilt to new droplet? I’m trying new droplet now and looks like vesta repos are blocked, good precaution.
Reply Report
- ryanpq April 9, 2018
  
  That will depend.
  
  If your droplet was detected as already compromised and part of an attack you will most likely need to back up your files via SFTP (this can be enabled in our recovery environment by our support team) and deploy a clean droplet.
  
  If your droplet was blocked due to running a vulnerable VestaCP but no outgoing attack was detected your droplet can most likely be brought back online once the vulnerability has been addressed via port blocking or updating Vesta. We would strongly recommend taking a close look at your logs in this instance to be 100% sure your droplet was not compromised.
  
  Reply Report
  
  elstruck April 9, 2018
  
  Thanks Ryan. Yes port was blocked and I locked all directories that others were getting infected. I checked all logs and saw no signs of intrusion. I cannot update Vesta without network. Please let me know how to proceed.
  
  Ticket #1447709
  
  Reply Report
  
  blissrob April 9, 2018
  
  Ryan. I verified no compromise, and made sure all Vesta instances are updated and have port 8083 blocked. I submitted documentation for the cron and lib folders too. Support still hasn’t unblocked my servers and its costing me thousands.
  Can you help. Ticket# 1447360
  
  Reply Report
  
  RichJohn April 9, 2018
  
  Not sure how to proceed. Can’t install a patch without network access. Changed ports and blocked 8083. Ticket #1451230
  
  Reply Report
  
  jensa April 13, 2018
  
  Would be awesome if you could manage to alert the server owners when you start blocking traffic?
  
  I need to attend a client meeting on Monday to explain to them why all their MQTT services on port 8083 (the default port for MQTT over Websockets) stopped working.
  
  I’ll also try to tell them that DigitalOcean really is a good provider despite forgetting to tell that they block servers on pure random without checking if the compromised VestaCP is even installed… :-(
  
  Reply Report

Answer 2

elstruck April 9, 2018

After we change port and clean server, can we get network access back to patch with -20 update? Or are we needing to rebuilt to new droplet? I’m trying new droplet now and looks like vesta repos are blocked, good precaution.
Reply Report
- ryanpq April 9, 2018
  
  That will depend.
  
  If your droplet was detected as already compromised and part of an attack you will most likely need to back up your files via SFTP (this can be enabled in our recovery environment by our support team) and deploy a clean droplet.
  
  If your droplet was blocked due to running a vulnerable VestaCP but no outgoing attack was detected your droplet can most likely be brought back online once the vulnerability has been addressed via port blocking or updating Vesta. We would strongly recommend taking a close look at your logs in this instance to be 100% sure your droplet was not compromised.
  
  Reply Report
  
  elstruck April 9, 2018
  
  Thanks Ryan. Yes port was blocked and I locked all directories that others were getting infected. I checked all logs and saw no signs of intrusion. I cannot update Vesta without network. Please let me know how to proceed.
  
  Ticket #1447709
  
  Reply Report
  
  blissrob April 9, 2018
  
  Ryan. I verified no compromise, and made sure all Vesta instances are updated and have port 8083 blocked. I submitted documentation for the cron and lib folders too. Support still hasn’t unblocked my servers and its costing me thousands.
  Can you help. Ticket# 1447360
  
  Reply Report
  
  RichJohn April 9, 2018
  
  Not sure how to proceed. Can’t install a patch without network access. Changed ports and blocked 8083. Ticket #1451230
  
  Reply Report
  
  jensa April 13, 2018
  
  Would be awesome if you could manage to alert the server owners when you start blocking traffic?
  
  I need to attend a client meeting on Monday to explain to them why all their MQTT services on port 8083 (the default port for MQTT over Websockets) stopped working.
  
  I’ll also try to tell them that DigitalOcean really is a good provider despite forgetting to tell that they block servers on pure random without checking if the compromised VestaCP is even installed… :-(
  
  Reply Report

Answer 3

hamzatariq380 April 15, 2018

The security vulnerability just secured by all the sites i just switch to Centos Web Panel and this alternative is pretty good as compared to vesta.

Reply Report

Related

Question

Solution For DigitalOcean VestaCP Compromise Problem

Related

Leave a comment

Looking for something else?

Sign up for our newsletter

Related

Question

Solution For DigitalOcean VestaCP Compromise Problem

Related

Leave a comment

Related

question

Recovering Files from a Compromised Droplet

question

Problem to update php in vestacp

question

can i have plesk and serverpilot running in same droplet?

question

Online Console not working

Looking for something else?