Solution For DigitalOcean VestaCP Compromise Problem

April 9, 2018 1.9k views
Control Panels Ubuntu

Since the recent VestaCP breach, I'm guessing that a lot of virtual servers DigitalOcean-wide had a big issue. As of now, I checked again and Vesta rolled back its releases for Ubuntu 12.04 and 14.04, so we need a good alternative for that. Also, I'm a noob server-wise, so rather than reading people ranting about DO or Vesta, I would be glad to find a quick and efficient solution for the problem at hand. Thanks in advance...

2 Answers

Right now it appears that this vulnerability is being exploited only against VestaCP servers using the default ports. Our support team has written this guide on how you can change the ports used. Other users have also reported that when they do not have clients needing to access VestaCP, restricting access to VestaCP to only their own IP, or only to connections tunneled over SSH, also provides protection.

  • After we change the port and clean the server, can we get network access back to patch with the -20 update? Or do we need to rebuild on a new droplet? I'm trying a new droplet now and it looks like the Vesta repos are blocked, good precaution.

    • That will depend.

      If your droplet was detected as already compromised and part of an attack you will most likely need to back up your files via SFTP (this can be enabled in our recovery environment by our support team) and deploy a clean droplet.

      If your droplet was blocked due to running a vulnerable VestaCP but no outgoing attack was detected your droplet can most likely be brought back online once the vulnerability has been addressed via port blocking or updating Vesta. We would strongly recommend taking a close look at your logs in this instance to be 100% sure your droplet was not compromised.

      • Thanks Ryan. Yes, the port was blocked and I locked all the directories that others were getting infected in. I checked all logs and saw no signs of intrusion. I cannot update Vesta without network access. Please let me know how to proceed.

        Ticket #1447709

      • Ryan, I verified there was no compromise, and made sure all Vesta instances are updated and have port 8083 blocked. I submitted documentation for the cron and lib folders too. Support still hasn't unblocked my servers and it's costing me thousands.
        Can you help? Ticket #1447360

      • Not sure how to proceed. I can't install a patch without network access. Changed ports and blocked 8083. Ticket #1451230

      • Would be awesome if you could manage to alert the server owners when you start blocking traffic?

        I need to attend a client meeting on Monday to explain to them why all their MQTT services on port 8083 (the default port for MQTT over WebSockets) stopped working.

        I'll also try to tell them that DigitalOcean really is a good provider despite forgetting to tell them that they block servers purely at random without checking if the compromised VestaCP is even installed... :-(
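The answer above recommends three mitigations: move VestaCP off its default port, restrict the panel port to the admin's own IP, or reach it only through an SSH tunnel. The script below is an added example (not DigitalOcean support's guide, nor anything shipped by VestaCP) showing how the second and third options look on a Linux droplet with iptables. It assumes the panel is still on TCP 8083, that the admin's public IP is 203.0.113.5 (a documentation address, constructed for the example) and that the droplet is reached as `root@droplet`; the functions print the commands rather than run them so they can be reviewed first and then piped to `sh` as root.

```shell
#!/bin/sh
# Added example: lock the VestaCP panel port down with iptables, or reach it
# over an SSH local forward. Assumptions (not from the thread): panel on TCP
# 8083, admin IP 203.0.113.5, droplet reachable as root@droplet.

VESTA_PORT=8083   # VestaCP default; change this if you already moved the port

# Validate a plain dotted-quad IPv4 address so a typo (or "any") cannot turn the
# allow rule into one that matches every source.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
}

# Emit rules that accept the panel port only from ADMIN_IP and drop the rest.
# They are inserted at the top of INPUT so they take precedence over any
# permissive rule already in the chain.
vesta_allow_only() {
  admin_ip=$1
  is_ipv4 "$admin_ip" || { echo "invalid admin IP: $admin_ip" >&2; return 1; }
  printf 'iptables -I INPUT 1 -p tcp --dport %s -s %s -j ACCEPT\n' "$VESTA_PORT" "$admin_ip"
  printf 'iptables -I INPUT 2 -p tcp --dport %s -j DROP\n' "$VESTA_PORT"
}

# When no client needs the panel at all: accept it only on the loopback
# interface and drop everything arriving from the network.
vesta_loopback_only() {
  printf 'iptables -I INPUT 1 -i lo -p tcp --dport %s -j ACCEPT\n' "$VESTA_PORT"
  printf 'iptables -I INPUT 2 -p tcp --dport %s -j DROP\n' "$VESTA_PORT"
}

# Client side of the loopback-only setup: forward a local port to the
# droplet's loopback, then open https://localhost:8083 in the browser.
ssh_tunnel_cmd() {
  printf 'ssh -N -L %s:127.0.0.1:%s %s\n' "$VESTA_PORT" "$VESTA_PORT" "$1"
}

# Checks to run after applying: the rules must be present, and a probe from a
# host that is NOT the admin IP must fail to connect.
check_cmds() {
  printf 'iptables -L INPUT -n --line-numbers | grep %s\n' "$VESTA_PORT"
  printf 'nc -vz -w 3 DROPLET_PUBLIC_IP %s   # from an outside host: must not connect\n' "$VESTA_PORT"
}

# Demo: print the rule sets and the tunnel command for review.
vesta_allow_only 203.0.113.5
vesta_loopback_only
ssh_tunnel_cmd root@droplet
check_cmds
```

Two caveats worth keeping in mind. First, a firewall rule or a port change only shrinks the exposure of a vulnerable panel; it is not a patch, so the Vesta update still has to be applied once the droplet has network access again. Second, plain `iptables` rules do not survive a reboot unless they are saved (for example with `iptables-persistent` on Ubuntu), and if the VestaCP firewall module is enabled it may rewrite the chain, so re-run the check commands after any reboot or panel firewall change.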

The security vulnerability just hit all the sites, so I switched to CentOS Web Panel, and this alternative is pretty good compared to Vesta.
