Related

Recovering Files from a Compromised Droplet Question Question
Problem to update php in vestacp Question Question

Question

Solution For DigitalOcean VestaCP Compromise Problem

Posted April 9, 2018 3.2k views
UbuntuControl Panels

Since the recent vestacp breach, I’m guessing that a lot of virtual servers digitalocean wide had a big issue and as of now I checked again, vesta rolled back its releases for Ubuntu 12.04 and 14.04 and we need a good alternative for that. Also I’m a noob server wise so I would be glad rather than reading people ranting about DO or vesta, it would be pretty good to find a quick and efficient solution for the problem at hand. Thank you forwards…

Add a comment
Yigithur
By:
Yigithur
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
2 answers
ryanpq April 9, 2018

Right now it appears that this vulnerability is being exploited only against VestaCP servers using the default ports. Our support team has written this guide on how you can change the ports used. Other users have also reported that when they do not have clients needing to access VestaCP that restricting access to VestaCP to only their IP or only to connects tunneled over SSH also provides protection.

Reply Report
  • elstruck April 9, 2018

    After we change port and clean server, can we get network access back to patch with -20 update? Or are we needing to rebuilt to new droplet? I’m trying new droplet now and looks like vesta repos are blocked, good precaution.

    Reply Report
    • ryanpq April 9, 2018

      That will depend.

      If your droplet was detected as already compromised and part of an attack you will most likely need to back up your files via SFTP (this can be enabled in our recovery environment by our support team) and deploy a clean droplet.

      If your droplet was blocked due to running a vulnerable VestaCP but no outgoing attack was detected your droplet can most likely be brought back online once the vulnerability has been addressed via port blocking or updating Vesta. We would strongly recommend taking a close look at your logs in this instance to be 100% sure your droplet was not compromised.

      Reply Report
      • elstruck April 9, 2018

        Thanks Ryan. Yes port was blocked and I locked all directories that others were getting infected. I checked all logs and saw no signs of intrusion. I cannot update Vesta without network. Please let me know how to proceed.

        Ticket #1447709

        Reply Report
      • blissrob April 9, 2018

        Ryan. I verified no compromise, and made sure all Vesta instances are updated and have port 8083 blocked. I submitted documentation for the cron and lib folders too. Support still hasn’t unblocked my servers and its costing me thousands.
        Can you help. Ticket# 1447360

        Reply Report
      • RichJohn April 9, 2018

        Not sure how to proceed. Can’t install a patch without network access. Changed ports and blocked 8083. Ticket #1451230

        Reply Report
      • jensa April 13, 2018

        Would be awesome if you could manage to alert the server owners when you start blocking traffic?

        I need to attend a client meeting on Monday to explain to them why all their MQTT services on port 8083 (the default port for MQTT over Websockets) stopped working.

        I’ll also try to tell them that DigitalOcean really is a good provider despite forgetting to tell that they block servers on pure random without checking if the compromised VestaCP is even installed… :-(

        Reply Report
hamzatariq380 April 15, 2018

The security vulnerability just secured by all the sites i just switch to Centos Web Panel and this alternative is pretty good as compared to vesta.

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help