New Vulnerability in Vesta?

A new vulnerability in Vesta has led to reports of unauthorized access and deployment of mining software on servers. Immediate action is advised.

Dmytro

Recently, in April 2018, a remote vulnerability was discovered and fixed in the popular control panel Vesta — we wrote about it on our blog. Unfortunately, reports have surfaced of successful hacks and the deployment of mining software on servers running Vesta. We are collating the data available so far and will post updates as we learn more.

Current Situation

There is ongoing discussion on the official forum, where a user reports suspicious activity with a detailed technical description. Some of our partners are reporting isolated cases of various versions of Vesta being hacked.

Preliminarily, it seems that a vulnerability exists in the current version, allowing remote exploitation. Unlike the previous case, where hacked servers were noticeable due to traffic anomalies from DDoS attacks, the current intruders are running code for mining Monero, making it less detectable.

The Vesta developers are reportedly aware of this issue and we expect additional information soon. In the meantime, we recommend blocking access to Vesta (TCP port 8083) from untrusted IPs. Allow only trusted addresses, such as your VPN server and home/work IP. It is also crucial to verify that backups of your resources and settings exist and are up to date.
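
One way to apply the port 8083 restriction recommended above with iptables, as an added example that is not part of the original post or of Vesta itself. The chain name VESTA_PANEL and the sample addresses (documentation ranges) are assumptions; the script only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/sh
# Added example: print (not apply) iptables commands that restrict the Vesta
# panel port to an allowlist. Review the output, then pipe it to `sh` as root.
VESTA_PORT=8083          # panel port named in the post
CHAIN=VESTA_PANEL        # chain name is an assumption of this example

# Accept a dotted-quad IPv4 address with an optional /0-32 prefix.
is_ipv4_cidr() {
    addr=${1%/*}
    case "$1" in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr             # split into octets (digits and dots only here)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Emit the rule set: fresh chain, one ACCEPT per trusted source, final DROP.
# Nothing is printed unless every address validates, and an empty allowlist
# is refused so the output can never lock every client out of the panel.
vesta_allowlist_rules() {
    [ "$#" -gt 0 ] || { echo "no trusted addresses given" >&2; return 1; }
    for src in "$@"; do
        is_ipv4_cidr "$src" || { echo "invalid address: $src" >&2; return 1; }
    done
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    for src in "$@"; do
        echo "iptables -A $CHAIN -s $src -j ACCEPT"
    done
    echo "iptables -A $CHAIN -j DROP"
    # Hook the chain into INPUT once, ahead of any broader ACCEPT rule.
    hook="-p tcp --dport $VESTA_PORT -j $CHAIN"
    echo "iptables -C INPUT $hook 2>/dev/null || iptables -I INPUT 1 $hook"
}

# Constructed sample: a VPN server and an office range (documentation addresses).
vesta_allowlist_rules 203.0.113.10 198.51.100.0/24
```

The rules cover IPv4 only; if the panel is also reachable over IPv6, the same allowlist is needed in ip6tables.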

Updates

Update 20:45 EEST 24/06/2018: An update for Vesta has been released that includes changes to the authorization procedure. The code can be found on GitHub. We recommend updating the Vesta panel to version 0.9.8-22 as soon as possible using the command v-update-sys-vesta-all.

We hope to provide more information regarding this incident soon. Stay tuned for updates.
