Take Heed! (VestaCP)

Quote from Devs on forum: All VestaCP installations being attacked - Page 19 - Vesta Control Panel - Forum

@Falzo made the initial discovery it seems. You can see it here: All VestaCP installations being attacked - Page 17 - Vesta Control Panel - Forum

Long story short, VestaCP's repository got hacked and was used as a relay for passwords being sent by an altered script during the install. Make sure to double check that you aren’t on the list.

Also double check to make sure that /usr/bin/dhcprenew doesn’t exist on your server. If it does, double check with strings /usr/bin/dhcprenew.



Just stop using VestaCP at this point, holy shit.

If anyone still goes with VestaCP they surely like to suffer

Sure you can be safe staying at home, but wouldn’t you rather ride on top of an airplane wearing a ski mask and a man thong while flipping the world the bird?


Thanks for sharing the information. It would be great if VestaCP became a stable and reliable panel. Maybe one day…

Update should be coming out soon. GitHub has been updated with patches: Commits · serghey-rodin/vesta · GitHub

God damn, this seems to be a never ending cycle. I’m glad I ditched my only Vesta box a while ago.

Looks like I escaped this one. Not going to complain about that. I’ll take wins where I can get 'em. Rather have everyone off the boxes but at this point it’s “You’re welcome to drink the poison, I’ll do my best to stop it from killing you.”


Finally the new release is available.
Please update your server as soon as possible.

Release notes for 0.9.8-23

  • Security fix for timing attack on password reset. Thanks to https://arcturussecurity.com
  • Security fix for v-open-fs-config. Its visibility is limited to /etc and /var/lib directories
  • Security check for /usr/bin/dhcprenew binary. If found, checker notifies server administrator
  • Security improvement for sudo. It is now limited to vesta scripts only and doesn’t allow admin to execute any other command
  • Security improvement: admin password and database passwords are generated individually
  • Security improvement: new installer doesn’t use c.vestacp.com as source for the configuration files. Configs are bundled inside vesta package
  • Security improvement: installer doesn’t send any information to vestacp.com after successful installation. It used to send distro name for usage statistics.