WP Republic!

High Profile WordPress Security Services by WP Republic!

Apr 08 2018

VestaCP hit by 0-day exploit

It seems that VestaCP has been hit by a 0-day exploit through its API that allows code to be executed as root. Many users reported on the VestaCP forums that their hosting accounts were suspended and their servers compromised.

The exploit makes the hacked server attack a Chinese IP address. It looks like a DDoS trojan: a shell script (gcc.sh) is dropped into /etc/cron.hourly and triggers DDoS attacks on other servers.

Deleting the cron job or the file it runs won’t help much, since the vulnerability is in VestaCP itself and a cleaned server can simply be re-infected the same way. VestaCP recommends shutting its service down with the following commands:

service vesta stop      (Debian/Ubuntu)
systemctl stop vesta    (Red Hat/CentOS)

Once the service is stopped, we recommend restricting inbound and outbound access to port 8083 (the port the VestaCP panel and its API listen on) at the firewall.
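One way to do that with iptables, added here as an example that is not from the original post or from the VestaCP project: the function prints the rules so they can be reviewed before being piped to sh. The admin networks are its arguments; 203.0.113.0/24 and 198.51.100.7 in the usage line are documentation addresses standing in for your own.

```shell
#!/bin/sh
# Added example, not from the original post or the VestaCP project.
# Prints iptables rules that restrict VestaCP's panel/API port (TCP 8083) to an
# administrator allowlist and drop everything else, inbound and outbound.
# Review the output, then apply it:
#     sh vesta_8083_rules.sh 203.0.113.0/24 198.51.100.7/32 | sh
# (203.0.113.0/24 and 198.51.100.7 are documentation addresses; use your own.)

vesta_8083_rules() {
    port=8083
    if [ "$#" -eq 0 ]; then
        echo "usage: vesta_8083_rules <admin-cidr> [<admin-cidr> ...]" >&2
        return 2
    fi

    # Inbound. Everything is inserted at the head of INPUT, DROP first, so the
    # chain ends up as: ACCEPT (each admin CIDR) ... DROP, ahead of whatever
    # broad ACCEPT rules the host already had.
    printf 'iptables -I INPUT -p tcp --dport %s -j DROP\n' "$port"
    for cidr in "$@"; do
        printf 'iptables -I INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$cidr"
    done

    # Outbound. The server has no business connecting to other panels on 8083;
    # drop it, and log (rate limited) so a worm or scanner on the box shows up
    # in the kernel log instead of failing silently. LOG is inserted last so it
    # sits above the DROP.
    printf 'iptables -I OUTPUT -p tcp --dport %s -j DROP\n' "$port"
    printf 'iptables -I OUTPUT -p tcp --dport %s -m limit --limit 5/min -j LOG --log-prefix "vesta-8083-out: "\n' "$port"
}

# Run directly with the admin CIDRs as arguments to print the rules.
if [ "$#" -gt 0 ]; then
    vesta_8083_rules "$@"
fi
```

Insert order matters: each ACCEPT is inserted above the DROP, so the chain reads allowlist first, then drop, regardless of what was already there. Add the same rules with ip6tables if the panel is reachable over IPv6, and make them persistent (iptables-persistent on Debian/Ubuntu, firewalld or the iptables service on CentOS) or they vanish at reboot.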

This DDoS trojan has been around for many years, but it had never been seen exploiting a hosting panel before. Even once VestaCP releases a patch, there is a serious possibility that you will need to re-install the server OS from scratch (after code execution as root, nothing on the box can be trusted), so make sure your backups are accessible and current.

This is what VestaCP reported about the exploit:

1. The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh
2. It was an automated hack
3. CentOS, Debian, Ubuntu: all distros are affected; it’s platform independent
4. We didn’t find any traces in Vesta or system logs yet
5. On April 7 infected servers started to DDoS remote hosts using /usr/lib/libudev.so.

PS: Installing ClamAV would probably warn you about the DDoS trojan before your ISP blocks your server’s outbound network access.
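A quick triage check for the indicators listed above, added here as an example that is not from the original post or from the VestaCP project: it looks for the dropper and payload paths VestaCP named, and for any other hourly cron job that launches a libudev.so binary. The optional root-prefix argument exists so the same function can be run against a mounted disk image, a chroot, or a constructed test tree. No findings does not prove a clean host, since file names can change between waves; treat this as triage, not as a scanner.

```shell
#!/bin/sh
# Added example, not from the original post or the VestaCP project.
# File-based check for the indicators VestaCP reported:
#   /etc/cron.hourly/gcc.sh   (dropper)
#   /usr/lib/libudev.so       (DDoS payload)
# plus any other hourly cron job that references libudev.so.
# Usage:  sh vesta_ioc_check.sh            (live system)
#         sh vesta_ioc_check.sh /mnt/img   (mounted image or chroot)
# Exit status: 0 nothing found, 1 indicators found.

vesta_ddos_iocs() {
    root="${1:-}"
    found=0

    # 1. The dropper VestaCP named.
    f="$root/etc/cron.hourly/gcc.sh"
    if [ -e "$f" ]; then
        echo "IOC: $f exists"
        found=1
    fi

    # 2. The payload path VestaCP named. libudev-dev / libudev-devel can install
    #    a symlink with this name on some layouts; the malware drops a regular
    #    file, so tell the two apart instead of flagging the name alone.
    f="$root/usr/lib/libudev.so"
    if [ -L "$f" ]; then
        echo "note: $f is a symlink to $(readlink "$f"); verify it with rpm -qf or dpkg -S"
    elif [ -f "$f" ]; then
        echo "IOC: $f is a regular file, not a symlink to a versioned library"
        found=1
    fi

    # 3. Catch a renamed dropper by content: any hourly job that runs libudev.so.
    for job in "$root"/etc/cron.hourly/*; do
        [ -f "$job" ] || continue
        if grep -q 'libudev\.so' "$job" 2>/dev/null; then
            echo "IOC: cron job $job references libudev.so"
            found=1
        fi
    done

    return "$found"
}

# Run against the given root (default: the live system) when executed as a
# script named vesta_ioc_check.sh; sourcing the file just defines the function.
case "$0" in
    *vesta_ioc_check.sh) vesta_ddos_iocs "$@" ;;
esac
```

On a hit, do not just delete the files: the post's point stands that the panel itself is the entry point. Stop and firewall vesta first, keep copies of the files for analysis (cp -p into a quarantine directory off the box), and plan the rebuild from known-good backups.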

**UPDATE**

Blesta notified us on April 10th that VestaCP had released a security update:

Fixed, update is already available https://t.co/baGkAptxoh

— Vesta Control Panel (@vestacp) April 10, 2018

Written by WP Republic! · Categorized: Blog · Tagged: DDoS trojan, VestaCP, zero-day exploit

Comments

  1. Tim Oxendale says

    April 12, 2018 at 11:47 am

    I used VestaCP for a number of years but had a few issues with security, ended up migrating everything over to cPanel/WHM and not had a problem since!

    • Gerasimos says

      April 12, 2018 at 12:11 pm

      Hey Tim 🙂
      VestaCP released a security update already, so it took them 1-2 days to patch it. In general, the fewer third-party tools you’re using to offer a hosting service, the better. Are you using CloudLinux as well?

      • Tim says

        April 14, 2018 at 2:26 pm

        That’s a lot faster than it used to be. Yeah, I’m using CloudLinux & KernelCare, which has been a real help! Imunify360 is my next step!


© 2025 · Security Services · WP Republic!
This website is not affiliated with or sponsored by Automattic or the WordPress Open Source project