It seems that VestaCP has been hit by a 0-day exploit through its API which allows code to be executed as root (!!!). Many users reported on the VestaCP forums that their hosting accounts had been suspended and their servers compromised.
The exploit makes the compromised server attack a Chinese IP. It looks like a DDoS trojan: a shell script (gcc.sh) is dropped into /etc/cron.hourly and from there launches DDoS attacks against other servers.
Deleting the cron entry or the file it loads won't help much on its own, since the vulnerability is inside VestaCP itself and the server can simply be reinfected. VestaCP recommends shutting the service down with the following commands:
service vesta stop (Debian/Ubuntu)
systemctl stop vesta (Red Hat/CentOS)
Once the service is stopped, we recommend limiting inbound and outbound access to port 8083 (VestaCP's default panel port) at the firewall.
This DDoS malware has been around for many years, but it had never before been seen exploiting a hosting panel to spread. Even if VestaCP releases a patch, bear in mind that the attacker already had root: a patch closes the hole but does not prove the host is clean, so there is a serious possibility that you will need to reinstall the server OS from scratch. Make sure your backups are accessible and current.
1. The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh.
2. It was an automated hack.
3. CentOS, Debian and Ubuntu are all affected; the attack is platform independent.
4. We didn't find any traces in the Vesta or system logs yet.
5. On April 7 the infected servers started to DDoS remote hosts using /usr/lib/libudev.so.
P.S.: installing ClamAV would probably have warned you about the DDoS payload before your ISP blocked your server's outbound network access.
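To make the containment steps and the indicators listed above checkable on a host, here is a small POSIX shell triage script. It is an added example written for this page, not code from VestaCP or from the original post. It assumes only the two file paths (/etc/cron.hourly/gcc.sh, /usr/lib/libudev.so) and the port 8083 named above, the service name "vesta", and standard iptables flags; the ROOT argument and the DRY_RUN switch are conventions of this example, not part of VestaCP.

```shell
#!/bin/sh
# Added triage/containment helper for the VestaCP incident described above.
# Not VestaCP's own tooling. ROOT (default "/") is a hypothetical prefix so the
# checks can also be run against a mounted disk image or a scratch tree.

set -u

# Indicators of compromise reported on this page, relative to ROOT.
IOC_PATHS="etc/cron.hourly/gcc.sh usr/lib/libudev.so"

# check_vesta_iocs [ROOT]
# Prints each indicator present under ROOT, one per line.
# Returns 0 when none are present, 1 when at least one is found.
check_vesta_iocs() {
    root="${1:-/}"
    found=0
    for rel in $IOC_PATHS; do
        p="${root%/}/$rel"
        if [ -e "$p" ]; then
            echo "$p"
            found=1
        fi
    done
    return $found
}

# cron_references [ROOT]
# The hourly dropper is only one persistence point. Grep every cron location
# for references to the known payload names so a renamed dropper that still
# launches libudev.so is noticed. Prints the matching file paths.
cron_references() {
    root="${1:-/}"
    grep -rlE 'gcc\.sh|libudev\.so' \
        "${root%/}/etc/cron.hourly" "${root%/}/etc/cron.d" \
        "${root%/}/etc/crontab" "${root%/}/var/spool/cron" 2>/dev/null || true
}

# contain_vesta [DRY_RUN]
# Stops the panel and blocks TCP 8083 in both directions, as recommended
# above. With DRY_RUN=1 the commands are printed instead of executed so the
# plan can be reviewed before touching a production box.
contain_vesta() {
    dry_run="${1:-0}"
    run() {
        if [ "$dry_run" = "1" ]; then echo "$*"; else "$@"; fi
    }
    # Both stop commands from the page; pick by init system rather than distro.
    if command -v systemctl >/dev/null 2>&1; then
        run systemctl stop vesta
    else
        run service vesta stop
    fi
    # Inbound: nobody reaches the panel. Outbound: this host reaches no
    # remote panel on 8083 either (the page asks for both directions).
    run iptables -I INPUT  -p tcp --dport 8083 -j DROP
    run iptables -I OUTPUT -p tcp --dport 8083 -j DROP
}

# Typical use on a live host, as root:
#   . ./vesta_triage.sh        (hypothetical file name)
#   check_vesta_iocs /         # exit status 1 means indicators present
#   cron_references /
#   contain_vesta 1            # review the plan, then run "contain_vesta" for real
```

The checks are deliberately kept separate from the containment so you can first run them read-only (for example against a mounted image of a suspect server) and only then decide whether to stop the service and add the firewall rules. Finding neither file is not a clean bill of health, because the attacker had root and may have changed names; it only tells you the known dropper is not where this incident put it.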
Blesta notified us on April 10th that a security update had been released:
Fixed, update is already available https://t.co/baGkAptxoh
— Vesta Control Panel (@vestacp) April 10, 2018