VestaCP hit by 0-day exploit

It seems that VestaCP has been hit by a 0-day exploit through its API, which allows code to be executed as Root(!!!). Many users reported on VestaCP forums that their hosting accounts were suspended and their servers were compromised.

Exploit makes the hacked server attack a Chinese IP. It looks like a DDoS trojan where a .sh file(gcc.sh) is loaded in cron.hourly triggering DDoS attacks on other servers.

Deleting the cron or the file loaded through the cron won’t help much in dealing with the issue since the vulnerability is found inside VestaCP. VestaCP recommends to shut down its service with the following commands:

service vesta stop(Debian/Ubuntu)
systemctl stop vesta(Red Hat/Centos)

Once you stop the service, we recommend limiting inbound and outbound access to port 8083.

This DDoS attack has been lurking around for many years, but it has never been noticed exploiting a hosting panel before. Even if VestaCP releases a patch, there is a serious possibility that you will need to re-install your server OS from scratch, so make sure your backups are accessible and current.

This is what VestaCP reported about the exploit:

1. The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh
2. It was an automated hack
3. CentOS, Debian, Ubuntu all distros are affected it’s platform independent
4. We didn’t find any traces in vesta and system logs yet
5. On April 7 infected servers started to DDoS remote hosts using /usr/lib/libudev.so.

PS: installing ClamAV would probably warn you about the DDoS attack before having your server network outbound access blocked by your ISP

**UPDATE**
Blesta notified us on April 10th that they have released a security update:

Fixed, update is already available https://t.co/baGkAptxoh

— Vesta Control Panel (@vestacp) April 10, 2018