VestaCP hit with zeroday exploit [Patch Released, Unclear If Resolved]
Lots of users on the forum reporting their boxes were hacked. VestaCP team members suggest shutting down the vesta service on your box until they can figure it out and release a patch.
Double-check your /etc/cron.hourly folder for a file named gcc.sh - you don't want to see that file there.
None of my boxes seem to be impacted, but disable the vesta service:
service vesta stop
or
systemctl stop vesta
And make sure your admin panel (:8083) isn't loading. Better to be safe than sorry.
April 10 Update: Unclear if the patch resolved the exploit. The VestaCP team has not produced confirmed details on the attack vector and has not been able to reproduce the attack. Harden your VestaCP installs by keeping the vesta service offline and/or locking down the admin port in your firewall.
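The checks above (look for /etc/cron.hourly/gcc.sh, stop vesta, confirm :8083 is no longer listening) as one POSIX shell triage script. This is an added example, not code from the original post or from the VestaCP project; the script name vesta_triage.sh and the sample `ss -ltn` output embedded in it are assumptions made for the example.

```shell
#!/bin/sh
# Added triage script (not from the original post or the VestaCP project).
# It checks the one indicator named above, a gcc.sh dropped into
# /etc/cron.hourly, and verifies that the panel port (8083) is no longer
# listening after `systemctl stop vesta`. The file name vesta_triage.sh and
# the sample ss output below are assumptions made for this example.

# Return 0 if no gcc.sh is present in the given cron directory, 1 if it is.
# The file is listed, not deleted: preserve it for forensics before cleanup.
check_cron_ioc() {
    crondir="${1:-/etc/cron.hourly}"
    if [ -e "$crondir/gcc.sh" ]; then
        echo "INDICATOR: $crondir/gcc.sh exists" >&2
        ls -l "$crondir/gcc.sh" >&2
        return 1
    fi
    return 0
}

# Read an `ss -ltn` listener table on stdin. Return 0 if nothing listens on
# the given TCP port, 1 if something does. Column 4 is Local Address:Port;
# taking the text after the last ':' handles 0.0.0.0:8083, *:8083, [::]:8083.
port_is_closed() {
    if awk -v p="$1" 'NR > 1 { n = split($4, a, ":"); if (a[n] == p) found = 1 }
                      END { exit found ? 0 : 1 }'; then
        return 1
    fi
    return 0
}

# Constructed sample (not captured from a real host) showing the panel still up.
SAMPLE_SS_PANEL_UP='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    *:8083              *:*'

# Full triage against the live host: returns 0 only if both checks pass.
vesta_triage() {
    rc=0
    check_cron_ioc "${1:-/etc/cron.hourly}" || rc=1
    if ss -ltn 2>/dev/null | port_is_closed 8083; then
        echo "ok: nothing listening on :8083"
    else
        echo "WARNING: :8083 still listening, run: systemctl stop vesta" >&2
        rc=1
    fi
    return $rc
}

# Run only when executed as vesta_triage.sh; sourcing just defines the functions.
case "$0" in
    *vesta_triage*) vesta_triage "$@" ;;
esac
```

Run it as root with `sh vesta_triage.sh`; a non-zero exit means either the cron indicator is present or the panel is still reachable. If you would rather keep the panel up for yourself than stop the service, restrict the port to your own address instead, for example `iptables -I INPUT -p tcp --dport 8083 ! -s YOUR_ADMIN_IP -j DROP` (YOUR_ADMIN_IP is a placeholder).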
Patch was just released, hard to tell if this is the final fix though:
The fix has been released just now!
As usual, there are 3 ways to update your server:
1 Via web interface
- Login as admin
- Go to updates tab
- Click the update button under the vesta package
2 Via package manager
- SSH as root to your server
- yum update / apt-get update && apt-get upgrade
3 Via GitHub
- SSH as root
- Install git: yum install git / apt-get install git
- Then run following commands
cd $(mktemp -d)
git clone git://github.com/serghey-rodin/vesta.git
/bin/cp -rf vesta/* /usr/local/vesta/
Some information about this incident. We still don't have a working exploit for the previous version. But we know for sure that the vector of attack was through a potentially insecure password check method. Therefore we have completely rewritten the password auth function. It's bulletproof now!
Please upgrade your servers as soon as possible.