Numerous users reported on VestaCP forums that their servers had been compromised.
If you have Vesta Control Panel installed on your server, the Vesta CP teams recommends shutting down the VestaCP process with
service vesta stop or
systemctl stop vesta.
You should also check the /etc/cron.hourly for the presence of a
gcc.sh: it should not be there.
According to skid, part of the VestCP team:
Here is what we know so far:
- The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh
- It was an automated hack
- CentOS, Debian, Ubuntu all distros are affected it's platform independent
- We didn't find any traces in vesta and system logs yet
- On April 7 infected servers started to DDoS remote hosts using /usr/lib/libudev.so.
If your server with VestaCP got hacked, the VestCP team would very much appreciate an email to email@example.com with your root access credentials to the compromised box(es).
UPDATE: Patch has been released
How to patch your VestaCP installation
1. Via web interface
- Login as admin
- Go to updates tab
- Click un update button under vesta package
2. Via package manager
- SSH as root to your server
- yum update / apt-get update && apt-get upgrade
3. Via Github
- SSH as root
- Install git / yum install git /apt-get install git
- Then run following commands
cd $(mktemp -d) git clone git://github.com/serghey-rodin/vesta.git /bin/cp -rf vesta/* /usr/local/vesta/
Some information about this inc[i]dent. We still don't have working exploit for previous version. But we know for sure that the vector of attack was through a potentially unsecure password check method. Therefore we have completely rewrite password auth function. It's bullet proof now!
Please upgrade your servers as soon as possible.