We have recently been made aware of a serious VestaCP vulnerability. It is being used to gain root access to servers running this software, and the compromised servers are then used to perform DoS attacks against remote hosts by sending large amounts of traffic.
VestaCP has already acknowledged the issue: https://forum.vestacp.com/viewtopic.php?p=68594#p68594.
They have also released a fix, but neither they nor we are sure that this is the final fix for the issue. https://forum.vestacp.com/viewtopic.php?f=10&t=16556&start=260#p68893.
How can you check if your server was compromised?
Check all cron jobs on your machine for malicious activity. Specifically, check the contents of the /etc/cron.hourly/ directory. You are looking for a file named “gcc.sh”. It should NOT be present. If it is, your server is probably infected. Back up your data and reinstall, or send the details to email@example.com to help them debug the issue further.
Install antivirus software, run a scan and then check for any results similar to:
/lib/libudev.so: Unix.Trojan.DDoS_XOR-1 FOUND
The malicious file could be anything. We recommend ClamAV, but you can scan with any antivirus for Linux servers.
For ClamAV, once installed, the command to check the whole server is: “clamscan -r -i /”. This performs a full scan of the whole server, so it may take a while. Please note that by default it will not scan any files larger than 20 MB. You can find a few examples of using ClamAV in this thread: https://askubuntu.com/questions/250290/how-do-i-scan-for-viruses-with-clamav.
As mentioned, by default ClamAV will not scan files larger than 20 MB. To override that setting, append the options --max-filesize=2000M --max-scansize=2000M to the command, replacing the size 2000M as necessary. An example is provided below.
$ clamscan --max-filesize=2000M --max-scansize=2000M -r -i /
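The checks above, collected into one script as an added example (this is our own illustration, not code from VestaCP or from the fix thread). ROOT is an assumed variable so the script can also be pointed at a mounted copy of a suspect filesystem; the package-ownership check on /lib/libudev.so is an added heuristic, since a library dropped by malware is not owned by any package.

```sh
#!/bin/sh
# Added example: checklist for the indicators described above.
# ROOT defaults to the live system; set ROOT=/mnt/suspect for a mounted copy.

# Returns 0 when the suspicious hourly cron job is absent, 1 when present.
# Also lists the directory so other unexpected entries can be reviewed.
check_cron_indicator() {
    root="${1:-/}"
    hourly="${root%/}/etc/cron.hourly"
    if [ -e "$hourly/gcc.sh" ]; then
        echo "SUSPICIOUS: $hourly/gcc.sh exists (contents follow):"
        cat "$hourly/gcc.sh"
        return 1
    fi
    echo "ok: $hourly/gcc.sh not present; current entries:"
    ls -la "$hourly" 2>/dev/null || true
    return 0
}

# Returns 0 if the file belongs to a package, 1 if it exists but is unowned,
# 2 if it does not exist, 3 if neither dpkg nor rpm is available to ask.
# (On merged-/usr systems also query the /usr/lib path.)
check_package_owner() {
    path="$1"
    [ -e "$path" ] || return 2
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$path" >/dev/null 2>&1 && return 0 || return 1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qf "$path" >/dev/null 2>&1 && return 0 || return 1
    fi
    return 3
}

# Full ClamAV scan with the 20 MB default limits raised, as described above.
run_full_scan() {
    clamscan --max-filesize=2000M --max-scansize=2000M -r -i "${1:-/}"
}

check_cron_indicator "${ROOT:-/}" || echo "Review the file above before deciding to reinstall."
rc=0; check_package_owner "${ROOT:-/}/lib/libudev.so" || rc=$?
case $rc in
    0) echo "libudev.so is package-owned" ;;
    1) echo "SUSPICIOUS: libudev.so is not owned by any package" ;;
    2) echo "libudev.so not present" ;;
    *) echo "no dpkg/rpm found; verify libudev.so manually" ;;
esac
# Uncomment to run the full scan (slow; needs ClamAV installed, run as root):
# run_full_scan "${ROOT:-/}"
```

Run it as root so every cron directory and library path is readable; the package-owner result is only a hint and a positive cron finding is the decisive indicator.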
What can you do to be 100% safe right now?
We recommend shutting down the Vesta Service:
$ service vesta stop
$ systemctl stop vesta
The rest of the services on your box will continue to work normally. Once we’re sure the patch is final, we will post updates on our announcements page: https://vikinglayer.com/clients/announcements.
You can also restrict inbound access to port 8083 with firewall rules on your server, or change the VestaCP port, to reduce the chance of an attacker gaining access.
We have already shut down the Vesta service on all our instances, including our VestaCP shared hosting. We strongly recommend that you do the same if you are running VestaCP on your server. If you have any questions regarding this, do not hesitate to open a ticket.
Monday, April 9, 2018