Got 10 VestaCP servers exploited
Re: Got 10 VestaCP servers exploited
Did anyone find how this rootkit made its way into the server?
My affected servers aren't online so I still couldn't log in to investigate the log files.
Re: Got 10 VestaCP servers exploited
Same here, 2 servers are suspended because of DDoS. Can't send to the vesta team as the servers are in suspend mode.
Thank god I've backups configured on a remote server, else you know.
Re: Got 10 VestaCP servers exploited
Here is what we know so far:
1. The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh
2. It was an automated hack
3. CentOS, Debian, Ubuntu: all distros are affected, it's platform-independent
4. We didn't find any traces in vesta and system logs yet
5. On April 7 infected servers started to DDoS remote hosts using /usr/lib/libudev.so.
What you can do:
The best way to stay safe is to temporarily disable the vesta web service
Code:
service vesta stop
Code:
systemctl disable vesta
or limit access to port 8083 using the firewall
What we are doing:
A few users provided us with root access to their servers. We are investigating what happened. We also launched a couple of honeypots in order to get the full picture of the hack.
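As an added example (not from the post above, and not part of Vesta), a small POSIX sh script that checks a host for the two file paths named in the post and prints iptables rules restricting port 8083 to one admin address. The ROOT argument and the admin address 203.0.113.10 are assumed placeholders; the script only prints the firewall rules, it does not apply them.

```shell
#!/bin/sh
# Added example: look for the indicators quoted in the thread and
# emit firewall rules for the panel port. Not Vesta's own code.

# Paths named in the post: the hourly cron dropper and the library
# reported to be used for the outbound DDoS traffic.
INDICATORS="/etc/cron.hourly/gcc.sh /usr/lib/libudev.so"

# check_indicators [ROOT] -> prints every indicator present under ROOT
# (default "/"); returns 0 when none are found, 1 when at least one is.
# ROOT lets the check run against a mounted or staged filesystem tree
# (for example a rescue-mode mount of a suspended server).
check_indicators() {
    root="${1:-/}"
    root="${root%/}"          # drop trailing slash so "/" becomes ""
    found=0
    for p in $INDICATORS; do
        if [ -e "$root$p" ]; then
            echo "FOUND: $root$p"
            ls -l "$root$p"   # owner, mode and mtime for the incident record
            found=1
        fi
    done
    return "$found"
}

# vesta_port_rules ADMIN_IP -> prints iptables rules that accept TCP 8083
# only from ADMIN_IP and drop the port for everyone else. ADMIN_IP is a
# placeholder; replace it with your own management address.
vesta_port_rules() {
    admin="$1"
    printf 'iptables -I INPUT -p tcp --dport 8083 -s %s -j ACCEPT\n' "$admin"
    printf 'iptables -A INPUT -p tcp --dport 8083 -j DROP\n'
}

# Example invocation (commented out so the functions can be sourced):
# check_indicators / || echo "indicators present, treat host as compromised"
# vesta_port_rules 203.0.113.10
```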
Re: Got 10 VestaCP servers exploited
Hi Everyone,
I also have one of my new servers at OVH which is suspended. I had two-factor auth for every SSH user.
I already stopped vesta on my other servers. Maybe you should add two-factor auth for vesta.
Thanks for your help :)
Re: Got 10 VestaCP servers exploited
So what do you suggest, re-installation of the hacked server?

skid wrote: Sun Apr 08, 2018 7:05 am
> Here is what we know so far:
> 1. The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh
> 2. It was an automated hack
> 3. CentOS, Debian, Ubuntu: all distros are affected, it's platform-independent
> 4. We didn't find any traces in vesta and system logs yet
> 5. On April 7 infected servers started to DDoS remote hosts using /usr/lib/libudev.so.
> What you can do:
> The best way to stay safe is to temporarily disable the vesta web service
> Code:
> service vesta stop
> Code:
> systemctl disable vesta
> or limit access to port 8083 using the firewall
> What we are doing:
> A few users provided us with root access to their servers. We are investigating what happened. We also launched a couple of honeypots in order to get the full picture of the hack.

This is the only way to have a clean OS. Or if you launch a security patch, are these hacks removed from the server? - I don't think so.
Re: Got 10 VestaCP servers exploited
Sandy, in my case I reinstalled my server, changed the vesta port and stopped the vesta service until any other information.
Re: Got 10 VestaCP servers exploited
Yes, I know that is the only option; need to confirm from the vesta team. These are the main consequences with open-source projects: they always get hacked. If you're going to publicize the source code, also ensure security, since the panel is responsible for controlling the server.
Re: Got 10 VestaCP servers exploited
Obviously we need to reinstall the OS, but first we need to wait until Vestacp releases a patch file. -_-
Re: Got 10 VestaCP servers exploited
I think stopping vesta is too much over-reaction!
Just harden the firewall rules (iptables/security group/router/other), Netflix and chill.
The reason being vesta's services, i.e. HTTP, postfix, etc., are more or less not written by Vesta and are running all around the web. The 0-day (if any) might be in a vesta-related application running on ports like 8083.