Live Updating: VestaCP reportedly hit with a zero-day exploit.

Hi,

VestaCP has reportedly been hit with a zero-day exploit. VestaCP is one of the most popular web hosting control panels.

Lots of users at the official VestaCP forum are reporting that their VestaCP installs were hacked. VestaCP team members suggest shutting down the vesta service on your box until they can figure it out and release a patch.

Here is what has been found so far:


1. The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh

2. It was an automated hack

3. The attack was platform independent.

4. VestaCP team didn’t find any traces in vesta and system logs yet

5. On April 7 infected servers started to DDoS remote hosts using /usr/lib/libudev.so.

Well, good news for you ✅

On 8th April, VestaCP's team announced a patch which needs to be applied so you can use the VestaCP admin panel (:8083).

To apply the patch, follow these steps:



1. Log in as root to your server


2. Run the relevant OS update command


3. Once the update completes, run: v-update-sys-vesta-all


4. Enable the VestaCP service on boot


(Old information) Temporary solution until VestaCP releases a patch

Carry out the following commands on your VestaCP VM to temporarily patch the issue, as reported by the VestaCP team:

[#] cd /etc/cron.hourly
[#] rm -rf gcc.sh
[#] systemctl stop vesta && systemctl disable vesta

Make sure the VestaCP panel doesn't start on boot (the last command does that on CentOS 7) and make sure your admin panel (:8083) isn't loading. Better to be safe than sorry.

We will inform you as we have more information from them so you can start your VestaCP panels back up.

Thank you for now; I'll keep you posted as I have more information.
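
A check for the two file paths listed in the findings above, as an added example that is not part of the original post or of VestaCP's own tooling. The function name `vesta_ioc_scan`, the optional mount-point argument and the `/etc/crontab` check are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not VestaCP's own tooling): look for the two file paths
# named in this post on a live host or on a mounted disk image.
# Usage: vesta_ioc_scan [ROOT]   (ROOT defaults to /)
# Returns the number of findings, so 0 means nothing was found.
vesta_ioc_scan() {
    root="${1:-/}"
    root="${root%/}"            # "/" becomes "", "/mnt/img/" becomes "/mnt/img"
    hits=0

    for rel in /etc/cron.hourly/gcc.sh /usr/lib/libudev.so; do
        path="$root$rel"
        if [ -e "$path" ] || [ -L "$path" ]; then
            hits=$((hits + 1))
            echo "FOUND $rel"
            ls -ld -- "$path"   # owner, mode, mtime; a symlink shows its target
            if [ -f "$path" ] && command -v sha256sum >/dev/null 2>&1; then
                sha256sum -- "$path"   # record the hash before removing anything
            fi
        else
            echo "absent $rel"
        fi
    done

    # Assumption, not stated in the post: the dropped script may also be
    # referenced from the system crontab, so flag any such line.
    if [ -f "$root/etc/crontab" ] && grep -n 'gcc\.sh' "$root/etc/crontab"; then
        hits=$((hits + 1))
        echo "FOUND reference to gcc.sh in /etc/crontab"
    fi

    # Live host only: report whether the panel service is still enabled.
    if [ -z "$root" ] && command -v systemctl >/dev/null 2>&1; then
        echo "vesta service: $(systemctl is-enabled vesta 2>/dev/null || true)"
    fi

    return "$hits"
}
```

A hit on `/usr/lib/libudev.so` needs a look at the `ls` output, since on some systems a development package installs a symlink with that name.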