  1. #1
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,379

    VestaCP zero-day exploit

    VestaCP's users have detected their servers are being hacked and used in botnets due to a new exploit, verified by VestaCP team members.

    If you are running VestaCP, locate the file /etc/cron.hourly/gcc.sh. If it exists, your server has been compromised and you will need to reinstall it.

    If it doesn't exist, run the following commands to disable VestaCP:

    service vesta stop
    systemctl stop vesta


    You may also disable access to the port 8083 in your firewall to prevent access to the web interface of the control panel.

    The exploit is thought to be in the API that runs as root and uses an unfiltered password field that can be compromised with malicious code. This hasn't been verified yet.

    Sources and further info:
    https://forum.vestacp.com/viewtopic....art=180#p68752
    https://www.lowendtalk.com/discussio...eroday-exploit
    https://hostballs.com/t/potential-ve...roday-exploit/
    Fraud Record - Stop Fraud Clients, Report Abusive Customers.
    █ Combine your efforts to fight misbehaving clients.

    HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
    █ Large and awesome portfolio, just visit and see!

  2. #2
    Join Date
    Mar 2014
    Location
    United States
    Posts
    206

    VestaCP 0-Day Exploit - Patch Released

    A PATCH has been released for this: https://forum.vestacp.com/viewtopic....art=260#p68893

    The fix has been released just now!
    As usual there are 3 ways to update your server:

    1. Via web interface
    - Login as admin
    - Go to updates tab
    - Click on update button under vesta package

    2. Via package manager
    - SSH as root to your server
    - yum update / apt-get update && apt-get upgrade

    3. Via GitHub
    - SSH as root
    - Install git: yum install git / apt-get install git
    - Then run following commands

    Code:
    cd $(mktemp -d)
    git clone git://github.com/serghey-rodin/vesta.git
    /bin/cp -rf vesta/* /usr/local/vesta/

    Some information about this incident. We still don't have a working exploit for the previous version. But we know for sure that the vector of attack was through a potentially insecure password check method. Therefore we have completely rewritten the password auth function. It's bulletproof now!

    Please upgrade your servers as soon as possible.
    Quick and Easy Servers - QnEZ - 732-907-9030 - replummer@qnez.net
    DirectAdmin based hosting solutions and Cloud VPS - Registered Softaculous NOC

  3. #3
    Join Date
    Mar 2014
    Location
    United States
    Posts
    206
    If for some reason you cannot format/reinstall your server (which is always recommended once exploited) and you are sure you were exploited, there is a thread on SuperUser with info on how to start removing the 10Bit String Trojan that was installed on many servers. https://superuser.com/questions/8778...004724#1004724

  4. #4
    Join Date
    Feb 2011
    Location
    Thailand
    Posts
    4
    Thank you for this. If you are not sure whether you are infected or not, please look at the following locations.

    ls /etc/cron.hourly/
    ls /lib/
    ls /etc/rc.*
    ls /etc/systemd/*
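    The indicator from post #1 (/etc/cron.hourly/gcc.sh), the listing of persistence locations in post #4 and the containment steps from post #1 (stop the panel, block port 8083) combined into one triage script. This is an added example, not code posted in the thread or shipped by VestaCP; the function names are hypothetical, the ROOT argument is an assumption that lets the same checks run against a mounted disk image or a constructed test tree instead of the live filesystem, and the sample file names used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: defender-side triage for the indicators
# named in posts #1 and #4. ROOT is "/" on a live host, or the mount point of a
# disk image / a constructed test tree. Nothing here deletes anything; the
# thread's advice (reinstall when gcc.sh exists) still stands.
# Function names are hypothetical and chosen here for illustration.

# Exit 0 when the cron dropper named in post #1 exists under ROOT, else 1.
vesta_ioc_present() {
    root="${1:-/}"
    [ -f "$root/etc/cron.hourly/gcc.sh" ]
}

# One-word verdict: "compromised" if the indicator is present, otherwise
# "no-indicator" (absence of one known file does not prove a clean host).
vesta_triage() {
    if vesta_ioc_present "$1"; then
        echo compromised
    else
        echo no-indicator
    fi
}

# List regular files changed within DAYS under the persistence locations
# post #4 asks to review: /etc/cron.hourly, /lib, /etc/rc.*, /etc/systemd.
vesta_recent_persistence() {
    root="${1:-/}"
    days="${2:-7}"
    for d in "$root/etc/cron.hourly" "$root/lib" "$root"/etc/rc.* "$root/etc/systemd"; do
        [ -d "$d" ] || continue        # missing directory or unmatched glob
        find "$d" -type f -mtime "-$days" 2>/dev/null
    done
    return 0
}

# Count of such files, a quick "did anything change recently?" signal.
vesta_recent_count() {
    vesta_recent_persistence "$@" | wc -l | tr -d ' '
}

# Containment from post #1: stop the panel service and drop inbound 8083.
# Set DRY_RUN=1 to print the commands instead of executing them.
vesta_contain() {
    run="${DRY_RUN:+echo}"
    $run service vesta stop 2>/dev/null || $run systemctl stop vesta
    $run iptables -I INPUT -p tcp --dport 8083 -j DROP
}

# Usage on a live host (as root):
#   vesta_triage /; vesta_recent_persistence / 7; DRY_RUN=1 vesta_contain
```

    Run the triage first and keep the listing as evidence; the containment function is only a stopgap for a host that shows no indicator yet, since a host where gcc.sh is present should be rebuilt rather than cleaned in place.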

  5. #5
    DigitalOcean notified of this. I have a $5 plan with them just for testing and was using VestaCP.
    Really nasty exploit but it was caught quickly. DO blocked VestaCP port almost immediately.
    HostaPolis : Awesome & Affordable hosting plans with 24/7/365 Support

  6. #6
    Join Date
    Mar 2010
    Location
    CMYK-Land
    Posts
    1,400
    Quote Originally Posted by HostaPolis View Post
    DO blocked VestaCP port almost immediately.
    That's great, so we don't have a new version of Kloxo and zero day exploit.
    - I often come to the conclusion that my brain has too many tabs open. -
    Failing at desktop publishing & graphic design since 1994
    .
    Pretty soon we can expect hosting companies offering "double unlimited"
    or
    "not limited unlimited with no limits".

  7. #7
    Join Date
    Mar 2003
    Location
    Canada
    Posts
    9,072
    VestaCP is pretty bad.

    I've been hacking on it for the last hour... many vulnerabilities, lol. I will send the details off later to the developers...
    RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca

    www.HostingSecList.com - Security Notices for the Hosting Community.

  8. #8
    Join Date
    Feb 2006
    Location
    Kusadasi, Turkey
    Posts
    3,379
    Quote Originally Posted by Patrick View Post
    VestaCP is pretty bad.

    I've been hacking on it for the last hour... many vulnerabilities, lol. I will send the details off later to the developers...
    If you are on the job, the developers will end up quitting with severe depression
