Thread: VestaCP zero-day exploit
-
04-08-2018, 12:10 PM #1 Web Hosting Master
VestaCP zero-day exploit
VestaCP's users have detected their servers are being hacked and used in botnets due to a new exploit, verified by VestaCP team members.
If you are running VestaCP, look for the file /etc/cron.hourly/gcc.sh. If it exists, your server has been compromised and you will need to reinstall the server.
If it doesn't exist, run the following commands to disable VestaCP:
service vesta stop
systemctl stop vesta
You may also disable access to the port 8083 in your firewall to prevent access to the web interface of the control panel.
The exploit is thought to be in the API that runs as root and uses an unfiltered password field that can be compromised with malicious code. This hasn't been verified yet.
Sources and further info:
https://forum.vestacp.com/viewtopic....art=180#p68752
https://www.lowendtalk.com/discussio...eroday-exploit
https://hostballs.com/t/potential-ve...roday-exploit/
█ Fraud Record - Stop Fraud Clients, Report Abusive Customers.
█ Combine your efforts to fight misbehaving clients.
█ HarzemDesign - Highest quality, well designed and carefully coded hosting designs. Not cheap though.
█ Large and awesome portfolio, just visit and see!
-
04-09-2018, 12:05 AM #2 Junior Guru
VestaCP 0-Day Exploit - Patch Released
A PATCH has been released for this: https://forum.vestacp.com/viewtopic....art=260#p68893
The fix has been released just now!
As usual, there are 3 ways to update your server:
1. Via web interface
- Login as admin
- Go to updates tab
- Click on the update button under the vesta package
2. Via package manager
- SSH as root to your server
- yum update / apt-get update && apt-get upgrade
3. Via GitHub
- SSH as root
- Install git / yum install git / apt-get install git
- Then run the following commands
Code:
cd $(mktemp -d)
git clone git://github.com/serghey-rodin/vesta.git
/bin/cp -rf vesta/* /usr/local/vesta/
Please upgrade your servers as soon as possible.
Quick and Easy Servers - QnEZ - 732-907-9030 - replummer@qnez.net
DirectAdmin based hosting solutions and Cloud VPS - Registered Softaculous NOC
-
04-09-2018, 12:23 AM #3 Junior Guru
If for some reason you can not format/reinstall your server (which is always recommended once exploited) and you are sure you were exploited, there is a thread on SuperUser with info on how to start removing the 10Bit String Trojan that was installed on many servers. https://superuser.com/questions/8778...004724#1004724
-
04-10-2018, 06:49 PM #4 New Member
Thank you for this. If you are not sure whether you are infected or not, please look at the following locations.
ls /etc/cron.hourly/
ls /lib/
ls /etc/rc.*
ls /etc/systemd/*
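The checks from the posts above (the /etc/cron.hourly/gcc.sh indicator and the directories worth inspecting) combined into one triage script. This is an added example, not part of any poster's message; the function names, the ROOT argument (for checking a mounted disk instead of the live system) and the 7-day window are assumptions.

```shell
#!/bin/sh
# Added triage example (not from the thread). ROOT defaults to / but can point
# at a mounted copy of the disk so a suspect system is inspected offline.

# vesta_ioc_present ROOT: succeeds if the indicator file named in the thread exists.
vesta_ioc_present() {
    [ -e "${1%/}/etc/cron.hourly/gcc.sh" ]
}

# vesta_recent_files ROOT DAYS: print files modified within DAYS days in the
# locations listed in the thread. Modification times can be forged by an
# intruder, so an empty list is not proof of a clean system.
vesta_recent_files() {
    base="${1%/}"
    for d in "$base/etc/cron.hourly" "$base/lib" "$base"/etc/rc.* "$base/etc/systemd"; do
        [ -e "$d" ] || continue
        find "$d" -maxdepth 2 -type f -mtime "-$2" 2>/dev/null
    done
}

# vesta_triage [ROOT] [DAYS]: report findings; returns 1 if the indicator exists.
vesta_triage() {
    root="${1:-/}"; root="${root%/}"; days="${2:-7}"
    if vesta_ioc_present "$root"; then
        echo "COMPROMISED: $root/etc/cron.hourly/gcc.sh exists; plan a reinstall"
        rc=1
    else
        echo "indicator file not found under ${root:-/}"
        rc=0
    fi
    echo "files changed in the last $days days in the listed locations:"
    vesta_recent_files "$root" "$days" | sed 's/^/  /'
    return "$rc"
}

# Runs only when arguments are given, e.g.: sh triage.sh / 7
if [ "$#" -gt 0 ]; then
    vesta_triage "$@"
fi
```
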
-
04-10-2018, 09:22 PM #5 Junior Guru
DigitalOcean notified of this. I have a $5 plan with them just for testing and was using VestaCP.
Really nasty exploit but it was caught quickly. DO blocked VestaCP port almost immediately.
HostaPolis : Awesome & Affordable hosting plans with 24/7/365 Support
-
04-11-2018, 12:31 AM #6 Caffeine addict
- I often come to the conclusion that my brain has too many tabs open. -
Failing at desktop publishing & graphic design since 1994.
Pretty soon we can expect hosting companies offering "double unlimited"
or "not limited unlimited with no limits".
-
04-11-2018, 09:07 PM #7 Web Hosting Master
VestaCP is pretty bad.
I've been hacking on it for the last hour... many vulnerabilities, lol. I will send the details off later to the developers...
RACK911 Labs | Penetration Testing | https://www.RACK911Labs.ca
www.HostingSecList.com - Security Notices for the Hosting Community.
-
04-12-2018, 07:26 AM #8 Web Hosting Master