VestaCP hit with zero-day exploit [May 19 Security Update]
Lots of users on the forum reporting their boxes were hacked. VestaCP team members suggest shutting down the vesta service on your box until they can figure it out and release a patch.
https://forum.vestacp.com/viewtopic.php?f=10&t=16556
Double check your /etc/cron.hourly folder for a file named gcc.sh - you don't want to see that file there.
None of my boxes seem to be impacted, but disable the vesta service:
service vesta stop / systemctl stop vesta
And make sure your admin panel (:8083) isn't loading. Better to be safe than sorry.
April 10 Update: Unclear if the patch resolved the exploit. The VestaCP team has not produced confirmed details on the attack vector and has not been able to reproduce the attack. Harden your VestaCP installs by keeping the vesta service offline and/or locking down admin ports in the firewall.
Patch Release!
Patch was just released, hard to tell if this is the final fix though:
https://forum.vestacp.com/viewtopic.php?f=10&t=16556&start=260#p68893
The fix has been released just now!
As usual there are 3 ways to update your server:
1. Via web interface
- Login as admin
- Go to updates tab
- Click the update button under vesta package
2. Via package manager
- SSH as root to your server
- yum update / apt-get update && apt-get upgrade
3. Via GitHub
- SSH as root
- Install git (yum install git / apt-get install git)
- Then run the following commands:
cd $(mktemp -d)
git clone git://github.com/serghey-rodin/vesta.git
/bin/cp -rf vesta/* /usr/local/vesta/
Some information about this incident. We still don't have a working exploit for the previous version. But we know for sure that the vector of attack was through a potentially insecure password check method. Therefore we have completely rewritten the password auth function. It's bulletproof now!
Please upgrade your servers as soon as possible.
Comments
Stickying this for the time being. Hosts and users alike, do your part to secure your machines.
Tagged on a quick edit. Look for a gcc.sh file in your cron folders, specifically cron.hourly.
Definitely disable the vesta service to cover your ass.
How long until the 'I'm losing MILLIONS every hour because of Vesta' posts?
I'm losing MILLIONS every hour because of Vesta.
Vesta plans, on pause.
I'm losing MILLIONS every hour because of someone posting "I'm losing MILLIONS every hour because of Vesta"
I'm losing MILLIONS every hour because of someone posting "I'm losing MILLIONS every hour because of someone posting "I'm losing MILLIONS every hour because of Vesta""
Anti-Hack worked quickly and immediately.
But VPS immediately went to SUSPENSION.
The servers are in rescue-pro.
IP is just blocked by anti-hack.
My Vesta box was hit this morning. Not what I wanted to spend my Saturday on but I ended up migrating to a fully self-setup stack... with Vesta's glacial update pace (one single update in the entirety of 2017!) I wouldn't expect a quick fix.
I didn't get hit. Maybe because I'm not running on their standard ports. I shut down Vesta altogether to be sure. Curious to see what they find. Thanks for letting us know.
Good thing I don't use any panels :^)
Non-standard ports sounds like a good move in general. One box I have admin & FTP ports locked down to my IPs as well. Disabled the panel completely for good measure though.
Disabled Vesta service on our shared hosting until this is fixed. Thanks.
Well, what a shame. Hopefully nobody leaked anything important with this zero day exploit. Stick to cPanel or straight vanilla/console.
Some of my friends are using VestaCP because it's the easiest to manage; I'll notify them. Thanks.
They'll probably put some effort into fixing this bug in a reasonable timeframe. If they don't I'll move away from them as well. Free or not, there's no use in having a panel when the authors themselves advise you to disable it.
Update from one of the VestaCP team members: https://forum.vestacp.com/viewtopic.php?f=10&t=16556&start=60#p68594
what a nightmare
PS @harambe: can't tell you how grateful I am for you posting this here, helped me contain it quickly a lot!!
I am investigating from my end as much as possible, as I had two infected boxes too. Will write an update once I find more information (if any).
If you see the gcc.sh, note the timestamp and check for files with the same timestamp or changed from then.
The binary might also be found in /lib/libudev.so instead of /usr/lib/libudev.so.
It seems like it takes a while for the hack to spread into the system. On a second VM I also found a modified /etc/crontab and a file in /etc/init.d and /usr/bin, which were not there for the former VM. So make sure to check closely.
Still can't tell how they got in, but from the looks of it, it has to be the separate vesta service (nginx/php-fpm) itself, maybe an API call?
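The host checks from the original post (gcc.sh in /etc/cron.hourly) and from the comment above (libudev.so in /lib or /usr/lib, pivoting on the gcc.sh timestamp to find /etc/crontab, /etc/init.d and /usr/bin changes) pulled together into one read-only sweep. This is an added example, not code from the thread, the original poster or the VestaCP project. It assumes a Linux host with GNU coreutils (stat -c %Y); the ROOT argument and WINDOW_MINUTES are my additions so the same script can run against "/" on a live box or against a rescue-mode mount such as /mnt/rescue, and the sweep of cron.daily/weekly/monthly/cron.d goes slightly beyond the thread, which only names cron.hourly.

```shell
#!/bin/sh
# Added example, not from the thread or from VestaCP: read-only sweep for the
# indicators posters reported. Assumes Linux with GNU coreutils (stat -c %Y).
# ROOT is an assumed parameter: "/" on a live host, or a rescue-mode mount point.
#
# Usage: vesta_ioc_sweep ROOT [WINDOW_MINUTES]
# Prints one "IOC <kind> <path>" line per finding; inspects only, changes nothing.

vesta_ioc_sweep() {
    root="${1%/}"           # "/" becomes "", so "$root/etc" is still a valid path
    window="${2:-60}"       # minutes either side of gcc.sh's mtime treated as related
    pivot=""

    # 1. gcc.sh in a cron directory: the dropper every infected poster found.
    #    The thread names cron.hourly; the other cron dirs are checked as well.
    for d in cron.hourly cron.daily cron.weekly cron.monthly cron.d; do
        f="$root/etc/$d/gcc.sh"
        if [ -e "$f" ]; then
            echo "IOC cron-dropper $f"
            pivot="$f"
        fi
    done

    # 2. The payload was reported as libudev.so in /lib or /usr/lib.
    for f in "$root/lib/libudev.so" "$root/usr/lib/libudev.so"; do
        if [ -e "$f" ]; then
            echo "IOC dropped-binary $f"
        fi
    done

    # 3. Timestamp pivot ("note the timestamp"): anything in /etc/crontab,
    #    /etc/init.d or /usr/bin modified within the window around gcc.sh's mtime.
    if [ -n "$pivot" ]; then
        t=$(stat -c %Y "$pivot")
        lo=$((t - window * 60))
        hi=$((t + window * 60))
        for p in "$root/etc/crontab" "$root/etc/init.d" "$root/usr/bin"; do
            [ -e "$p" ] || continue
            find "$p" -type f 2>/dev/null | while IFS= read -r f; do
                m=$(stat -c %Y "$f")
                if [ "$m" -ge "$lo" ] && [ "$m" -le "$hi" ]; then
                    echo "IOC near-pivot $f"
                fi
            done
        done
    fi
}

# Run directly:  sh sweep.sh /          or   sh sweep.sh /mnt/rescue 120
if [ $# -gt 0 ]; then
    vesta_ioc_sweep "$@"
fi
```

A hit on any line is a reason to treat the box as compromised rather than to clean it up in place; the thread's own advice (rebuild, or hand the install to the Vesta devs) still stands. On a live host, follow the sweep by confirming the panel is really down, e.g. ss -ltnp | grep ':8083', since the original post says to stop the vesta service, not merely to firewall the port.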
I was also using it because it was easy to manage. Just basic setup, no real site and I still lost millions.
Anyway @Harambe thanks for posting this.
It often seems that people choose cPanel if they want to pay, otherwise they choose Vesta, often saying that it's not so great (by the way, does Vesta support IPv6 yet?). Just curious: why not choose one of the other (good) free panels instead of Vesta, such as Froxlor or Webmin/Virtualmin or CentOS Web Panel?
(I don't have a lot of experience with different panels.)
I'd say it comes down to preferences. Vestacp offers easy installation/customisation/configuration and security issues can be found in any panel. Many people do use other panels especially virtualmin.
No worries man. Figured more than a few folks here also use VestaCP, don't want anyone getting pwned if it can be prevented.
Also: to anyone who was infected, please consider joining the vesta forum and helping the devs get to the bottom of this. They've had a couple releases in the past few months, which is a nice change after a year w/o a release, and seem keen on getting this fixed.
So if you have any info to contribute or can give them access to a pwned install, please consider sharing it directly.
Found 'em, on the VestaCP forum thread
What would be the criteria for choosing one?
Anyone can do a simple search for vulnerabilities and land on something like this:
Webmin has the most. So how do you decide then?
Okay, fine, if those pages are taken as definitive, then Vesta has only ever had one security vulnerability until now, so I guess that on that basis, I would choose it as well.
This from two years ago:
https://stackoverflow.com/questions/36623596/is-this-file-gcc-sh-in-cron-hourly-malware
I wonder whether it's related.
Yep, they're using a variant of Xor DDoS - https://en.wikipedia.org/wiki/Xor_DDoS
Not sure about taking them as definitive but I was just asking how to know which panel is good and which is not?
Only have one VestaCP box and its 8083 port is closed off in the firewall... but this is somewhat concerning, so I stopped the entire vesta service as recommended. Thanks for sharing.
Of course, I wasn't entirely serious about "definitive", but the number of (discovered) security vulnerabilities could be used as a criterion for choosing between the free panels (why not?). :-) This said, I find it hard to believe that Vesta has only had one security vulnerability until now ...