VestaCP hit with zeroday exploit [May 19 Security Update]

Harambe Member, Host Rep
edited May 2018 in General

Lots of users on the forum reporting their boxes were hacked. VestaCP team members suggest shutting down the vesta service on your box until they can figure it out and release a patch.

https://forum.vestacp.com/viewtopic.php?f=10&t=16556

Double check your /etc/cron.hourly folder for a file named gcc.sh - you don't want to see that file there.

None of my boxes seem to be impacted, but disable the vesta service:

service vesta stop / systemctl stop vesta

And make sure your admin panel (:8083) isn't loading. Better to be safe than sorry.

April 10 Update: Unclear if the patch resolved the exploit. The VestaCP team has not produced confirmed details on the attack vector and has not been able to reproduce the attack. Harden your VestaCP installs by keeping the vesta service offline and/or locking down admin ports in the firewall.


Patch Release!

Patch was just released, hard to tell if this is the final fix though:

https://forum.vestacp.com/viewtopic.php?f=10&t=16556&start=260#p68893

The fix has been released just now!
As usual, there are 3 ways to update your server:

1 Via web interface

  • Login as admin
  • Go to updates tab
  • Click the update button under the vesta package

2 Via package manager

  • SSH as root to your server
  • yum update / apt-get update && apt-get upgrade

3 Via GitHub

  • SSH as root
  • Install git / yum install git /apt-get install git
  • Then run following commands

    cd $(mktemp -d)
    git clone git://github.com/serghey-rodin/vesta.git
    /bin/cp -rf vesta/* /usr/local/vesta/

Some information about this incident. We still don't have a working exploit for the previous version. But we know for sure that the vector of attack was through a potentially insecure password check method. Therefore we have completely rewritten the password auth function. It's bullet proof now!

Please upgrade your servers as soon as possible.


Comments

  • MasonR Community Contributor

    Stickying this for the time being. Hosts and users alike, do your part to secure your machines.

  • Harambe Member, Host Rep

    Tagged on a quick edit. Look for a gcc.sh file in your cron folders, specifically cron.hourly.

    Definitely disable the vesta service to cover your ass.

  • How long until the 'I'm losing MILLIONS every hour because of Vesta' posts?

  • I'm losing MILLIONS every hour because of Vesta.

  • Vesta plans, on pause.

  • @austenite said:
    How long until the 'I'm losing MILLIONS every hour because of Vesta' posts?

    I'm losing MILLIONS every hour because of someone posting "I'm losing MILLIONS every hour because of Vesta"

    Thanked by 1austenite
  • I'm losing MILLIONS every hour because of someone posting "I'm losing MILLIONS every hour because of someone posting "I'm losing MILLIONS every hour because of Vesta""

  • Vova1234 Member, Patron Provider
    edited April 2018

    Anti-Hack worked quickly and immediately.

    But VPS immediately went to SUSPENSION.

    The servers are in rescue-pro.

    IP is just blocked by anti-hack.

  • Dylan Member
    edited April 2018

    My Vesta box was hit this morning. Not what I wanted to spend my Saturday on but I ended up migrating to a fully self-setup stack... with Vesta's glacial update pace (one single update in the entirety of 2017!) I wouldn't expect a quick fix.

  • Saragoldfarb Member
    edited April 2018

    I didn't get hit. Maybe because I'm not running on their standard ports. I shut down Vesta altogether to be sure. Curious to see what they find. Thanks for letting us know.

  • Good thing I don't use any panels :^)

    Thanked by 1ariq01
  • Harambe Member, Host Rep

    @Saragoldfarb said:
    I didn't get hit. Maybe because I'm not running on their standard ports. I shut down Vesta altogether to be sure. Curious to see what they find. Thanks for letting us know.

    Non-standard ports sounds like a good move in general. One box I have admin & FTP ports locked down to my IPs as well. Disabled the panel completely for good measure though.

    Thanked by 1Saragoldfarb
  • Radi Host Rep, Veteran

    Disabled Vesta service on our shared hosting until this is fixed. Thanks.

  • Hxxx Member

    Well, what a shame. Hopefully nobody leaked anything important with this zero day exploit. Stick to cPanel or straight vanilla/console.

  • Some of my friends are using VestaCP because it is the easiest to manage; I'll notify them. Thanks.

  • @Dylan said:
    My Vesta box was hit this morning. Not what I wanted to spend my Saturday on but I ended up migrating to a fully self-setup stack... with Vesta's glacial update pace (one single update in the entirety of 2017!) I wouldn't expect a quick fix.

    They'll probably put some effort in fixing this bug in a reasonable timeframe. If they don't I'll move away from them as well. Free or not, there's no use in having panel when the authors themselves advise you to disable it :)

  • Harambe Member, Host Rep
    edited April 2018

    Update from one of the VestaCP team members: https://forum.vestacp.com/viewtopic.php?f=10&t=16556&start=60#p68594

    Here is what we know so far:
    1. The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh
    2. It was an automated hack
    3. CentOS, Debian, Ubuntu: all distros are affected, it's platform independent
    4. We didn't find any traces in vesta and system logs yet
    5. On April 7 infected servers started to DDoS remote hosts using /usr/lib/libudev.so.

    What you can do:
    The best way to stay safe is to temporarily disable the vesta web service

    service vesta stop

    systemctl disable vesta

    or limit access to port 8083 using firewall

    What we are doing:
    A few users provided us with root access to their servers. We are investigating what happened. We also launched a couple of honeypots in order to get the full picture of the hack.

  • Falzo Member
    edited April 2018

    what a nightmare :(

    PS @harambe: can't tell you how grateful I am for you posting this here, it helped me a lot to contain it quickly!!

    I am investigating from my end as much as possible as I had two infected boxes too. Will write an update once I find more information (if any).

    If you see the gcc.sh, note the timestamp and check for files with the same timestamp or changed since then.
    The binary might also be found in /lib/libudev.so instead of /usr/lib/libudev.so.
    It seems like it takes a while for the hack to spread into the system. On a second VM I also found a modified /etc/crontab and a file in /etc/init.d and /usr/bin, which were not there for the former VM. So make sure to check closely.

    still can't tell how they got in, but from the looks of it, it has to be the separate vesta-service (nginx/php-fpm) itself, maybe an API call?

    Thanked by 2mehargags Ympker
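The gcc.sh, libudev.so and timestamp checks from Harambe's post, the team update and Falzo's post above, gathered into one triage script. This is an added example, not code from the thread or from the VestaCP project; it assumes GNU coreutils/findutils (CentOS, Debian, Ubuntu) and takes the root to inspect as an argument, so a mounted rescue image can be checked the same way as a live system.

```shell
#!/bin/sh
# Added triage check (not from the thread or the VestaCP project). Looks for the
# indicators named in the thread: /etc/cron.hourly/gcc.sh, a libudev.so dropped
# in /lib or /usr/lib and, if the cron file exists, any other file in the usual
# drop locations (/etc, /usr/bin, /lib, /usr/lib) modified within 10 minutes of
# it (Falzo's "same timestamp" advice). Assumes GNU stat/touch/find.
# Usage: vesta_ioc_check [ROOT]   (ROOT defaults to /, e.g. a rescue mount)
# Prints one "INDICATOR: path" line per hit; exit status 1 if anything is found.

vesta_ioc_check() {
    root="${1:-/}"
    root="${root%/}"          # "/" -> "" so "$root/etc" is always "/etc"
    found=0

    for rel in etc/cron.hourly/gcc.sh lib/libudev.so usr/lib/libudev.so; do
        if [ -e "$root/$rel" ]; then
            echo "INDICATOR: $root/$rel"
            found=$((found + 1))
        fi
    done

    ref="$root/etc/cron.hourly/gcc.sh"
    if [ -f "$ref" ]; then
        # Two reference files bracket the dropper's mtime by +/- 600 s, so find
        # can list everything changed in that window (files found above may
        # appear again here; that is expected).
        epoch=$(stat -c %Y "$ref")
        lo=$(mktemp) && touch -d "@$((epoch - 600))" "$lo"
        hi=$(mktemp) && touch -d "@$((epoch + 600))" "$hi"
        dirs=""
        for d in etc usr/bin lib usr/lib; do
            [ -d "$root/$d" ] && dirs="$dirs $root/$d"
        done
        # word-splitting of $dirs is intended; errors (unreadable dirs) ignored
        hits=$(find $dirs -type f -newer "$lo" ! -newer "$hi" ! -path "$ref" 2>/dev/null || true)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits" | sed 's/^/INDICATOR (modified within 10 min of gcc.sh): /'
            found=$((found + $(printf '%s\n' "$hits" | wc -l)))
        fi
        rm -f "$lo" "$hi"
    fi

    [ "$found" -eq 0 ]
}
```

Run it as root on the live box (`vesta_ioc_check`) or against a rescue mount (`vesta_ioc_check /mnt/sysroot`); a non-zero exit means the host should be treated as compromised and rebuilt rather than cleaned in place.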
  • scorcher9 Member
    edited April 2018

    I was also using it because it was easy to manage.

    Just basic setup, no real site and I still lost millions.

    Anyway @Harambe thanks for posting this.

  • angstrom Moderator

    It often seems that people choose cPanel if they want to pay, otherwise they choose Vesta, often saying that it's not so great (by the way, does Vesta support IPv6 yet?). Just curious: why not choose one of the other (good) free panels instead of Vesta, such as Froxlor or Webmin/Virtualmin or CentOS Web Panel?

    (I don't have a lot of experience with different panels.)

    Thanked by 3Saragoldfarb v3ng lazyt
  • angstrom said: Vesta

    I'd say it comes down to preferences. Vestacp offers easy installation/customisation/configuration and security issues can be found in any panel. Many people do use other panels especially virtualmin.

    Thanked by 1angstrom
  • Harambe Member, Host Rep
    edited April 2018

    @Falzo said:
    what a nightmare :(

    PS @harambe: can't tell you how grateful I am for you posting this here, helped me contain it quickly a lot!!

    No worries man. Figured more than a few folks here also use VestaCP, don't want anyone getting pwned if it can be prevented.

    Also: to anyone who was infected, please consider joining the vesta forum and helping the devs get to the bottom of this. They've had a couple releases in the past few months, which is a nice change after a year w/o a release, and seem keen on getting this fixed.

    So if you have any info to contribute or can give them access to a pwned install, please consider sharing it directly.

    Thanked by 2MasonR mehargags
  • Harambe Member, Host Rep

    @austenite said:
    How long until the 'I'm losing MILLIONS every hour because of Vesta' posts?

    Found 'em, on the VestaCP forum thread

  • angstrom said: why not choose one of the other (good) free panels

    What would be the criteria for choosing one?

    Anyone can do a simple search for vulnerabilities and land on something like this:

    Vesta:
    https://www.cvedetails.com/vulnerability-list/vendor_id-15494/product_id-31935/Vestacp-Vesta-Control-Panel.html
    
    Froxlor:
    https://www.cvedetails.com/vulnerability-list/vendor_id-16113/Froxlor.html
    
    Webmin:
    https://www.cvedetails.com/vulnerability-list/vendor_id-358/Webmin.html
    

    Webmin has the most. So how do you decide then?

    Thanked by 1angstrom
  • angstrom Moderator

    @scorcher9 said:

    angstrom said: why not choose one of the other (good) free panels

    What would be the criteria for choosing one?

    Anyone can do a simple search for vulnerabilities and land on something like this:

    Vesta:
    https://www.cvedetails.com/vulnerability-list/vendor_id-15494/product_id-31935/Vestacp-Vesta-Control-Panel.html
    
    Froxlor:
    https://www.cvedetails.com/vulnerability-list/vendor_id-16113/Froxlor.html
    
    Webmin:
    https://www.cvedetails.com/vulnerability-list/vendor_id-358/Webmin.html
    

    Webmin has the most. So how do you decide then?

    Okay, fine, if those pages are taken as definitive, then Vesta has only ever had one security vulnerability until now, so I guess that on that basis, I would choose it as well.

    Thanked by 1scorcher9
  • angstrom Moderator

    This from two years ago:

    https://stackoverflow.com/questions/36623596/is-this-file-gcc-sh-in-cron-hourly-malware

    I wonder whether it's related.

  • Harambe Member, Host Rep

    @angstrom said:

    I wonder whether it's related.

    Yep, they're using a variant of Xor DDoS - https://en.wikipedia.org/wiki/Xor_DDoS

    Thanked by 1angstrom
  • angstrom said: Okay, fine, if those pages are taken as definitive, then Vesta has only ever had one security vulnerability until now, so I guess that on that basis, I would choose it as well.

    Not sure about taking them as definitive but I was just asking how to know which panel is good and which is not?

  • HBAndrei Member, Top Host, Host Rep

    Only have one VestaCP box and its 8083 port is closed off in the firewall... but this is somewhat concerning, so I stopped the entire vesta service as recommended. Thanks for sharing.

  • angstrom Moderator

    @scorcher9 said:

    angstrom said: Okay, fine, if those pages are taken as definitive, then Vesta has only ever had one security vulnerability until now, so I guess that on that basis, I would choose it as well.

    Not sure about taking them as definitive but I was just asking how to know which panel is good and which is not?

    Of course, I wasn't entirely serious about "definitive", but the number of (discovered) security vulnerabilities could be used as a criterion for choosing between the free panels (why not?). :-) This said, I find it hard to believe that Vesta has only had one security vulnerability until now ...
