Sunday, 8 April 2018

VestaCP hit by 0-day exploit


It seems that VestaCP has been hit by a 0-day exploit. Many users reported on the VestaCP forums that their hosting accounts were suspended and their servers were compromised.
The exploit makes the compromised server attack a Chinese IP. It looks like a DDoS trojan: a shell script (gcc.sh) is loaded from cron.hourly and launches DDoS attacks against other servers.
Deleting the cron entry or the file it loads won't help much, since the vulnerability is inside VestaCP itself. VestaCP recommends shutting down its service with the following commands:
service vesta stop      (Debian/Ubuntu)
systemctl stop vesta    (Red Hat/CentOS)
Once you have stopped the service, we recommend limiting inbound and outbound access to port 8083.
This DDoS trojan has been around for many years, but it had not been seen exploiting a hosting panel before. Even if VestaCP releases a patch, there is a serious possibility that you will need to re-install your server OS from scratch, so make sure your backups are accessible and current.
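The triage steps above (look for the gcc.sh dropper under cron, stop the vesta service, cut off port 8083) as a small POSIX shell helper. This is an added example, not code from the original post or from the VestaCP project; the function names, the cron directory argument and the iptables rules are my own choices.

```shell
#!/bin/sh
# Added example (not from the post or VestaCP): triage helpers for the
# gcc.sh cron dropper described above. Directories and distro IDs are
# passed as arguments so the checks can be run against a copied tree.

# Return 0 and print matching files if anything under the given cron
# directory is named gcc.sh or references it; return 1 if nothing matches.
find_gcc_cron() {
    cron_dir="$1"
    hits=$( { find "$cron_dir" -type f -name 'gcc.sh' 2>/dev/null;
              grep -rl 'gcc\.sh' "$cron_dir" 2>/dev/null; } | sort -u )
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
    return 0
}

# Print the service-stop command from the advisory for a distro ID
# (the ID= value from /etc/os-release); unknown IDs return 1.
vesta_stop_cmd() {
    case "$1" in
        debian|ubuntu)      echo "service vesta stop" ;;
        centos|rhel|fedora) echo "systemctl stop vesta" ;;
        *) echo "unknown distro: $1" >&2; return 1 ;;
    esac
}

# Print iptables rules that drop inbound and outbound TCP on the panel
# port (8083 by default). Printed, not executed, so they can be reviewed.
block_panel_port() {
    port="${1:-8083}"
    echo "iptables -I INPUT  -p tcp --dport $port -j DROP"
    echo "iptables -I OUTPUT -p tcp --dport $port -j DROP"
}
```

Run `find_gcc_cron /etc/cron.hourly` (and the other cron directories) as root on the affected host; a hit is an indicator the server was compromised, not a cleanup, since the post notes the vulnerability itself is in VestaCP.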
This is what VestaCP reported about the exploit:
Source: https://managewp.org/articles/17314/vestacp-hit-by-0-day-exploit



source https://williechiu40.wordpress.com/2018/04/09/vestacp-hit-by-0-day-exploit/
