
Analysis on VestaCP exploit


The first report of the exploit was posted on April 07, 2018 at 2:56 pm on VestaCP's official forum. The attackers appear to have had access to the affected servers for two to three weeks before that and left their malware, a XorDDoS variant, dormant until April 7. The compromised systems were then used to launch a DDoS attack against the IP address below:

111.231.132.129 – ISP : Beijing Faster Internet Technology Co.,Ltd

It is crucial that you take any server running VestaCP offline immediately and do the following:

– Check for the presence of malware: look in /etc/cron.hourly for a file called gcc.sh
– Run an antivirus scan (ClamAV can pick this malware up)
– Reinstall if necessary
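A check for the indicator named above, as an added example (this script is mine, not code from the post or from the VestaCP project): it looks for /etc/cron.hourly/gcc.sh and for any other cron entry that references gcc.sh, prints what it finds, and returns non-zero when the host shows the indicator. The optional ROOT argument is an assumption of this script so that it can also be pointed at a mounted disk image; the post itself only describes checking the live host.

```shell
#!/bin/sh
# Added example (not code from the post or from VestaCP): look for the cron-based
# indicator reported for this incident, /etc/cron.hourly/gcc.sh, plus any other cron
# entry that refers to gcc.sh. ROOT is an assumption of this script: leave it empty to
# inspect the live host, or pass the mount point of a disk image taken from it.

check_vestacp_indicators() {
    root="${1:-}"
    hits=0

    ioc="$root/etc/cron.hourly/gcc.sh"
    if [ -e "$ioc" ]; then
        echo "INDICATOR: $ioc is present"
        ls -l "$ioc"
        # Show the start of the dropper so the analyst can see what it launches.
        sed -n '1,5p' "$ioc"
        hits=$((hits + 1))
    fi

    # The hourly job can also be wired in elsewhere; flag any cron file naming gcc.sh.
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* "$root"/var/spool/cron/* \
             "$root"/var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        if grep -q 'gcc\.sh' "$f" 2>/dev/null; then
            echo "INDICATOR: $f references gcc.sh"
            hits=$((hits + 1))
        fi
    done

    if [ "$hits" -eq 0 ]; then
        echo "clean: no gcc.sh cron indicator under ${root:-/}"
        return 0
    fi
    echo "$hits indicator(s) found under ${root:-/}; treat the host as compromised"
    return 1
}

# Stand-alone use: sh check_gcc_sh.sh            (live host)
#                  sh check_gcc_sh.sh /mnt/image (offline image)
check_vestacp_indicators "${1:-}"
```

A clean result from this script only means the one indicator the forum reported is absent; it is not proof the host is clean, which is why the post still advises an antivirus scan and, where in doubt, a reinstall. If you have a snapshot or disk image of the server, run the check against that mount point rather than trusting the tools on the live host.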

From the looks of it, nobody yet knows how the attackers compromised the systems or what exploit they used to gain entry. Although the VestaCP team has patched a few security holes, it cannot be confirmed that those were the entry point the attackers used. Continuing to use VestaCP therefore still carries a large risk. If you need to manage your web server again, it is recommended that you:
1. Lock down access to the server, in particular the control panel port and SSH, to specific IP addresses.
2. Look at other control panels, preferably commercial ones such as cPanel, which have a dedicated security review and response team.
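One way to implement the lockdown in step 1 with iptables, as an added example that is not part of the original post: the function below emits rules that accept the panel port only from an allow-listed address and drop it for everyone else. Port 8083 is VestaCP's default panel port (assumed here to be what your install uses), and 203.0.113.10 is a placeholder documentation address; both are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the post): emit iptables rules that restrict the VestaCP
# panel port to one admin address. Port 8083 is VestaCP's default (assumption that
# your install uses it); 203.0.113.10 is a documentation address used as a placeholder.

panel_lockdown_rules() {
    admin_ip="$1"
    port="${2:-8083}"
    # Accept a dotted-quad with an optional /prefix; refuse anything else rather than
    # emitting a rule with an empty or malformed source (which would match everything).
    if ! printf '%s' "$admin_ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'; then
        echo "refusing: '$admin_ip' is not an IPv4 address or CIDR range" >&2
        return 1
    fi
    case "$port" in
        ''|*[!0-9]*) echo "refusing: '$port' is not a port number" >&2; return 1 ;;
    esac
    # Insert at the head of INPUT so an earlier blanket ACCEPT cannot shadow the DROP.
    echo "iptables -I INPUT 1 -p tcp --dport $port -s $admin_ip -j ACCEPT"
    echo "iptables -I INPUT 2 -p tcp --dport $port -j DROP"
}

# Review the output, then pipe it to sh as root to apply:
#   sh panel_lockdown.sh 203.0.113.10 8083 | sudo sh
if [ "$#" -ge 1 ]; then
    panel_lockdown_rules "$@"
fi
```

The rules are inserted at positions 1 and 2 of INPUT on purpose: appending the DROP with -A would leave it behind any existing "accept everything" rule and have no effect. If the panel also listens on IPv6, repeat the same two rules with ip6tables, otherwise the port stays reachable over v6. Apply the same pattern to the SSH port, and make sure the rules are saved so they survive a reboot.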

Also, follow these threads for updates on the current status of VestaCP:

https://forum.vestacp.com/viewtopic.php?t=16556
https://www.digitalocean.com/community/questions/how-do-i-determine-the-impact-of-vestacp-vulnerability-from-april-8th-2018

Published in Web Server
