Analysis of the VestaCP exploit
The first report of the compromise was posted on April 07, 2018 at 2:56 pm on VestaCP’s official forum. The attackers appear to have gained access to the servers two to three weeks earlier and to have left their malware, a XorDDoS variant, dormant until April 7. The compromised systems were then used to launch a DDoS attack against the IP below:
111.231.132.129 – ISP: Beijing Faster Internet Technology Co., Ltd
It is crucial that you take any server running VestaCP offline immediately and do the following:
– Check for the presence of the malware: look in /etc/cron.hourly for a file called gcc.sh, the cron job this XorDDoS variant uses for persistence
– Run an antivirus scan (ClamAV can pick this malware up)
– Reinstall from a clean image if anything is found; deleting the cron job alone does not guarantee the rest of the malware is gone
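The three checks above, collected into one triage script. This is an added example, not code from the original post or from the VestaCP project. It relies only on the indicators the post gives (the `/etc/cron.hourly/gcc.sh` cron job and the DDoS target `111.231.132.129`); the directory list handed to `clamscan` is an assumed starting point, the script name `vestacp_triage.sh` is a placeholder, and the optional directory argument exists so the cron check can be pointed at a mounted copy of a suspect disk rather than the live system.

```shell
#!/bin/sh
# vestacp_triage.sh: added triage helper for the VestaCP / XorDDoS incident
# described above; not part of the original post or of VestaCP. It checks
# the indicators the post gives: the persistence cron job
# /etc/cron.hourly/gcc.sh and traffic to the DDoS target 111.231.132.129.
# The optional directory argument lets the cron check run against a
# mounted copy of a suspect disk instead of the live system.

C2_IP="111.231.132.129"

# check_cron_dropper [DIR]
# Exit 0 if DIR/gcc.sh is absent, 1 if present. When present, prints the
# file's metadata and every absolute path it references: the cron job is
# only the persistence layer, the paths it executes are the payload to
# inspect and remove.
check_cron_dropper() {
    dir="${1:-/etc/cron.hourly}"
    f="$dir/gcc.sh"
    if [ ! -e "$f" ]; then
        echo "[ok] no $f"
        return 0
    fi
    echo "[!!] found $f"
    ls -l "$f"
    # Skip comment/shebang lines and /dev/null so only payload paths remain.
    grep -v '^#' "$f" | grep -oE '(/[A-Za-z0-9._-]+)+' | grep -vx '/dev/null' | sort -u |
    while read -r p; do
        if [ -e "$p" ]; then
            echo "     referenced path exists:    $p"
        else
            echo "     referenced path (missing): $p"
        fi
    done
    return 1
}

# check_c2_connections
# Exit 1 if any live TCP/UDP socket is talking to the DDoS target. A
# dormant bot shows nothing here, so a clean result does not clear the host.
check_c2_connections() {
    if command -v ss >/dev/null 2>&1; then
        out=$(ss -ntu 2>/dev/null | grep -F "$C2_IP" || true)
    else
        out=$(netstat -ntu 2>/dev/null | grep -F "$C2_IP" || true)
    fi
    if [ -n "$out" ]; then
        echo "[!!] live connections to $C2_IP:"
        echo "$out"
        return 1
    fi
    echo "[ok] no live connections to $C2_IP"
    return 0
}

# run_av_scan
# Recursive ClamAV scan that reports infected files only. The directory
# list is an assumed starting point (where a root-level dropper tends to
# write), not an exhaustive one; clamscan exits 1 when it finds something.
run_av_scan() {
    if ! command -v clamscan >/dev/null 2>&1; then
        echo "[--] clamscan not installed, skipping AV scan"
        return 0
    fi
    clamscan -r -i /etc /lib /usr/bin /usr/sbin /tmp /var/tmp
}

# triage [DIR]: run every check; exit 1 if any of them flagged something.
triage() {
    rc=0
    check_cron_dropper "$@" || rc=1
    check_c2_connections || rc=1
    run_av_scan || rc=1
    return $rc
}

# Run the full triage when executed as a script (sh vestacp_triage.sh),
# but not when the file is sourced to call the checks individually.
case "$0" in *vestacp_triage.sh) triage "$@" ;; esac
```

Run it as `sh vestacp_triage.sh` (or source it and call the checks one at a time); a non-zero exit means something was flagged. Note what the script cannot tell you: a bot that is sitting dormant, as this one did for weeks, shows no connections, and an absent `gcc.sh` does not prove the host is clean while the attackers' entry point is unknown, which is why the reinstall advice above stands.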
At the time of writing, nobody knows how the attackers actually compromised the systems or which exploit they used to gain entry. Although the VestaCP team has patched a few security holes, it cannot be confirmed that those were the entry point the attackers used, so continuing to use VestaCP still carries a considerable risk. If you need to manage your web server with it again, you should
1. Lock the server’s management interfaces (SSH and the control panel) down to specific IP addresses
2. Look at other control panels, if possible commercial ones such as cPanel, which have a dedicated security review and response team.
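As an added example of the first recommendation (not code from the post or from VestaCP): a small script that restricts SSH and the VestaCP panel to one administrative IPv4 address with iptables, printing the rules for review before anything is applied. Port 8083 is VestaCP’s default panel port; the admin address 203.0.113.10 and the script name `vestacp_lockdown.sh` are placeholders.

```shell
#!/bin/sh
# vestacp_lockdown.sh: added example for the "lock down to specific IP
# addresses" recommendation above; not code from the post or from VestaCP.
# It restricts SSH and the VestaCP panel to one administrative IPv4
# address with iptables. 8083 is VestaCP's default panel port; the admin
# address used in the examples (203.0.113.10) is a documentation
# placeholder. Rules are printed for review by default and only executed
# when "apply" is given.

PANEL_PORT=8083
SSH_PORT=22

# valid_ipv4 ADDR
# Syntax check for a dotted-quad IPv4 address, so a typo or a stray
# character does not turn into a rule that locks you out (or nobody out).
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;
    esac
    # Split on dots into positional parameters, then restore IFS.
    IFS=.; set -- $1; unset IFS
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ -n "$o" ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# lockdown_rules ADMIN_IP
# Prints the iptables commands, one per line. For each port a DROP is
# inserted at the top of INPUT first and the admin ACCEPT is inserted
# above it second, so the ACCEPT is evaluated before the DROP whatever the
# chain already contains. Appending with -A instead would land both rules
# below any pre-existing blanket ACCEPT for that port and change nothing.
lockdown_rules() {
    admin="$1"
    if ! valid_ipv4 "$admin"; then
        echo "lockdown_rules: invalid admin IPv4 address: '$admin'" >&2
        return 2
    fi
    for port in $SSH_PORT $PANEL_PORT; do
        printf 'iptables -I INPUT -p tcp --dport %s -j DROP\n' "$port"
        printf 'iptables -I INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$admin"
    done
}

# lockdown ADMIN_IP [apply]
# Dry run by default: prints the rules. With "apply", refuses to continue
# when the current SSH session does not originate from ADMIN_IP (applying
# would cut off the operator), then executes the rules in order.
lockdown() {
    admin="$1"
    mode="${2:-dry-run}"
    rules=$(lockdown_rules "$admin") || return $?
    if [ "$mode" != "apply" ]; then
        echo "$rules"
        return 0
    fi
    if [ -n "$SSH_CLIENT" ] && [ "${SSH_CLIENT%% *}" != "$admin" ]; then
        echo "lockdown: refusing, this session is from ${SSH_CLIENT%% *}, not $admin" >&2
        return 3
    fi
    echo "$rules" | while read -r cmd; do
        echo "+ $cmd"
        $cmd || return 4   # stop at the first rule iptables rejects
    done
}

# Run when executed as a script (sh vestacp_lockdown.sh ADMIN_IP [apply]),
# but not when the file is sourced.
case "$0" in *vestacp_lockdown.sh) lockdown "$@" ;; esac
```

Two caveats a practitioner will want: iptables rules added this way do not survive a reboot unless saved with your distribution’s persistence mechanism (iptables-save or equivalent), and VestaCP ships its own iptables-based firewall module that re-applies its ruleset, so check how your install manages iptables before relying on rules added outside it. Run the dry run first, from the address you intend to keep, and only then `apply`.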
Also, follow these threads for updates on the current status of VestaCP:
https://forum.vestacp.com/viewtopic.php?t=16556
https://www.digitalocean.com/community/questions/how-do-i-determine-the-impact-of-vestacp-vulnerability-from-april-8th-2018