VestaCP zeroday exploit

William
edited April 9 in General Discussions
VestaCP creators are currently working on a patch that would remove this vulnerability. However, for the moment, this is what has been provided by Vesta about the issue:

1. The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh
2. It was an automated hack
3. The attack was platform independent.
4. VestaCP team didn’t find any traces in Vesta and system logs yet
5. On April 7 infected servers started to DDoS remote hosts using /usr/lib/libudev.so.

As a solution, VestaCP has proposed to turn off the vestacp service. This can be done over SSH with the following commands:

service vesta stop

systemctl stop vesta

As a security measure, change the default port from 8083 to another.
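
A defender-side check for the two file paths named in the post above, as an added example that is not part of the original post or of VestaCP's own tooling. The function names, the output labels and the symlink versus regular-file distinction are assumptions of this example, and it goes slightly beyond the post by also searching cron files for references to those names.

```shell
#!/bin/sh
# Added example (not from the thread): look for the two file paths the post
# names under a filesystem root. ROOT may be / or a mounted disk image.

INDICATORS="/etc/cron.hourly/gcc.sh /usr/lib/libudev.so"

# Print "<TYPE> <path>" for every indicator path present under root.
# Assumption to verify with the package manager: a symlink at libudev.so can
# be a distribution's ordinary development link; a regular file is not.
check_indicators() {
    root="${1%/}"
    for p in $INDICATORS; do
        t="$root$p"
        if [ -L "$t" ]; then
            echo "SYMLINK $t -> $(readlink "$t")"
        elif [ -f "$t" ]; then
            echo "REGULAR $t"
        fi
    done
}

# List cron files under root that mention either indicator by name.
# Searching beyond cron.hourly is an extension of what the post reports.
cron_references() {
    root="${1%/}"
    for f in "$root"/etc/crontab "$root"/etc/cron.*/*; do
        [ -f "$f" ] || continue
        if grep -q -e 'gcc\.sh' -e 'libudev\.so' "$f"; then
            echo "CRONREF $f"
        fi
    done
}

# Run both checks; prints the findings and a final verdict line.
scan() {
    out="$(check_indicators "$1"; cron_references "$1")"
    if [ -n "$out" ]; then
        echo "$out"
        echo "RESULT review-needed"
    else
        echo "RESULT clean"
    fi
}

# Usage: sh check.sh /        (or a mounted image path instead of /)
if [ "$#" -gt 0 ]; then scan "$1"; fi
```

A clean result only means these two paths and names are absent; the post itself notes that no traces had yet been found in Vesta or system logs.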



Comments

  • tothino
    Member edited April 9
    VestaCP team released a patch (0.9.8 Release 20); they found a vulnerability in password management; changelog: hardening password checks, auth fix.
    However, I changed the default port. I need to control SSH access on port 22 by IP, and my IP is not static; it may change every few days.

    An OT question: is your web console on port 22?

  • William
    Moderator edited April 10
    For the IP restriction, in general, this is good practice, but in your case, when you have a dynamic IP, the recommendation would be to remove the IP restriction and only change the SSH port.

    As for what is related to the VestaCP vulnerability, you should also change the default 8083 port of the Vesta log-in page to another. For the patch that was released, a few possible ways of loading it on your server are provided on the VestaCP forum:

    https://forum.vestacp.com/viewtopic.php?f=10&t=16556&start=260#p68893

    Our web console is generated not via specific ports, but from the inside of the node. So restrictions on your server ports do not affect the connection through it. However, take notice that the web console should be used only in emergencies.



  • tothino
    Member
    Thanks for your answer William.
    VestaCP on my VPS autoupdated yesterday at 1:00 am, and I changed the default 8083 port for VestaCP, following a guide on the VestaCP forum (same thread); btw I'm a little scared to change the SSH port, in case something goes wrong and I lose access. I put a restriction on IP because of many tries from Chinese IPs on SSH, and I set my IP through VestaCP; however, good to know that the web console may be used in an emergency.

© 2013 - 2017 Time4VPS. All rights reserved. Powered by Vanilla
The opinions or views of users on the forum are those of the author and not of Time4VPS.