VestaCP zeroday exploit

William

VestaCP creators are currently working on patch that would remove this vulnerability. However for this moment, this is what has been provided by Vesta about the issue:

1. The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh
2. It was an automated hack
3. The attack was platform independent.
4. VestaCP team didn’t find any traces in Vesta and system logs yet
5. On April 7 infected servers started to DDoS remote hosts using /usr/lib/libudev.so.

As a solution, VestaCP has proposed to turn off vestacp service. This can be done from the SSH with following commands:

service vesta stop

systemctl stop vesta

For security measures change the default port from 8083 to another.

tothino

VestaCP team released  a patch (0.9.8 Release 20, they found a vulnerability on password management; changelog: hardening password checks, auth fix);
however i changed default port, i need to control SSH access on port 22 by IP, and my IP is not static, it may change every few day.

An OT question: is your web console on port 22?

William

For the IP restriction, in general, this is good practice, but in your case when you have dynamic IP - recommendation would be remove the IP restriction and only change the SSH port.

In this case what is related to VestaCP vulnerability, you should also change the default 8083 port of the Vesta log-in page to another. For the patch that was released, and possible ways of loading it on your server, few possible ways of doing so is provided on VestaCP forum:

https://forum.vestacp.com/viewtopic.php?f=10&t=16556&start=260#p68893

Our web console is generated not via specific ports, but from the inside of the node. So restrictions on your server ports does not affect the connection through it. However take notice that web console should be used only in emergencies.

tothino

Thanks for your answer William.
VestaCP on my VPS, autoupdated yesterday at 1:00 am, and I changed default 8083 port for VestaCP,  following some guide on vestacp forum (same thread); btw i'm a little scared to change SSH port, in case somthing goes wrong and i lost access. I put restrition on IP because of many tries from chinese IPs on ssh; and i set my IP through VestaCP; however good to know that web console may be used in emergency.

synapticmx

tothino said:

Thanks for your answer William.
VestaCP on my VPS, autoupdated yesterday at 1:00 am, and I changed default 8083 port for VestaCP,  following some guide on vestacp forum (same thread); btw i'm a little scared to change SSH port, in case somthing goes wrong and i lost access. I put restrition on IP because of many tries from chinese IPs on ssh; and i set my IP through VestaCP; however good to know that web console may be used in emergency.

Hello tothino,

Maybe you can use CSF https://configserver.com/cp/csf.html, its a firewall that have two important things for you, 
1. Restriction by IP using services like No-IP or another Dynamic DNS Service, so you put you Dynamic DNS in allowed IP's.
2. You can add blacklists to block IP Address that are recognized like SPAM, Attacks, Brute-Force, etc..

Also, you can use Keys instead of password to allow SSH access, this will add more security to your setup and you dont need to change port. Only remember, keep you SO updated,

vinahost

thanks for sharing. Maybe i should backup data and transfer to another hosting controller (cPanel).

Giedrius

Update.

It seems that very recently the VestaCP panel was compromised once again. Time4VPS would like to recommend every VestaCP user to update their panel as soon as possible to avoid any further issues. You can do that by executing the following command via SSH:

v-update-sys-vesta-all