VestaCP Exploit Used to Stage DDoS Attack From Compromised Server
There is a denial of service attack originating from a Linode, and it is believed to be due to a vulnerability in VestaCP. What can be done about it?
Multiple Linodes Running VestaCP Compromised
Today we have seen a large number of Linodes being compromised and initiating DDoS attacks at a single IP address. After multiple owners of the affected Linodes confirmed use of Vesta Control Panel, we have reason to believe that this is tied to the previous VestaCP exploit that occurred earlier this year.
Statement From VestaCP Team
This past April, the Vesta team released information on a vulnerability in Vesta Control Panel that allowed root access to the servers. The servers were infected with a bash program,
gcc.sh, which stored itself in users'
/etc/cron.hourly folder, laying dormant for a few days before initiating DDoS attacks on remote hosts using
Recommendations From Vesta
- Limit access to port 8083 or disable it.
- Until the infection is removed, affected users are advised to stop VestaCP service immediately using the following commands:
$ sudo systemctl vesta stop $ sudo systemctl disable vesta
Note: This will stop VestaCP and it will not start again when the server is rebooted.
Patch for the April VestaCP Exploit
The Vesta team released a patch for this, which included a full rewrite of the password auth function, fixing "a potentially insecure password check method", which was confirmed to be the vector of attack.
Linode users that are running VestaCP and have not updated their client with the patch are recommended to do so.
How To Patch VestaCP
The following link includes instructions from the VestaCP team for patching VestaCP.
I have copied the instructions below for your convenience.
Option 1: Via web interface
- Login as
- Go to updates tab
- Click “update” button under vesta package
Option 2: Via package manager
- SSH as root to your server
- yum update / apt-get update && apt-get upgrade
Option 3: Via GitHub
- SSH as root
$ sudo yum install git
$ sudo apt-get install git
- Then run following commands:
cd $(mktemp -d) git clone git://github.com/serghey-rodin/vesta.git /bin/cp -rf vesta/* /usr/local/vesta/
Things to Know
- This issue is not distribution-specific, as it has been seen on Debian and CentOS machines.
- System logs and Vesta may not contain any useful identifying information.
- We are uncertain if this attack is the same or a new one entirely.
Scanning for Malicious Files
The vulnerability includes malicious code that is installed on the server. These files will need to be removed.
For other recent PHP vulnerabilities, a teammate of mine wrote this answer on using rkhunter and ClamAV:
If they're outbound DoSing you should probably netfilter them. ¯_(ツ)_/¯