VestaCP Exploit Used to Stage DDoS Attack From Compromised Server

Linode Staff

There is a denial of service attack originating from a Linode, and it is believed to be due to a vulnerability in VestaCP. What can be done about it?

2 Replies

Linode Staff

Multiple Linodes Running VestaCP Compromised

Today we have seen a large number of Linodes being compromised and initiating DDoS attacks at a single IP address. After multiple owners of the affected Linodes confirmed use of Vesta Control Panel, we have reason to believe that this is tied to the previous VestaCP exploit that occurred earlier this year.

Statement From VestaCP Team

This past April, the Vesta team released information on a vulnerability in Vesta Control Panel that allowed root access to the servers. The servers were infected with a bash program, gcc.sh, which stored itself in users' /etc/cron.hourly folder, laying dormant for a few days before initiating DDoS attacks on remote hosts using /usr/lib/libudev.so.

Source: VestaCP Forum

Recommendations From Vesta

  • Limit access to port 8083 or disable it.
  • Until the infection is removed, affected users are advised to stop VestaCP service immediately using the following commands:
$ sudo systemctl stop vesta
$ sudo systemctl disable vesta

Note: This will stop VestaCP and it will not start again when the server is rebooted.

Patch for the April VestaCP Exploit

The Vesta team released a patch for this, which included a full rewrite of the password auth function, fixing "a potentially insecure password check method", which was confirmed to be the vector of attack.

Linode users that are running VestaCP and have not updated their client with the patch are recommended to do so.

How To Patch VestaCP

The following link includes instructions from the VestaCP team for patching VestaCP.

VestaCP Forum

I have copied the instructions below for your convenience.

Option 1: Via web interface

  • Log in as admin
  • Go to updates tab
  • Click “update” button under vesta package

Option 2: Via package manager

  • SSH as root to your server
  • yum update / apt-get update && apt-get upgrade

Option 3: Via GitHub

  • SSH as root
  • Install git:
$ sudo yum install git

or

$ sudo apt-get install git
  • Then run the following commands:
cd $(mktemp -d)
git clone git://github.com/serghey-rodin/vesta.git
/bin/cp -rf vesta/* /usr/local/vesta/

Things to Know

  • This issue is not distribution-specific, as it has been seen on Debian and CentOS machines.
  • System logs and Vesta may not contain any useful identifying information.
  • We are uncertain if this attack is the same or a new one entirely.

Scanning for Malicious Files

The vulnerability includes malicious code that is installed on the server. These files will need to be removed.

For other recent PHP vulnerabilities, a teammate of mine wrote this answer on using rkhunter and ClamAV:

Guide on Scanning Server for Malicious Files
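As an added example, not code from the Linode post, the VestaCP project, or the linked guide: a POSIX sh script that turns three of the steps above into checks an operator can run. It looks for the two file indicators the post names (gcc.sh in /etc/cron.hourly and /usr/lib/libudev.so), reports whether port 8083 is listening on a non-loopback address by reading `ss -ltn` output, and builds the iptables rules that limit 8083 to an admin network. The root-prefix argument, the admin CIDR 203.0.113.0/24, the `ss` sample, and the empty gcc.sh stand-in used by the demo are all assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the Linode post or the VestaCP project.
# Helpers for three of the steps the post recommends:
#   1. vesta_ioc_scan   - look for the two file paths the advisory names
#   2. port_listening   - read `ss -ltn` output on stdin, report whether a port is exposed
#   3. vesta_8083_rules - build iptables rules restricting port 8083 to an admin network

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:8083        0.0.0.0:*
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

# 1. Scan for the dropper and payload paths named in the advisory.
#    $1 = optional root prefix (assumed) so the check can run against a mounted
#    image or a test tree. Prints one FOUND: line per hit and lists any other
#    cron.hourly entries for manual review; returns 1 if anything was found.
vesta_ioc_scan() {
    root="${1:-}"
    hits=0
    for path in /etc/cron.hourly/gcc.sh /usr/lib/libudev.so; do
        if [ -e "$root$path" ]; then
            echo "FOUND: $root$path"
            hits=$((hits + 1))
        fi
    done
    if [ -d "$root/etc/cron.hourly" ]; then
        for f in "$root"/etc/cron.hourly/*; do
            [ -e "$f" ] || continue
            case "$f" in */gcc.sh) ;; *) echo "REVIEW: $f" ;; esac
        done
    fi
    [ "$hits" -eq 0 ]
}

# 2. Return 0 if some listener on TCP port $1 binds a non-loopback address.
#    Reads `ss -ltn` output from stdin; the local address is the 4th column.
port_listening() {
    awk -v p="$1" '
        NR > 1 {
            n = split($4, a, ":")
            if (a[n] == p && a[1] != "127.0.0.1" && $4 != ("[::1]:" p)) { found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# 3. Build the rules that allow 8083 only from $1 (admin CIDR, assumed value) and
#    drop it otherwise. $2 = "apply" executes them; anything else just prints them.
#    Assumes the INPUT chain has no earlier rule already matching port 8083.
vesta_8083_rules() {
    admin_cidr="$1"
    mode="${2:-print}"
    rules="iptables -A INPUT -p tcp --dport 8083 -s $admin_cidr -j ACCEPT
iptables -A INPUT -p tcp --dport 8083 -j DROP"
    if [ "$mode" = "apply" ]; then
        printf '%s\n' "$rules" | while IFS= read -r rule; do sh -c "$rule"; done
    else
        printf '%s\n' "$rules"
    fi
}

# Demonstration against a constructed directory tree, not a real host.
demo() {
    demo_root=$(mktemp -d)
    mkdir -p "$demo_root/etc/cron.hourly" "$demo_root/usr/lib"
    : > "$demo_root/etc/cron.hourly/gcc.sh"   # constructed stand-in for the dropper
    if vesta_ioc_scan "$demo_root"; then
        echo "no indicators found"
    else
        echo "indicators present: stop and disable vesta, clean the host, then patch"
    fi
    rm -rf "$demo_root"
    if printf '%s\n' "$SAMPLE_SS" | port_listening 8083; then
        echo "port 8083 is reachable beyond loopback; restrict it:"
        vesta_8083_rules 203.0.113.0/24
    fi
}
demo
```

The scan accepts a root prefix so a disk image from a compromised Linode can be checked from a clean host rather than trusting the compromised system's own tools, and the firewall helper prints rules by default so they can be reviewed before being applied.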

If they're outbound DoSing you should probably netfilter them. ¯\_(ツ)_/¯
