The Official Community Support Forum 

  • Vesta Panel vulnerability (from April 8th, 2018)

 #26585  by ThemeSplat
 April 9th, 2018, 2:07 pm
Vulnerability discovered within the VestaCP software. The exploit is being used to gain root access to servers running Vesta Panel. Exploited servers are then being used to perform a DoS attack against remote servers by sending large amounts of traffic.

DigitalOcean promptly blocked access to the default Vesta panel port:
https://www.digitalocean.com/community/ ... l-8th-2018

More info about the vulnerability:
https://forum.vestacp.com/viewtopic.php?p=68594#p68594


skid » Sun Apr 08, 2018 7:05 am wrote:

Here is what we know so far:

  1. The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh
  2. It was an automated hack
  3. CentOS, Debian, Ubuntu: all distros are affected; it’s platform independent
  4. We didn’t find any traces in vesta and system logs yet
  5. On April 7 infected servers started to DDoS remote hosts using /usr/lib/libudev.so.

What you can do:
The best way to stay safe is to temporarily disable the vesta web service

Code:
service vesta stop

Code:
systemctl disable vesta

or limit access to port 8083 using a firewall

What we are doing:
A few users provided us with root access to their servers. We are investigating what happened. We also launched a couple of honeypots in order to get the full picture of the hack.


All clients having issues with this should get in contact via email/PM to work out the fixes needed.
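
A triage check for the two file paths and the panel port named in the post above, added here as an example; it is not part of the original thread or of VestaCP's own tooling. The function names and the ROOT argument (for scanning a mounted disk image instead of the live filesystem) are assumptions of this example.

```shell
# Added example, not from the forum post. The two paths and port 8083 come
# from the post; the function names and ROOT argument are assumptions.
VESTA_IOC_PATHS="/etc/cron.hourly/gcc.sh /usr/lib/libudev.so"
VESTA_PORT=8083

# Print "FOUND <path>" for each indicator file present under ROOT
# (empty ROOT = live filesystem). Returns 1 if any was found, else 0.
vesta_ioc_scan() {
    root="${1:-}"
    hit=0
    for p in $VESTA_IOC_PATHS; do
        # -L also catches a dangling symlink left at the path
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf 'FOUND %s\n' "$root$p"
            hit=1
        fi
    done
    return "$hit"
}

# Read `ss -ltn` output on stdin and print every listener on the panel port
# that is bound to a non-loopback address. Returns 0 if one exists, else 1.
# A firewall may still filter the port; this only reports the bind address.
vesta_panel_exposed() {
    awk -v port="$VESTA_PORT" '
        $1 == "LISTEN" && $4 ~ (":" port "$") && $4 !~ /^(127\.|\[::1\])/ {
            print "EXPOSED " $4; n++
        }
        END { exit (n > 0 ? 0 : 1) }'
}

# Live use on a suspect host:
#   vesta_ioc_scan "" ; ss -ltn | vesta_panel_exposed
```

A clean result from the file scan does not clear a host: the quoted post says no traces had yet been found in the vesta and system logs.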
