Critical Update for Vesta and New Vulnerabilities
A critical update for Vesta addresses new vulnerabilities exploited by attackers. Immediate action is recommended for users of the Vesta panel.
In early October, reports appeared on the official Vesta support forum of a new wave of server compromises targeting systems running an installed and fully updated Vesta panel. Just over a week later, the development team published an official statement describing the situation, together with an urgent release of a new version containing important security fixes.
Understanding the Situation
Unfortunately, the information on the official website lacks detail, but certain conclusions can be drawn.
One key vector of the attack was a modified installation script for the panel. The developers acknowledged that one of their infrastructure servers was compromised, which allowed the attackers to alter the code of a distribution component. Following common practice, the Vesta team collects installation data for statistical purposes, but the modified script also sent the administrator password in plain text. Given this, we strongly recommend immediately changing the passwords for the admin and root users if you are running Vesta.
Identifying Compromised Systems
Modules placed by attackers have been identified. Check for the following signs:
- The file /usr/bin/dhcprenew — a multifunctional trojan module that can use the infected system to organize attacks or facilitate unauthorized access with administrative privileges.
- A running trojan module mimicking a system process. In the process list, look for a process named kworker/1:1, which may appear as follows:
root 3308 0.0 0.0 272 52 ? Ss Sep24 0:00 [kworker/1:1]
root 3362 0.0 0.1 5596 1296 ? Ss Sep24 0:09 [kworker/1:1]
root 3363 0.0 0.0 5248 940 ? S Sep24 0:12 \_ [kworker/1:1]
If any of these signs are present, you should immediately remove the trojan modules, update the system and panel, change the passwords, and check the file system for other signs of infection.
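As an added example (not code from the Vesta project or its developers), the following POSIX shell script automates the two checks listed above: it looks for the /usr/bin/dhcprenew file and flags processes that present themselves as kworker threads but have properties a genuine kernel thread never has (a parent other than kthreadd, PID 2, or non-zero VSZ/RSS, since kernel threads own no user-space memory). The process table embedded in the script is a constructed sample modelled on the listing above; the function names and the `ps -eo` column layout are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the Vesta project: indicators-of-compromise check
# for the dhcprenew trojan and processes masquerading as [kworker/...].
#
# Assumed input format for flag_fake_kworkers: the output of
#   ps -eo user,pid,ppid,vsz,rss,stat,args
# (header line included). Genuine kernel worker threads are children of
# kthreadd (PID 2) and report VSZ and RSS of 0; a user-space binary that
# renamed itself to [kworker/1:1] cannot hide its parent or its memory usage.

flag_fake_kworkers() {
    # $1: file holding ps output. Prints "pid name reason" per suspicious entry.
    awk '$2 ~ /^[0-9]+$/ && $7 ~ /kworker/ {
        reason = ""
        if ($3 != 2) reason = reason "ppid=" $3 " "
        if ($4 != 0 || $5 != 0) reason = reason "vsz=" $4 " rss=" $5
        if (reason != "") print $2, $7, reason
    }' "$1"
}

is_kernel_thread() {
    # $1: PID. Kernel threads have no executable behind /proc/<pid>/exe, so
    # readlink fails for them. Run as root: for another user's process the
    # link is also unreadable, which would give a false "kernel thread".
    ! readlink "/proc/$1/exe" >/dev/null 2>&1
}

check_dhcprenew() {
    # $1: path to test (defaults to the indicator named in the advisory).
    # Returns 1 (and prints a warning) if the file exists, 0 otherwise.
    path="${1:-/usr/bin/dhcprenew}"
    if [ -e "$path" ]; then
        echo "WARNING: trojan indicator present: $path"
        return 1
    fi
    return 0
}

write_sample_ps() {
    # Constructed sample (not a real capture) modelled on the advisory listing:
    # PID 17 is a real kworker; 3362 and 3363 are user-space impostors.
    cat > "$1" <<'EOF'
USER       PID  PPID   VSZ  RSS STAT COMMAND
root         1     0 37740 5800 Ss   /sbin/init
root         2     0     0    0 S    [kthreadd]
root        17     2     0    0 S    [kworker/1:1]
root      3362     1  5596 1296 Ss   [kworker/1:1]
root      3363  3362  5248  940 S    [kworker/1:1]
EOF
}

scan_live() {
    # Run both checks against the live system (run as root for complete data).
    tmp=$(mktemp)
    ps -eo user,pid,ppid,vsz,rss,stat,args > "$tmp"
    flag_fake_kworkers "$tmp"
    rm -f "$tmp"
    check_dhcprenew /usr/bin/dhcprenew
}

# Usage on a real host: source this file and call `scan_live`, then confirm
# each flagged PID with `is_kernel_thread <pid>` (false means user-space code).
```

Against the sample table the script reports PIDs 3362 and 3363 and leaves the genuine kworker (PID 17) alone. A flagged PID is worth confirming with `ls -l /proc/<pid>/exe` and `cat /proc/<pid>/cmdline` before removal, so that the on-disk binary and its launch arguments are preserved for the wider file-system check the advisory recommends.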
Release Notes for 0.9.8-23
It is essential to install the latest version. Here are the key changes:
- Security fix for timing attack on password reset. Thanks to Arcturus Security.
- Security fix for v-open-fs-config; its visibility is limited to /etc and /var/lib directories.
- Security check for /usr/bin/dhcprenew binary; if found, the checker notifies the server administrator.
- Security improvement for sudo, limited to Vesta scripts only, preventing execution of other commands.
- Individual generation of admin and database passwords.
- New installer no longer uses c.vestacp.com as a source for configuration files; configs are now bundled inside the Vesta package.
- Installer no longer sends any information to vestacp.com after successful installation.