Posted on October 19, 2018 at 2:59 PM
New DDoS Malware Infects Open-Source Web Hosting Software
New report delivered by a member of VestaCP (Vesta Control Panel) team claims that an unknown hacker managed to breach their server security. The attack resulted in the project’s source code being infected with malware that can log data such as passwords, open shells, or even launch a DDoS attack.
VestaCP infected by a malicious code
VestaCP, which is a well-known provider of open-source hosting panel software, stated that the code was likely added on May 31, 2018. However, the code was also removed only two weeks later, on June 13. This conclusion came after analysis of VestaCP source code on its GitHub repository.
Supposedly, the malicious code allowed hackers to steal admin passwords for multiple servers that hosted Vesta control panel. Hackers also sent stolen passwords back to VestaCP’s official domain in order to cover their tracks and make traffic from compromised servers look less suspicious.
After that, attackers accessed infected servers by using these stolen passwords and installed a new malware strain. The new strain was named Linux/ChachaDDoS, and is explained in a new report published yesterday by ESET.
ESET claims that this malware seems to be a combination of code taken from several other malware strains. Most parts of the code seem to originate from a Linux DDoS malware strain called XOR. XOR was originally noticed back in 2015.
Marc-Etienne M. Léveillé, one of ESET’s researchers, claims that the malware has several functions. However, it would seem that hackers were only interested in using one — DDoS. Since the incident, Léveillé observed several campaigns that used VestaCP servers for attacking two IPs based in China.
The incident was uncovered due to bandwidth overuse
Thanks to the fact that hackers were only interested in using the malware’s DDoS function, compromised servers were much easier to detect and expose. The biggest contributors seem to be cloud providers, which notified customers that their servers are using suspiciously large amounts of bandwidth.
One such user decided to complain on a forum managed by VestaCP, as well as social media, around mid-September. At first, VestaCP was silent, and it took them several weeks to respond. However, the company finally answered two days ago, with claims that it has been collaborating with Acturus Security, a Russian cybersecurity company, in order to analyze these complaints.
Yesterday, VestaCP’s team released VestaCP 0.9.8-23, a security release for the Control Panel software. The new version addresses several security issues that Acturus uncovered during their analysis.
Additionally, the company decided to also create another website that will allow server owners to enter the IP address of their server and check if they still have a compromised version of VestaCP. In short, if someone enters their IP address and find that it is listed on this website, they should immediately change their admin passwords.
Finally, the team also advised users to ensure that there is no /usr/bin/dhcprenew binary installed on their servers since it is suspected that this binary might be a type of trojan that can launch DDoS attacks remotely.
While these efforts are praiseworthy, VestaCP seems to have suffered a type of damage that cannot be easily repaired. Due to the incident, their reputation is at stake, especially since there are multiple users who do not believe the story about a hacker breaking past their defenses. While some only blamed the company for the incident, many decided to migrate from VestaCP to one of the project’s forks, which is led by a Belgian firm.