Here is what we know so far:
1. The first wave happened on April 4. Servers were infected with /etc/cron.hourly/gcc.sh
2. It was an automated hack.
3. CentOS, Debian, Ubuntu: all distros are affected; it's platform independent.
4. We didn't find any traces in vesta and system logs yet
5. On April 7 infected servers started to DDoS remote hosts using /usr/lib/libudev.so.
What you can do:
The best way to stay safe is to temporarily disable the vesta web service:
service vesta stop
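To see whether a server already carries the two files named above, the following check can be run on the live system or against a mounted disk. It is an added example, not part of the original notice; the function name and output format are assumptions, and a hit means the path exists and needs investigation, not that its content has been confirmed malicious.

```shell
#!/bin/sh
# Added example: look for the two file paths named in this advisory.
# Usage: check_vesta_iocs [ROOT]
#   ROOT defaults to / ; pass a mount point (e.g. /mnt/vps) to inspect
#   the disk of a suspended VPS without booting it.

# The only indicators used are the paths given in the advisory text.
IOC_PATHS="/etc/cron.hourly/gcc.sh /usr/lib/libudev.so"

# Prints one FOUND line per indicator present.
# Returns 0 when none are present, 1 when at least one is.
check_vesta_iocs() {
    root="${1:-/}"
    root="${root%/}"    # "/" becomes "", "/mnt/vps/" becomes "/mnt/vps"
    hits=0
    for p in $IOC_PATHS; do
        f="$root$p"
        # -e is false for a dangling symlink, so test -L as well
        if [ -e "$f" ] || [ -L "$f" ]; then
            hits=$((hits + 1))
            # mtime and hash are recorded for the incident timeline;
            # both fall back to a marker when the file cannot be read
            mtime=$(date -r "$f" '+%Y-%m-%d %H:%M:%S' 2>/dev/null || echo unknown)
            sum=$(sha256sum "$f" 2>/dev/null | cut -d' ' -f1)
            echo "FOUND $p mtime=$mtime sha256=${sum:-unreadable}"
        fi
    done
    [ "$hits" -eq 0 ]
}
```

Source the file and call `check_vesta_iocs` as root; compare any reported mtime with the April 4 and April 7 dates given above.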
Any customer using VestaCP is requested to stop it until the vendor provides security updates.
Any exploited VPS will be suspended until the customer is available to resolve the issue.
Sunday, April 8, 2018