Open source web hosting software compromised with DDoS malware

Some VestaCP servers were infected with a new malware strain named Linux/ChachaDDoS.

The maintainers of an open-source hosting control panel admitted yesterday to a security breach during which an unknown attacker contaminated the project's source code with malware that logs passwords, opens shells, and can launch DDoS attacks.

"Our infrastructure server was hacked," said a member of the Vesta Control Panel (VestaCP) team yesterday in a forum post. "The hackers then changed all installation scripts to log admin password and [server IP]."

A user who analyzed the VestaCP source code in its official GitHub repository said the malicious code was added on May 31 this year and removed two weeks later, on June 13.

The code let attackers collect admin passwords for servers on which the Vesta control panel was installed. To keep traffic from compromised servers from looking suspicious, the attackers sent the passwords back to an official VestaCP domain, which they presumably still controlled at the time.

Attackers then used these passwords to log in to the compromised servers and install a new malware strain named Linux/ChachaDDoS, which is broken down in an ESET report released today.

ESET says the malware appears to be a mixture of code taken from different malware strains, with most of it borrowed from XOR, a Linux DDoS malware strain that was first spotted in late 2015 [1, 2].

ESET researcher Marc-Etienne M. Léveillé says the malware contains various functions, but the attackers appear to have used only the DDoS feature. Léveillé says he observed campaigns that instructed compromised VestaCP servers to launch attacks against two Chinese IP addresses.

In fact, it was this DDoS function that exposed the compromised servers in the first place: cloud providers started notifying customers that their rented servers were consuming unusually large amounts of bandwidth.

Users who received these warnings have been complaining on the VestaCP forum and social media since mid-September.

After weeks of silence, the VestaCP team finally answered yesterday, revealing it had been working with a Russian cyber-security firm named Acturus Security to analyze user complaints for the past month.

The staff released VestaCP 0.9.8-23 today, a security release for the Vesta Control Panel software to address various security issues Acturus reported during its investigation.

Because the stolen server IPs and passwords were sent to a VestaCP-controlled server, the team also holds a copy of that data, and it has set up a website where server owners can enter their server's IP address and see whether they installed a VestaCP version that contained the password-stealing code.

"If [your IP address is] there you should change admin passwords as soon as possible," the VestaCP team said. "Also please make sure there is no /usr/bin/dhcprenew binary installed on your server. This binary is some sort of trojan that is able to launch remote DDoS attack or open shell to your server."
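The advice in the quote above boils down to a host check. The following POSIX shell script is an added example written for this page; it is not VestaCP's or ESET's own code. It looks for the /usr/bin/dhcprenew file named in the forum post and, on a live host, for a running process of that name (the process check is an assumption: a binary that has already been deleted may still be running). The optional root-prefix argument is also an assumption added so the same check can be pointed at a mounted disk image.

```shell
#!/bin/sh
# Added example, not VestaCP's or ESET's own code: check a host for the
# /usr/bin/dhcprenew binary that the VestaCP team told affected users to
# look for. Assumptions: the path is exactly as quoted in the forum post,
# and an optional ROOT prefix lets the file check run against a mounted
# disk image instead of the live system.

# vesta_ioc_check [ROOT]
# Returns 0 when no indicator is found, 1 when at least one is found.
vesta_ioc_check() {
    root="${1:-}"
    bin="${root}/usr/bin/dhcprenew"
    found=0

    # 1. The file-system indicator named in the VestaCP forum post.
    if [ -e "$bin" ]; then
        echo "INDICATOR: $bin exists:"
        ls -l "$bin"
        found=1
    fi

    # 2. On a live host (no ROOT prefix), a running process of that name
    #    means the trojan is active even if the file has since been removed.
    #    Skipped when pgrep is unavailable or when checking a mounted image.
    if [ -z "$root" ] && command -v pgrep >/dev/null 2>&1; then
        if pgrep -x dhcprenew >/dev/null 2>&1; then
            echo "INDICATOR: a process named dhcprenew is running"
            found=1
        fi
    fi

    if [ "$found" -eq 0 ]; then
        echo "no dhcprenew indicator found under '${root:-/}'"
    fi
    return "$found"
}

# Run the check on the live system (or on the ROOT given as first argument)
# and exit non-zero if an indicator was found, so it can drive a cron job
# or a fleet-wide sweep.
vesta_ioc_check "$@"
```

A clean result from this script does not prove the server was never exposed: the password-stealing code ran at install time, so if the panel was installed between May 31 and June 13 the admin password should be treated as compromised and changed regardless of whether the binary is present.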

But despite these efforts, VestaCP also appears to have suffered lasting reputational damage: some users simply did not believe the team's explanation that an attacker broke into its infrastructure. Many blamed Vesta itself, and some migrated their servers from VestaCP to a project fork maintained by a Belgian company.

VestaCP is a web hosting control panel, similar to the better-known cPanel, that lets hosting companies and web developers provision web servers quickly with whatever stack their infrastructure requires.
