On 07 April 2018, many servers running VestaCP were hacked. The attacker was able to get root access on these servers.
The attacker installed a trojan known as Chinese Chicken, which is used to DDoS other servers.
To see if your server is hacked, check whether the file /etc/cron.hourly/gcc.sh is present on your server.
ls -l /etc/cron.hourly/gcc.sh
You can read more about this DDoS Trojan at
https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/
If you are running VestaCP, stop it until a solution for this exploit is released.
service vesta stop
systemctl stop vesta
You can find discussion of this exploit on the VestaCP forum
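The file check and the service check above can be combined into one triage script. This is an added example, not part of the original post; the optional root argument (for checking a mounted disk snapshot rather than the live system, which is useful because the write-up linked above describes an embedded rootkit) and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): triage for the indicator named above.
INDICATOR="etc/cron.hourly/gcc.sh"   # path given in the post, relative to the root

# check_indicator ROOT
#   ROOT is "/" for the live system or the mount point of a disk snapshot
#   (the snapshot option is an assumption added here).
#   Prints evidence and returns 0 if the file is present, 1 if it is not.
check_indicator() {
    root="${1:-/}"
    path="${root%/}/$INDICATOR"
    # -L also catches a dangling symlink, which -e alone would miss
    if [ -e "$path" ] || [ -L "$path" ]; then
        echo "FOUND: $path"
        ls -l "$path"
        # Record a hash before cleanup so the file can be identified later
        if [ -f "$path" ] && command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$path"
        fi
        return 0
    fi
    echo "not found: $path"
    return 1
}

# vesta_status: report whether the vesta service is still running on this host
vesta_status() {
    if command -v systemctl >/dev/null 2>&1 &&
       systemctl is-active --quiet vesta 2>/dev/null; then
        echo "vesta: running (stop it with: systemctl stop vesta)"
    else
        echo "vesta: not running or not installed"
    fi
}

# Usage: sh triage.sh /            (live system)
#        sh triage.sh /mnt/snap    (mounted snapshot, constructed path)
if [ $# -gt 0 ]; then
    check_indicator "$1"
    found=$?
    [ "$1" = "/" ] && vesta_status
    exit "$found"
fi
```

The exit status is 0 when the file is found and 1 when it is not, so the script can be run across several servers from a loop.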
https://forum.vestacp.com/viewtopic.php?f=10&t=16556
Once a server is rooted, it is better to take a backup of all your data and restore the OS.