It has come to our attention that a popular free control panel, VESTA CP, used by a number of our customers, is suffering from a 0-day exploit. Current reports suggest a vulnerability in VESTA's API, which allows code to be executed as root. According to reports, this was discovered a few days ago. From our observations so far, once the server is infected, it is then used to send out DDoS attacks. More information can be found on their website here.
If your server has been infected, there is a good chance it is already suspended by our automated system. If that is the case, please open a ticket on our helpdesk here to make arrangements on how to obtain your files. If you are running VESTA CP and your server has not been suspended, we strongly recommend making backups of your server and immediately reinstalling your server. Chances are it will get infected in the next 24 hours.
To see if your server has been infected, log in to your server as root and check for a file called "gcc.sh" in the /etc/cron.hourly folder:
cd /etc/cron.hourly
ls -al
If the file is present, your server is infected. We recommend an immediate backup of your files and databases and wiping your server clean. We recommend not installing VESTA CP again until their developers rectify the issue.
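The same check as a small script, added here as an example and not part of the original notice. It can also be pointed at the mount point of a backup or rescue-mode disk, and it catches a gcc.sh that is a dangling symlink; the function name check_roots and the mount-point usage are assumptions of this example.

```shell
#!/bin/sh
# Added example: check one or more filesystem roots for the indicator
# named in this notice (a file called gcc.sh in /etc/cron.hourly).
# Pass "/" for the live server, or the mount point of a backup or
# rescue-mode disk (hypothetical usage, not from the original notice).

INDICATOR="etc/cron.hourly/gcc.sh"

# Prints one line per root checked.
# Returns 0 if no root contains the file, 1 if at least one does.
check_roots() {
    found=0
    for root in "$@"; do
        # Strip a trailing slash so "/" and "/mnt/backup/" both work.
        path="${root%/}/$INDICATOR"
        # -L catches a dangling symlink, which -e alone would miss.
        if [ -e "$path" ] || [ -L "$path" ]; then
            echo "INFECTED: $path"
            # Show owner, size and timestamp before the server is wiped.
            ls -al "$path"
            found=1
        else
            echo "clean: $path not present"
        fi
    done
    return "$found"
}

# With no arguments, check the live system.
if [ "$#" -eq 0 ]; then set -- /; fi
check_roots "$@"
```

Run it as root; an exit status of 1 means at least one of the checked roots contains the file.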