Update: As of April 12, 2018 we have removed the block on port 8083. We will continue to observe the result of this change and may reinstate the block if we see an uptick in abusive traffic. We will continue to post updates here, as necessary.

Due to a vulnerability within the VestaCP software, an exploit is being used to gain root access to Droplets running this software. Exploited Droplets are then being used to perform a DoS attack to remote servers by sending large amounts of traffic.

VestaCP has also acknowledged the issue and is investigating the behavior further themselves: https://forum.vestacp.com/viewtopic.php?p=68594#p68594

What is being done about this?

DigitalOcean is working to mitigate traffic from Droplets that have already been compromised. We have also blocked all traffic to TCP port 8083, the default port used by VestaCP for API and login requests. Additionally, we have disabled networking on a subset of Droplets suspected of running this software in an attempt to avoid a potential compromise or to prevent abusive traffic from being sent from these Droplets. Vesta has officially released an update that is meant to mitigate the vulnerability.

These packages are available via package manager updates or fresh installs. Though this update is meant to mitigate against new attacks, it will not help your system if it has already been compromised. It is advised that you create a new instance of Vesta, rather than updating old systems.

Disclaimer: These packages have not been tested by DigitalOcean to ensure the vulnerability is officially patched. Furthermore, we have not seen enough details of either the exploit or the patch to have a high degree of confidence in its ability to mitigate the vulnerability. This means that, even post patch, your Droplet could still be vulnerable. Please read on for additional information about ways to potentially reduce your risk of exploitation.

If you create a new instance of Vesta, we recommend that you change the default port away from 8083 (which is currently blocked by DigitalOcean). We have prepared a tutorial to assist users with installing VestaCP and migrating their data.

Our Support Team is working as quickly and efficiently as possible to respond to each ticket in a timely manner. As additional updates are available, we’ll modify this post. We appreciate your patience as we work to resolve outstanding issues.

How can I check if my Droplet was compromised?

What steps can I take to prevent my Droplet from being compromised?

Though Vesta has updated their package, there is still a chance the system is vulnerable (there is always a chance that any system is vulnerable). In light of this vulnerability, we recommend taking the following general security precautions to avoid takeovers of your Droplet(s). Compromised Droplets are typically used for cryptocurrency mining or Denial of Service (DoS) attacks, both of which will impact your ability to use your Droplet.

Follow our Community article, which includes mitigation steps, to spin up a new Droplet.

Use DigitalOcean’s Cloud Firewalls to block SSH traffic and VestaCP control panel traffic from all IPs other than the one IP you use to manage your Droplet.

Block public inbound connections to port 8083. If needed, you can still establish connections through the use of an SSH tunnel by following our tutorial How To Set Up SSH Tunneling on a VPS.

These answers are provided by our Community. If you run into issues leave a comment, or add your own answer to help others.

71 answers

By anthonyrossbach After updating the server via SSH, how to change the VestaCP port and add firewall rules

I run a web host that uses VestaCP as a backbone API for managing resources only, but everything has been patched and I wanted to share a script to update your VestaCP port from 8083 to 5600. But only do this AFTER you update and patch. It will create the firewall rule on VestaCP also.

curl http://www.nodehost.ca/scripts/sh/vestacp_changeport.sh > vestacp_changeport.sh && bash vestacp_changeport.sh

Feel free to download and see what the file actually does, and if you want to upload a file and run it locally, here is the script in the file:

#!/bin/bash
echo "NodeHost Custom VESTACP Script"
echo "JOB: Changing VESTACP port"
string="listen 8083;"
stringnew="listen 5600;"
# Only rewrite nginx.conf if the new listen line is not already there (safe to re-run)
grep "$stringnew" /usr/local/vesta/nginx/conf/nginx.conf || sed -i "s/$string/$stringnew/g" /usr/local/vesta/nginx/conf/nginx.conf
echo "JOB: Complete"
echo "JOB: Changing VESTACP firewall rule for new port"
v-add-firewall-rule ACCEPT 0.0.0.0/0 5600 TCP
echo "JOB: Complete"
echo "JOB: Restarting VESTACP"
service vesta restart
echo "JOB: Complete"
echo "JOB: Port has been changed to 5600 from 8083"

I hope this helps. View 3 responses to this answer on our full site

By MaryRWebb I find some of the comments here appalling. I had problems with the network on my servers almost a day and then I found out the result was that a bunch of other people on the network had chosen to install this vestacp thing that was vulnerable and caused their servers to attack the network. Digital ocean shut them down as they should have, only for them to come here and talk trash and act like digital ocean is responsible for their own stupid choices. thanks digital ocean. don’t listen to the haters. View 2 responses to this answer on our full site

By tomapryor Hi DO Please, please… can we have a reply to our ticket, it’s nearly been 24 hours and still not one response!? Ticket #1443819 Thank you. View 1 response to this answer on our full site

By alexcastaneda Hello, good day to all. It really is a very serious problem that is happening right now: many sites down, and many people losing traffic. I had several sites down, and solved it in the following way:

1.- Make a backup of the database of each of the websites:

mysqldump -u userdb -p dbname > namefilebackup.sql

2.- Install Vesta on a CentOS server (create a new Droplet with CentOS 7)

3.- Change the port of Vesta; it could be 2083:

cd /usr/local/vesta/nginx/conf/ && nano nginx.conf

change "listen 8083;" to "listen 2083;"

service vesta restart

4.- Update the firewall rules in Vesta via the console:

v-change-firewall-rule Accept 0.0.0.0/0 2083 TCP

5.- Copy the files from the previous server to the current server:

rsync -avzhie "ssh -p 22" root@IP.DEL.SERVER.ANTERIOR:/mnt/home/admin/backup.tar.gz /home/admin/backups-new-server/

6.- Restore all files.

If you have any questions about the steps above, let me know, I will be very happy to help you… :) a big hug and successes! View 2 responses to this answer on our full site

By narinderbansalmonk OK, below is my case. My server ports were closed, but I was able to log in and use SSH.

So i updated vesta cp and changed ports.

Also activated firewall from digital ocean account.

Checked for cron jobs; didn’t find anything. Found nothing.

Checked /etc/passwd file, make all changes of shell access(Only checked because everything was already in place).

Also monitored

ls /etc/cron.hourly/

ls /lib/

ls /etc/rc.*

ls /etc/systemd/*

Didn’t find anything. Server is working fine for now but one question is left.

Are these steps enough? View 1 response to this answer on our full site

By JosephShenton This is simply unacceptable. I understand you have to make sure everyone’s Droplets are safe however I had changed the default port and made sure users require a login via .htaccess BEFORE ever reaching the login page of VestaCP. I was safe, however you shutdown my droplet TWO DAYS IN A ROW. This has made me lose $125 while the droplets were offline so far. You guys need to understand that I use VestaCP because I do not need cPanel, and I can’t put my droplet back online until you guys allow VestaCP again meaning this could be upwards of 1-4 Weeks! I’ll be losing money and having to pay refunds to over 10,000 people due to this. I am putting my droplet back online right now and if you take it down you will be getting an email to your legal department. Thank you. View 1 response to this answer on our full site

By digitaloceand6fe3884bd3694 “Additionally, we have disabled networking on all Droplets suspected of running this software in an attempt to avoid a potential compromise or to prevent abusive traffic from being sent from these Droplets” “How can I check if my Droplet was compromised? Check all cron jobs on your machine for malicious activity. ” How can I do that with networking blocked? I have a root login disabled with ssh key access only! View 2 responses to this answer on our full site

By thetigcoder Only one of my 4 droplets is down for this problem, I want to restore it online, how do I do that? I don’t have time, my customer is impatient. View 1 response to this answer on our full site

By nlcaldwell Taking down droplets that have not been compromised but which are running VestaCP is an absurd over-reaction on DigitalOcean’s part. Is DigitalOcean allowed under the Terms of Service to disable networking when a Droplet is not compromised? View 3 responses to this answer on our full site

By user45456 We just need to make backup of database! How to do it ASAP!! View 1 response to this answer on our full site

By azartcitycom Hi there, how can I enable networking for my droplet? Even if I want to change VestaCP to another software I need to access my droplet.

I have no ability to show my users any message :/

I scanned my droplets (as you wrote) and there was no vulnerability.

I also opened a ticket but still no answer. View 1 response to this answer on our full site

By Tyrion Hello, can you please turn networking back on for my droplet. VestaCP has launched an update I want to install that should patch this vulnerability for unaffected servers like mine. I also put in a droplet firewall to block all non acceptable ports. I have also checked all the cron folders and crontab nothing matched the vulnerabilities and that other lib file doesn’t exist. I’ve had a Ticket for several hours yet no response as of yet(#1446345). I spun up a new droplet as per instructions but had no way of accessing the backups since networking was taken down. I then shutdown my droplet to copy my backups and then I’m now trying to get my droplet back to running(It is stuck in recovery mode). I also am not happy to have to pay for not only these outages but the time wasted with the extra droplet I spun up without any way to setup a new instance due to no backups(I’m turning on Digital Ocean Droplet backups going forward). I also would like to get my site back online promptly. Thank You. I need to know whether you can help me quickly or whether I need to rebuild my server and wait for DNS to propagate. View 2 responses to this answer on our full site

By agenciaglobales I’m going to create a new drop, can I do this with vestacp?

Correction pacode is already available.

By SS88 Hello. I’m part of a team and one Droplet is currently offline despite NOT being compromised and already PATCHED. I opened a ticket (1446281) HOURS ago and it has no replies. View 1 response to this answer on our full site

By dougfda9158d1d815899733026 Can you please respond to my Ticket #1446492:? I have created a new droplet with new IP and updated the networking for all domains (2+ hours ago). View 2 responses to this answer on our full site

By elninja Related to this, I have two droplets, I have disabled VestaCP and I’m waiting on you to restart the affected droplets with networking and the previous kernel. Ticket #1446891

If you’re wondering how to disable VestaCP, install rcconf and scroll down until you find vesta and disable it.

apt install rcconf -y
rcconf   # opens a CLI app

Check for any suspicious cron files, including the ones stored in /etc/crontab, and list the root jobs with:

crontab -u root -l

View 1 response to this answer on our full site

By tcaseng86 Hi there, I have checked and gone through all the necessary steps and can rest assured it is not compromised. No such file gcc.sh was found in /etc/cron.hourly/gcc.sh and no such file libudev.so in the /lib/ path. I have taken measures to change the VestaCP login port from 8083 to 56000. All the above mentioned can be checked in my support ticket as there is screenshot proof for it. For the moment I have stopped the vesta service until it is patched and secure, but I could not do so as there is no internet from the droplet. There is already a patch release which can be found here: https://lowendtalk.com/discussion/141728/vestacp-possibly-hit-with-zeroday-exploit-patch-released but I could not apply it as mentioned, no internet connection from the droplet. Please reply to my ticket [Ticket #1446648] as soon as possible. Thank You View 1 response to this answer on our full site

By secretsaiyan You guys mentioned that TCP/8083 got blocked for the SFO2 region. Today I was unable to login to Vesta CP through port 8083 and my droplet is in SF01. Did you guys also block 8083 for SF01 region? Today I did apt-get update and I noticed that there was an update for Vesta CP, so I want to know if the Control Panel stopped being accessible to me due to the update or because you guys blocked port 8083 for SF01 droplets. Thank you! View 1 response to this answer on our full site

By jassdesigngroup Hi there Can you help me to turn networking back on for my droplet to take action and fix this problem? Ticket #1447067

By fandavy Hi Can you please take a look at 1446838

By Acasuso Still waiting for a response to 1446685; it’s been 6 hours since my server had vestacp stopped, antivirus verified, ports and firewall changed and email responded.

By finanzashvg My ticket #1447361

The temporal solution is turn off the vesta service (sudo service vesta stop)

My droplet was not compromised.

Please, turn networking back on my droplet.

By Shadowhaxor Ticket #1447097

I had already set up my vestacp so only I could access it. I verified that my droplet was not compromised and fired off a ticket. My vesta cp port was also changed. No response as of yet. Please, turn networking back on my droplet.

By neha Till what time 8083 port will be blocked?? This is weird way of resolving issues by blocking a specific port across all infrastructure. There can be other applications which are running on 8083 port and you guys made them stopped. 1445131 View 1 response to this answer on our full site

By sophyxed I have like 7 droplets and like 30-40-something websites running under vestacp on all droplets! only 1 droplet so far has been shut-off that was hosting 2 websites. Are you guys telling me that you are going to shut-off those 30-40 websites sooner or later???? This is a total painnnnnnn in the ash if my option is migrating for immediate traffic recovery! Do you have a fix for this?????? View 1 response to this answer on our full site

By jonathancelio Hi guys, tonight, suddenly, my websites went down, but my droplet didn’t. So I entered the server via SSH in my console and it showed me this: “DigitalOcean Recovery Environment 17.04.1”. So I came here and saw this huge problem with VestaCP, and my server is running VestaCP, so I think that is the problem, but I don’t know what to do. I just use VestaCP to manage all sites and databases in one place; I don’t log in to the control panel. ALL my web pages are offline and I need to bring them all back immediately. Please take a look at Ticket #1446953

By MohdSohail Hey Guys! I followed instructions to checking and deleting the vulnerable files. I have also disabled vesta service. Vesta team has also released the security patch. I can’t install the patch without the internet connection. You guys please activate networking so that I can install the patch. And I am saying it again that I have disabled the vesta service. I also have changed the default vesta port from 8083 to something else. Please do it otherwise it’s a loss every day like everyone else. https://forum.vestacp.com/viewtopic.php?f=25&t=16575 The ticket I have raised - #1447354

By bbnchile Hey there!

Please!!! 1447790 VestaCP released a patch, but I can’t apply it with no connection… HELP PLEASE! View 1 response to this answer on our full site

By pasaro Hello DO team, I use vestacp and my droplet seems like got compromised.

I have checked and there are gcc.sh and libudev.so.

Anybody here can pointed me out how to clean this step by step?

There is a huge long thread on vestacp forum that make difficulty to summarized a simple step by step to handle this situation.

I try to clone the droplet and immediately got another take down.

My ticket number:

first droplet : #1444597

second droplet: #1446615 Thanks in advance. View 1 response to this answer on our full site

By neotec My droplet was taken down for this issue. Now I am not able to access my files to do the necessary backups in order to move to another droplet. I can’t SSH and I can’t use the web console either (no access to existing files). How do I move my existing files? How do I back up and move my existing files to a new droplet? Please help with ticket #1447622 ASAP! Thanks!

By neotec I have received an email from DigitalOcean saying “Because your Droplet may have been compromised, you’ll need to back up your data and transfer it to a new Droplet. We have a recovery tool to assist you…” I have two questions regarding this: 1) Where to find and how to use the recovery tool mentioned in the email? 2) The email suggests I move my files to a new droplet. But do I need to install VestaCP first on the new droplet and I should start with a blank droplet? Thanks!

By roncooletz I have already changed the default port. Now my droplet needs connectivity on the network. Please see my ticket #1444662. Thank you.

By romkond Hi,

how can I download files (eg. data base dump) from my server to my PC (Windows 7) using DO console (can’t use FTP clients and PuTTy because you blocked them)?

By blissrob Please review Ticket #1447360 Like many others, this VestaCP complete network block is impacting many many live users. Many of my servers have only recovery console available via direct console. This is an issue. Also, I only use secure SSH (alternate port with key) to access my servers and have no known root password. So for others that do not have recovery console, I cannot access either. This is 100% downtime on all my droplets.

I can run script to resolve issue across all droplets quickly if networking is reenabled. Please review Ticket #1447360

By guru3dc3b30da436aa9ab0c5c7 Hey, I have been waiting about 10 hours for a reply about my ticket: #1443782 Please help

By dld 8 hours wait here. Droplet checked. No infection. Admin port changed. Htauth set up for admin site. But no way to apply patch without network. Please re-connect me. 1447615 Also unsure why this server was singled out. We’re running 4 vesta servers. None infected. Only this one disabled. Other three patched within minutes. This one … still unable to patch.

By keloxers Please Helpme Ticket #1449452

By marianoconsoni Hi, due to time difference (I’m in GMT-3) I see this email monday morning when my customers started yelling me because they can’t use their emails and websites. I don’t need vesta control panel by now, just email and webservers.

I don’t receive answer on my ticket.

Ticket #1449553 Thanks. View 1 response to this answer on our full site

By blissrob Please review Ticket #1447360

I need access to my droplets in order to access data and update.

@ryanpq- Can you help?

@etel- Maybe you too? We need an inside advocate on this.

@jarland

By cloudd1fb0b307e I need help with Ticket #1449474. Please, answer me.

By blissrob @ryanpq - Are you able to help with this. You’ve always been very helpful to me and others in the past. We have thousands of users impacted and need an advocate.

By waldsonpatricio Please, check mine: #1446775

By aronjayvo Please check ticket number 1448697. The response time is awful.

By vsib Please check ticket 1443289. Requesting the Recovery Environment

By jaimegdelrio Four of my droplets were rebooted and all files deleted; please attend to my ticket #1450226 Help

By prnnk Please check my ticket [Ticket #1446734]

By bangbible You systematically removed servers from the network without knowing the root of the issue. VestaCP its self was not the entire issue. Certain programs selected and installed along with Vesta were. You didn’t check if servers were running these programs you just removed paying customers from your network without notice. We were not compromised and you caused damage. You are still restricting access over an issue that does not affect us. You will not reply to tickets asking if you plan on removing servers in other locations for the same reasoning. You have not provided proof that such power was granted in the tos before this event.

By ooo34rus Hello.

I checked and deleted the vulnerable files and disabled the vesta service.

Please, turn networking back on my droplets.

My tickets:

1443988

1444356

1443758

1445561

1444295

1445503

1443986

1445408

1444179

1445568

1444180

1444228

1444550

1443958

1444881

1438893

1444417 View 1 response to this answer on our full site

By carlosbelcha Hi everyone with this problem. TEMP SOLUTION: change the port by following the “Change Port” instructions. Then you can access on the new port with no issues (also make sure you update to 0.9.8-20 before changing the port); you can do that with the following. Check current version:

v-list-sys-vesta-updates

If not, 0.9.8-20 then run the following from CLI:

v-update-sys-vesta-all

That has the patch for the attack that was launched on Saturday 7th April that caused ports 8083 to be blocked in the first place. View 1 response to this answer on our full site

By prnnk Please answer my ticket #1446734

By zcheung I need help reactivating my server Ticket #1447558

By ms980896 Please answer my ticket #1444482

By archergod Since VestaCP release a patch and some of us already applied it. any idea when you will open ports? Or changing port in Vesta is only option we have for now? View 1 response to this answer on our full site

By prnnk Please check ticket #1448499, false disconnect, server was not compromised.

By wellington78dd896a2f4c0dc7 Please answer my ticket #1456045

By archosaur2 You just blocked my panel without any reason, on your suspicions?

Guys in DO are you crazy ????

I’ll better switch hosting… View 1 response to this answer on our full site

By goncharoveg Hi, I disabled VestaCP on my servers. Can I be sure that the servers will continue to work and will not be disabled by you? View 1 response to this answer on our full site

By hakanbaysal Hi, Please follow the 4 steps below Firstly list firewall -> v-list-firewall

Change VestaAdmin port -> v-change-firewall-rule 2 ACCEPT 0.0.0.0/0 8888 TCP VestaAdmin

Edit conf file 8083 to 8888 -> sudo nano /usr/local/vesta/nginx/conf/nginx.conf

Restart vesta -> /etc/init.d/vesta restart View 1 response to this answer on our full site
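The port change that anthonyrossbach’s script, alexcastaneda’s step 3 and hakanbaysal’s four steps all do by hand, written as a checked shell function. This is an added example, not code from any post in this thread or from VestaCP. It assumes the VestaCP nginx config path /usr/local/vesta/nginx/conf/nginx.conf named in those posts, but takes the path as a parameter so it can be tried on a copy first; it validates the new port, keeps a timestamped backup, is safe to re-run, and verifies the rewrite before telling you which firewall command and restart to run (it does not run v-add-firewall-rule or restart vesta itself).

```shell
#!/bin/sh
# Added example: change the port VestaCP's bundled nginx listens on.
# Assumption: the config lives at /usr/local/vesta/nginx/conf/nginx.conf (as in the
# thread); it is passed in as $1 so the function can be exercised on a copy.

# current_vesta_port CONF -> prints the first "listen <port>;" port found in CONF
current_vesta_port() {
    sed -n 's/^[[:space:]]*listen[[:space:]][[:space:]]*\([0-9][0-9]*\);.*/\1/p' "$1" | head -n 1
}

# change_vesta_port CONF NEW_PORT
#   returns 0 = changed (or already on NEW_PORT), 1 = file problem, 2 = bad port
change_vesta_port() {
    conf=$1
    new_port=$2

    # Reject anything that is not a plain number, privileged ports, and the default 8083
    case "$new_port" in
        ''|*[!0-9]*) echo "error: port must be numeric" >&2; return 2 ;;
    esac
    if [ "$new_port" -lt 1024 ] || [ "$new_port" -gt 65535 ] || [ "$new_port" -eq 8083 ]; then
        echo "error: port must be 1024-65535 and not the default 8083" >&2
        return 2
    fi

    [ -f "$conf" ] || { echo "error: $conf not found" >&2; return 1; }
    current=$(current_vesta_port "$conf")
    [ -n "$current" ] || { echo "error: no listen directive in $conf" >&2; return 1; }
    if [ "$current" = "$new_port" ]; then
        echo "already listening on $new_port, nothing to do"
        return 0
    fi

    # Keep a timestamped backup, then rewrite only the listen line
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" || return 1
    sed -i "s/^\([[:space:]]*listen[[:space:]][[:space:]]*\)$current;/\1$new_port;/" "$conf"

    # Verify the result before reporting success
    if [ "$(current_vesta_port "$conf")" != "$new_port" ]; then
        echo "error: rewrite failed, restore from the .bak file" >&2
        return 1
    fi
    echo "listen port changed $current -> $new_port. Next steps (not run here):"
    echo "  v-add-firewall-rule ACCEPT 0.0.0.0/0 $new_port TCP   # or your admin IP instead of 0.0.0.0/0"
    echo "  service vesta restart"
    return 0
}
```

Try it on a copy first (`cp /usr/local/vesta/nginx/conf/nginx.conf /tmp/nginx.conf && change_vesta_port /tmp/nginx.conf 5600`), then on the real file. Restricting the firewall rule to your management IP rather than 0.0.0.0/0, as the advisory at the top of this page recommends, is the part that actually reduces exposure; moving the port only takes you off the blanket 8083 block.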

By penchanda hi, please check my ticket. #1447504

By tim3b Ticket #1444863 continues to go without resolution for three days now. We have never used VestaCP though we depend specifically on port 8083 being available and open – as believed would be the case when choosing Digital Ocean over a year ago. It is unbelievable that Digital Ocean has marked the overall incident as “resolved” while paying customers are still experiencing significant downtime as a result… View 1 response to this answer on our full site

By neha We are in the same boat. Even today they closed the ticket #1445131 without opening the 8083 port. Weird way of resolving things by blocking a port globally.

By archosaur2 Moved to Linode, panel and site works excellent, no need to begging weird support to unblock something.

PS. I used DO since 2015 but, no more.

By tothdaniel87 Hi, my droplet was affected by the VestaCP vulnerability. I host several sites on this droplet. I requested to boot it in the recovery tool to download data from it. I did it immediately and completely rebuilt the droplet with a new Debian image. I requested to boot the droplet back to its disk, but I get no answer…

So now it is almost 5 days since my droplet went offline and DigitalOcean does not answer tickets.

I need the same IP address, because many domains are redirected to this IP, which I cannot change. So rebuilding the droplet is the only option for me. I have been using DigitalOcean for more than 4 years now, but this failure of support is shocking. Please respond on my ticket: #1448429

By ooo34rus Hello.

I checked and deleted the vulnerable files and disabled the vesta service.

Please, turn networking back on my droplets.

My tickets:

1461992

1455447

1462500

1462122

1461845

1461882

1462015

1445568

1462125

1456021

1462120

1462123

1456046

By spidoyman Hello,

please check my ticket :) ==> Ticket #1474222

By karimhb Access the VPS via the emergency console. Scan your VPS:

clamscan -r -i /

I found the trojan here:

/lib/libudev.so: Unix.Trojan.DDoS_XOR-1 FOUND

I successfully removed the trojan using the instructions on https://admin-ahead.com/forum/server-security-hardening/unix-trojan-ddos_xor-1-chinese-chicken-multiplatform-dos-botnets-trojan/

Reboot your VPS and scan it again:

clamscan -r -i /

and make sure the cron job has been removed:

ls -la /etc/cron.hourly/

Now that the trojan has been removed, you can request to remove the ban on your VPS network.
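The manual checks that narinderbansalmonk, elninja, tcaseng86 and karimhb describe (the /etc/cron.hourly/gcc.sh file, the /lib/libudev.so file, and cron entries that reference them) collected into one shell function. This is an added example, not code from any post in this thread or from VestaCP or DigitalOcean. It takes the root of the filesystem to inspect as a parameter (my assumption), so it works against a Droplet’s disk mounted under the recovery environment (for example /mnt) as well as against a live system with /, and it reads the cron spool files directly instead of calling crontab, so it also works when cron is stopped or the system is offline. A count of zero only says these specific indicators are absent, which is exactly what the posts above check; it does not prove the host is clean.

```shell
#!/bin/sh
# Added example: look for the VestaCP-related indicators discussed in this thread.
# Assumption: $1 is the root of the filesystem to inspect ("/" on a live system, or the
# mount point of the Droplet's disk under the recovery environment, e.g. /mnt).

# count_vesta_ioc ROOT -> prints the number of indicators found (always exits 0);
# each individual hit is reported on stderr.
count_vesta_ioc() {
    root=${1%/}          # "/" becomes "", so "$root/etc" is "/etc"
    hits=0

    # 1. The hourly cron file named in the thread
    if [ -e "$root/etc/cron.hourly/gcc.sh" ]; then
        echo "HIT: $root/etc/cron.hourly/gcc.sh exists" >&2
        hits=$((hits + 1))
    fi

    # 2. The library path named in the thread. A stock Debian/Ubuntu/CentOS system keeps
    #    libudev under a multiarch or lib64 directory as libudev.so.1, not as /lib/libudev.so.
    if [ -e "$root/lib/libudev.so" ]; then
        echo "HIT: $root/lib/libudev.so exists" >&2
        hits=$((hits + 1))
    fi

    # 3. Cron entries that reference either path: the system crontab, /etc/cron.d, and the
    #    per-user spools (Debian-family and Red Hat-family locations), read from disk so
    #    this works offline and without calling crontab(1).
    for c in "$root/etc/crontab" "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$c" ] || continue
        if grep -Eq 'gcc\.sh|libudev\.so' "$c"; then
            echo "HIT: cron entry referencing gcc.sh/libudev.so in $c" >&2
            hits=$((hits + 1))
        fi
    done

    echo "$hits"
}

# check_vesta_ioc ROOT -> exit 0 when none of the indicators is present, 1 otherwise
check_vesta_ioc() {
    n=$(count_vesta_ioc "$1")
    if [ "$n" -eq 0 ]; then
        echo "no known indicators under ${1:-/}; this rules out only what was checked"
        return 0
    fi
    echo "WARNING: $n indicator(s) found under ${1:-/}; treat the Droplet as compromised and rebuild"
    return 1
}
```

Usage from the recovery environment after mounting the disk: `check_vesta_ioc /mnt`; on a running system: `check_vesta_ioc /`. If it reports hits, the advisory at the top of this page applies: back the data up and move to a fresh Droplet rather than cleaning in place, since a root-level compromise can leave more behind than these three indicators.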