October 2018, an altered installation script for the VestaCP control-panel interface was found by ESET. The interface is used by system administrators to manage servers. The altered script reports back generated admin credentials. An Internet scan from Censys shows that there are more than 132,000 unexpired related TLS certificates.

  • The hack most likely started by exploiting a critical vulnerability on the VestaCP server.
  • Attackers added the password-sniffing functions to the installation source code. VestaCP software already contained code sending statistical information from user servers back to the website. The hackers simply added code to include encoded passwords.
  • The hackers retrieved the passwords from the VestaCP server.
  • Using SSH, the attackers infected the with the passwords gained servers with ChachaDDoS, a relatively new strain of malware.

The modified installation script was visible in the VestaCP source code management on GitHub between May 31 and June 13. And this is from April, long before May, and this is a snapshot of continued problems from September, well after June.