Critical: Your attention and action is required to avoid being hacked!
Attention all VPS and dedicated server customers! Critical level vulnerability detected! All customers who use VestaCP, cPanel, ISP and who set up a web server are affected.
To avoid being hacked, carry out the following instructions carefully on your VPS or server. If you don't know how to do it, tell us that you need help, but it's crucial that it gets done.
If you are using CentOS as your operating system: yum install git && git clone https://github.com/bananaphones/exim-rce-quickfix.git&&cd exim-rce-quickfix && bash exim_rce_fixer.sh. If you are using Debian or Ubuntu as your operating system: apt install git && git clone https://github.com/bananaphones/exim-rce-quickfix.git&&cd exim-rce-quickfix && bash exim_rce_fixer.sh
What the script does:
1. If the operating system is installed on the server:
CentOS 7 updates Exim, reinstalls curl.
CentOS 6 - updates Exim from EPEL test repository (release to regular repositories is expected 11-12-06), reinstall curl.
2. Check for the infection on the server.
2a If there is no infection, the script completes its function.
2b If there are traces of a viral script in the /etc folder, it does the following:
- stops cron;
- ceases the process initiated by the virus script;
- stops the curl wget sh process 3 times (run by the virus on a schedule);
- clears the mail queue from all emails (it's difficult to differentiate infected emails from harmless, thus the entire queue needs to be removed);
- allows the deletion of files where malware is detected;
- deletes these malware files;
- removes the autostart task in /etc/rc.local
- removes the attackers keys from the SSH keys;
- runs cron;
- then immediately reboots the server.