CVE-2018-25117
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-16
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| linux | linux | * |
| vestacp | vestacp | * |
| lua | lua | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-506 | The product contains code that appears to be malicious in nature. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2018-25117 is a critical supply-chain compromise affecting VestaCP's Debian installer between May 31 and June 13, 2018. The compromised installer contained embedded malicious code that leaked administrative credentials (including base64-encoded admin passwords and server domain information) to an external URL during installation. It also installed and executed Linux/ChachaDDoS, a multi-stage DDoS bot malware that uses Lua scripts for its second- and third-stage components. This malware runs with local system privileges and causes infected servers to participate in large-scale DDoS attacks. The vulnerability was actively exploited in the wild and has a high severity score (CVSS v4 score of 9.3). The issue was fixed in later patches that removed the malicious code and improved security measures. [1, 8, 7]
How can this vulnerability impact me?
This vulnerability can severely impact you by compromising your server's security and integrity. During installation, your administrative credentials can be leaked to attackers, allowing unauthorized access. The compromised installer installs a DDoS bot malware (Linux/ChachaDDoS) that runs with local system privileges, enabling attackers to control your server to participate in large-scale distributed denial-of-service (DDoS) attacks. This can lead to your server being used maliciously, potential service disruptions, unauthorized access, and loss of control over your system. Additionally, attackers may execute arbitrary payloads with elevated privileges and erase logs to cover their tracks, making detection and recovery difficult. [1, 2, 8, 7]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2018-25117 involves checking for indicators of compromise such as the presence of the malicious trojan binary /usr/bin/dhcprenew, which disguises itself as a kernel worker process. Administrators should verify whether this binary exists and remove it if found. Monitoring for unusual SSH activity, such as unauthorized password changes without log entries and execution of suspicious payloads (e.g., files like /var/tmp/creator-x86_64-1), is important. Additionally, checking for the Linux/ChachaDDoS persistence mechanisms, such as init.d service scripts (/etc/init.d/dhcprenew) and symlinks in /etc/rc*.d/ directories, can help detect infection. Network detection can include monitoring outbound connections to suspicious IP ranges (e.g., 193.201.224.0/24 on port 8852) and unusual DDoS traffic patterns. Suggested commands include:
- `ls -l /usr/bin/dhcprenew` to check for the trojan binary
- `ps aux | grep dhcprenew` to see if the process is running
- `ls -l /etc/init.d/dhcprenew` and `ls -l /etc/rc*.d/*dhcprenew` to check for persistence scripts
- `ls -l /var/tmp/ | grep -i 'creator-x86_64-1'` to look for the dropped payload, and `ls -l /var/tmp/creator-x86_64-1` to check its permissions
- reviewing SSH logs (e.g., /var/log/auth.log or /var/log/secure) for suspicious activity, although attackers may have deleted these logs
- monitoring network connections with `netstat -anp | grep 8852` or using tools like `tcpdump` to detect connections to known C&C IPs
Because attackers may erase logs and use stealthy methods, combining file system checks, process monitoring, and network traffic analysis is recommended. [2, 7, 8]
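The file-system, process and network checks listed above, collected into one POSIX shell function as an added example (not code from BaseFortify or the VestaCP project). The `ROOT` argument is an assumption added here so the same file checks can run against an offline copy of a suspect filesystem; the process and port-8852 checks run only against the live root.

```shell
#!/bin/sh
# Added example (not BaseFortify or VestaCP code). ROOT defaults to / (live host);
# pass the mount point of an offline disk image to check its files instead.
# Returns the number of indicators found (0 = nothing found).
vestacp_ioc_scan() {
    root="${1:-/}"
    found=0

    # Trojan binary that masquerades as a kernel worker process
    if [ -e "$root/usr/bin/dhcprenew" ]; then
        echo "[IOC] trojan binary present: $root/usr/bin/dhcprenew"
        found=$((found + 1))
    fi

    # Persistence: init.d service script plus rc*.d symlinks (counted once)
    if [ -e "$root/etc/init.d/dhcprenew" ]; then
        echo "[IOC] init script present: $root/etc/init.d/dhcprenew"
        found=$((found + 1))
    fi
    for link in "$root"/etc/rc*.d/*dhcprenew; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # skip unmatched glob
        echo "[IOC] rc symlink present: $link"
        found=$((found + 1))
        break
    done

    # Dropped payload observed in the 2018 incident
    if [ -e "$root/var/tmp/creator-x86_64-1" ]; then
        echo "[IOC] payload present: $root/var/tmp/creator-x86_64-1"
        found=$((found + 1))
    fi

    # Live host only: running process and connections to the C&C port/range
    if [ "$root" = "/" ]; then
        if pgrep -x dhcprenew >/dev/null 2>&1; then
            echo "[IOC] dhcprenew process is running"
            found=$((found + 1))
        fi
        if command -v ss >/dev/null 2>&1 &&
           ss -ntu 2>/dev/null | grep -Eq ':8852([[:space:]]|$)|193\.201\.224\.'; then
            echo "[IOC] connection involving port 8852 or 193.201.224.0/24"
            found=$((found + 1))
        fi
    fi
    return "$found"
}

# Stand-alone use: scan the live host, or an offline root given as $1
vestacp_ioc_scan "${1:-/}" || echo "WARNING: $? indicator(s) found; see lines above"
```

A non-zero exit status means at least one indicator was found; the lines printed before it name each one.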
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1. Verify whether your server is compromised by checking for the presence of the /usr/bin/dhcprenew trojan binary and removing it if found.
2. Change all VestaCP admin passwords immediately, especially if you suspect compromise.
3. Update VestaCP installations to version 0.9.8-23 or later, which includes fixes for this vulnerability and removes the compromised installer behavior.
4. Ensure that your system is patched and that you use official, verified VestaCP packages from trusted repositories.
5. Restrict SSH access by using strong passwords, disabling root login, and employing IP whitelisting or key-based authentication.
6. Monitor for unusual SSH login attempts and brute-force attacks, and consider using tools like fail2ban.
7. Check for and remove any suspicious files or payloads such as /var/tmp/creator-x86_64-1.
8. Review sudo permissions to ensure they are limited to necessary commands only.
9. Monitor network traffic for connections to known malicious IP ranges and block them if possible.
These steps help prevent further exploitation, remove existing malware, and secure the environment against similar attacks. [2, 7, 8]