Web Terminal Hack

JvwComputing · May 29, 2026, 1:27pm

Same here. Also had to remove libnss_cache.so.2

masterguru · May 31, 2026, 9:40am

In my case the vulnerability was exploited since February 26 in several of my HestiaCP servers, integrating them in a botnet.

So take attention to these files too:

/etc/systemd/system/health.timer
/etc/systemd/system/health.service
/etc/systemd/system/timers.target.wants/health.timer

If you find them then you server is in a botnet.

Follow these steps to remove them:

systemctl stop health.timer health.service
systemctl disable health.timer health.service
rm /etc/systemd/system/health.timer \
   /etc/systemd/system/health.service \
   /etc/systemd/system/timers.target.wants/health.timer
systemctl daemon-reload

# verify they are gone
systemctl list-timers | grep health

jasonwch · May 31, 2026, 11:13am

One more ask, may I know how do ths web terminal service be exploited? through the port accessing HestiaCP?

Coz I didnt reverse proxy a domain for HestiaCP, and Hestiacp is only accessible by a specific port which is blocked for most of the countries

tom1 · May 31, 2026, 3:28pm

The rule in cybersecurity is that when RCE occurs, the server can no longer be trusted. Attacker might have set up their own SSH keys, installed rootkits to conceal other malicious processes, changed passwords or stolen databases.

pakdhetimin · June 3, 2026, 5:02am

i have upgraded from v1.9.4 to 1.9.6 (debian 12) and web terminal installed.

is this upgrade fix (remove) that security issue on web terminal plugin? because after upgraded to 1.9.6, web terminal stop working so i disabled it.

sahsanu · June 3, 2026, 7:25am

Yes, it’s supposed to fix it.

Also, yes, the web terminal is missing the Node.js modules it depends on, as well as some additional components/conf. I opened an issue about this, but no further details have been provided yet:

github.com/hestiacp/hestiacp

[Bug] Hestia 1.9.5 - Web Terminal doesn't start

opened 09:36PM - 28 May 26 UTC

sahsanu

bug

### Describe the bug After the upgrade to Hestia 1.9.5, the `hestia-web-termina…l` service doesn't start and it's because it doesn't have the `node_modules` installed. To fix it: ``` cd /usr/local/hestia/web-terminal npm install ``` After that the service starts but if you try to use the web terminal you only get: ``` Your session has expired. ``` And that's because it tries to use a missing php file `/usr/local/hestia/web-terminal/web-terminal-session-auth.php`: ``` server.js[242164]: Could not open input file: /usr/local/hestia/web-terminal/web-terminal-session-auth.php server.js[242164]: Session helper failed for 3la6dl33js19afb150tmlq2v9g, refusing connection: Command failed: /usr/local/hestia/php/bin/php /usr/local/hestia/web-terminal/web-terminal-session-auth.php 3la6dl33js19afb150tmlq2v9g ``` @divinity76 Could you please take a look? ### Tell us how to replicate the bug Try to connect to Web Terminal. ### Which components are affected by this bug? Control Panel Web Interface, Control Panel Backend ### Hestia Control Panel Version 1.9.5 ### Operating system Debian 12 ### Log capture ```shell ```

I recommend disabling it until further notice.

fwm · June 7, 2026, 8:16am

you should check for:

a dropper/loader: /usr/lib/__hesti/__hesti
a preload reference: /etc/ld.so.preload

and try to get rid of those too - the dropper/loader was a bit of a pain and I couldn’t get rid of it until I got some help from ChatGPT…

maurice · June 7, 2026, 9:22am

Once a server is compromised you can’t trust it anymore. Wipe it, reinstall, and only restore backups from before the hack (that is, if the backups are stored on a different system which isn’t compromised).

JvwComputing · June 7, 2026, 3:15pm

Thank you, yes I also removed /usr/lib/__hesti/__hesti and /etc/ld.so.preload.

dotasense · June 9, 2026, 2:38am

Are there any scripts to check if my server has been compromised?

jasonwch · June 10, 2026, 1:47pm

May I know the actual exploit details? like through HCP port to get access to web terminal hack? or

I didnt do reverse proxy to HCP, I access it with port suffix