MartinD

Retired Staff
Verified Provider
I'm edging towards the same. Just not worth the hassle at all.


Can lead a horse to water and all that
 

Magiobiwan

Insert Witty Statement Here
Verified Provider
Anyone have a hash of the binary? Next time I spot a compromised VPS I'll grab an md5 hash of the binary, but if anyone has it now, that would be useful. Still out of /tmp I assume?
 

serverian

Well-Known Member
Verified Provider
#!/bin/bash

# Walk every OpenVZ container on the node and, for each one that has zPanel
# installed, offer to remount its /tmp as a nodev,nosuid,noexec tmpfs.
containers=$(ls /vz/private/)
for CTID in $containers
do
    if [ -d /vz/private/$CTID/etc/zpanel/ ]; then
        echo "VM: $CTID running zPanel"
        # avoid too many arguments error; match the /tmp mount point only
        MOUNTED=$(vzctl exec $CTID cat /proc/mounts | grep ' /tmp ')
        if [ -z "$MOUNTED" ]; then
            echo "VM ID: $CTID is running zpanel and tmp is not secured. Wanna secure it? (y/n)"
            read ANSWER
            if [ "$ANSWER" = "y" ]; then
                echo "Done on VM ID: $CTID"
                # wipes whatever is currently in the container's /tmp
                vzctl exec $CTID rm -rf /tmp
                vzctl exec $CTID mkdir -p /tmp
                # quote the whole command so the >> redirect runs inside the
                # container; unquoted it would append to the node's own /etc/fstab
                vzctl exec $CTID 'echo "none /tmp tmpfs nodev,nosuid,noexec 0 0" >> /etc/fstab'
                vzctl exec $CTID mount /tmp
            fi
        fi
    fi
done
Run on the nodes and done! No need to suspend those poor bastards!

Credit goes to @Zen
 

Me.B

New Member
I think we're at 10 shutdowns and counting this morning.
Hi,

Could you check which zPanel version they are running? The reports we got say it tries to hack old zPanel 10.1.0, for which we released a security patch.

zPanel used the pChart2 lib, which had a 0-day flaw. So we updated zPanel. And it seems that now, 2 months later, hackers use our security notice to hack zPanel again.

I would appreciate any info or logs you have. You can PM me if it requires privacy.

M B
 

Me.B

New Member
This is a custom enhanced .htaccess; you should advise zPanel users to set it, and this will limit much of the possible damage.
 

RewriteEngine on
# zPanel front-controller rewrites (targets live under bin/ and etc/apps/)
RewriteRule ^api/([^/\.]+)/?$ bin/api.php?m=$1 [L]
RewriteRule ^apps/([^/\.]+)/?$ etc/apps/$1 [L]

# - deny direct requests to zPanel's writable cache/temp directories
#   (no leading slash inside the group: per-directory rules see paths relative to this file)
RewriteRule ^(etc/tmp|etc/zppy-cache|etc/lib/pChart2/cache|etc/build) - [F,L,NC]

# - deny access to some locations
#   only for the original client request: the api/apps rewrites above are re-run
#   through this file as an internal redirect (REDIRECT_STATUS is set) and must not be blocked
RewriteCond %{ENV:REDIRECT_STATUS} ^$
RewriteRule ^/?(\.git|\.tx|SQL|bin|config|logs|temp|tests|program\/(include|lib|localization|steps)) - [F]
# - deny access to some documentation files
RewriteRule /?(README\.md|composer\.json-dist|composer\.json|package\.xml)$ - [F]
Also, the Roundcube shipping with 10.1.0 has an RCE, so it needs to be updated.

M B
 

Me.B

New Member
Great hack, but I can provide you with paths to delete if you want.

Or more interesting ways to check the zPanel version.

Notice zPanel also uses these temp directories:

/var/zpanel/temp

and

/etc/zpanel/panel/etc/tmp

M B
 

MartinD

Retired Staff
Verified Provider
Changed again....

"pxinit"

exe ->  (deleted)/dev/shm/40A/work/pxinit
 

Me.B

New Member
The main problem is with MySQL. So, to avoid breaking it, we might change the default MySQL temp folder to /var/temp.

This would allow 666 /tmp without side effects.

Did you guys notice the user running the process? We could ban Apache from executing there too.

We are trying our best to help over this.

M B
 

WebSearchingPro

VPS Peddler
Verified Provider
Not sure if anyone brought it up yet, but these processes are actually bitcoin mining software in the form of malware. 

Tracked the traffic back to a central stratum mining address.

It deletes itself after it runs and runs in memory to prevent deconstructing it. 
 

Me.B

New Member
Or... just fix it.
BUT it has already been fixed for months!! This affects the old release. You always react like we don't issue patches.

I just pointed out the limit of the current solution.


Replacing the temp directory in /etc/my.cnf with a sed will avoid customer troubles and save you time dealing with ranting customers.


M B
 
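The my.cnf change Me.B describes, as an added example that is not from the thread or from the zPanel project: it rewrites (or adds) the tmpdir under [mysqld] so a noexec /tmp does not break mysqld, and loops over containers the way the earlier node script does. The [mysqld] section, the /var/temp target, the mysql user/group name and a mysqld restart afterwards are assumptions.

```shell
#!/bin/bash
# Added example, not from the thread: relocate mysqld's tmpdir so that a noexec
# /tmp (as set up by the script earlier in the thread) does not break MySQL.
# Assumptions: my.cnf has a [mysqld] section; the new tmpdir is /var/temp.
set -u

# set_mysql_tmpdir <my.cnf> <dir>: replace the tmpdir= line in [mysqld], or add
# one at the end of that section if none exists; extra tmpdir lines are dropped.
set_mysql_tmpdir() {
    local cnf="$1" dir="$2" tmp
    [ -f "$cnf" ] || { echo "no such file: $cnf" >&2; return 1; }
    tmp=$(mktemp) || return 1
    awk -v dir="$dir" '
        /^[[:space:]]*\[/ {                 # a section header ends the previous section
            if (insec && !seen) { print "tmpdir = " dir; seen = 1 }
            insec = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/)
        }
        insec && /^[[:space:]]*tmpdir[[:space:]]*=/ {
            if (!seen) { print "tmpdir = " dir; seen = 1 }
            next
        }
        { print }
        END { if (insec && !seen) print "tmpdir = " dir }
    ' "$cnf" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$cnf"      # keep the original file's owner and mode
    rm -f "$tmp"
}

# get_mysql_tmpdir <my.cnf>: print the tmpdir configured under [mysqld]
get_mysql_tmpdir() {
    awk '
        /^[[:space:]]*\[/ { insec = ($0 ~ /^[[:space:]]*\[mysqld\][[:space:]]*$/) }
        insec && /^[[:space:]]*tmpdir[[:space:]]*=/ {
            sub(/^[[:space:]]*tmpdir[[:space:]]*=[[:space:]]*/, ""); print; exit
        }
    ' "$1"
}

# Node-side loop, same shape as the thread's script: edit each zPanel container's
# my.cnf via its /vz/private path, then create the directory inside the container
# (mysql user/group name and the need to restart mysqld afterwards are assumptions).
if [ -d /vz/private ]; then
    for CTID in $(ls /vz/private/); do
        cnf=/vz/private/$CTID/etc/my.cnf
        [ -d /vz/private/$CTID/etc/zpanel ] && [ -f "$cnf" ] || continue
        set_mysql_tmpdir "$cnf" /var/temp
        vzctl exec "$CTID" 'mkdir -p /var/temp && chown mysql:mysql /var/temp && chmod 1770 /var/temp'
        echo "CT $CTID: mysqld tmpdir now $(get_mysql_tmpdir "$cnf") (restart mysqld to apply)"
    done
fi
```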

MartinD

Retired Staff
Verified Provider
Have you told customers that your product has been updated to resolve an issue... and what that issue is?
 