Today we started to see our packet counter monitors triggering all over the place. At a closer look we’ve noticed a common pattern: scripts flooding from customers’ virtual machines running Kloxo.
A zero-day exploit has been identified in Kloxo control panel today. Here’s a discussion related to this.
We decided a few hours ago to proactively fix this inside ALL machines running Kloxo:
- identify offending script that was uploaded and
chmod 0the directory
- stop the kloxo daemon
- email each and every (!) customer about this exploit and explaining the actions we took
Ionut and Ovidiu have just completed these steps and we managed to stop this pest, for now.
We don’t normally run commands inside customers’ virtual machines, but we decided that it’s the best action we can take in the interest of everyone involved. And by everyone, I mean everyone: compromised machine’s owner, other IntoVPS customers, IntoVPS employees and stakeholders, internet community.
Here’s the email we’ve sent:
Subject: IntoVPS – Kloxo installation compromised for server
You are receiving this notification because you are running Kloxo panel management on your VPS named XXXXXXX.
It seems that Kloxo installations are compromised with a randomly-named PHP file placed into /home/kloxo/httpd/default/, which is the ‘default’ site accessible by IP address and that kloxo appear to be spawning a large number of httpd processes. Further investigation shows they’re all sending out volumes of traffic as part of a ddos.
Here is an example of a compromised file uploaded in /home/kloxo/httpd/default: http://disclosed.info/?7c12a1a4560b7664#5fpnfdknf4EfBcGqLjeV9/vAY1RXEKkLC3+fqm16c6E=
At this moment there isn’t any fix published for Kloxo and as a workaround for this particular issue, we are going to change the permission of that folder to 0 with the following command:
chmod 0 /home/kloxo/httpd/default/
chmod 0 /home/admin/*/cgi-bin
Also is it better for now to stop kloxo daemon until a proper fix is released.
We also noticed the same particular file being uploaded in the cgi-bin folders of the website managed by admin users. I strongly advice to check this as well and remove or change permission of those files that contains the same patern as soon as possible.
If you have any questions, please let us know.