We decided a few hours ago to proactively fix this inside ALL machines running Kloxo:
identify the offending script that was uploaded and chmod 0 the directory
stop the Kloxo daemon
email each and every (!) customer about this exploit, explaining the actions we took
Ionut and Ovidiu have just completed these steps and we managed to stop this pest, for now.
We don’t normally run commands inside customers’ virtual machines, but we decided that it’s the best action we can take in the interest of everyone involved. And by everyone, I mean everyone: the compromised machine’s owner, other IntoVPS customers, IntoVPS employees and stakeholders, and the internet community.
Here’s the email we’ve sent:
Subject: IntoVPS – Kloxo installation compromised for server
You are receiving this notification because you are running Kloxo panel management on your VPS named XXXXXXX.
It seems that Kloxo installations are compromised with a randomly-named PHP file placed into /home/kloxo/httpd/default/, which is the ‘default’ site accessible by IP address, and that Kloxo appears to be spawning a large number of httpd processes. Further investigation shows they’re all sending out volumes of traffic as part of a DDoS.
Here is an example of a compromised file uploaded in /home/kloxo/httpd/default: http://disclosed.info/?7c12a1a4560b7664#5fpnfdknf4EfBcGqLjeV9/vAY1RXEKkLC3+fqm16c6E=
At this moment there isn’t any fix published for Kloxo and as a workaround for this particular issue, we are going to change the permission of that folder to 0 with the following command:
Also, it is better for now to stop the Kloxo daemon until a proper fix is released.
We also noticed the same particular file being uploaded in the cgi-bin folders of the websites managed by admin users. I strongly advise you to check this as well and remove or change the permissions of those files that contain the same pattern as soon as possible.
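A read-only triage sketch for the indicators named in the notification above, added here as an example and not taken from IntoVPS or Kloxo: it lists recently changed PHP files in the default site directory and recently changed files in cgi-bin directories, and reports whether the chmod 0 workaround is in place. The `ROOT` prefix argument, the 7-day default window, searching for `cgi-bin` under `/home`, and GNU `stat` are assumptions.

```shell
#!/bin/sh
# Added triage example (not IntoVPS's or Kloxo's code). Read-only: it lists
# files for manual review and reports directory modes; it changes nothing.

# Default-site path as given in the notification.
DEFAULT_SITE=/home/kloxo/httpd/default

# PHP files directly inside DIR that changed within the last DAYS days.
recent_php() {  # usage: recent_php DIR DAYS
    [ -d "$1" ] || return 0
    find "$1" -maxdepth 1 -type f -name '*.php' -mtime "-$2" 2>/dev/null | sort
}

# Recently changed files in every cgi-bin directory below BASE (assumption:
# the managed sites live somewhere under BASE).
recent_cgi_bin() {  # usage: recent_cgi_bin BASE DAYS
    [ -d "$1" ] || return 0
    find "$1" -type d -name cgi-bin 2>/dev/null | sort | while IFS= read -r d; do
        find "$d" -maxdepth 1 -type f -mtime "-$2" 2>/dev/null | sort
    done
}

# Succeeds only if DIR has mode 0, i.e. the chmod workaround is applied.
dir_locked() {  # usage: dir_locked DIR   (GNU stat assumed)
    [ "$(stat -c '%a' "$1" 2>/dev/null)" = "0" ]
}

# Full report. ROOT is a path prefix so the same check can run against a
# mounted container filesystem; an empty ROOT means the live system.
audit() {  # usage: audit ROOT DAYS
    site="$1$DEFAULT_SITE"
    if [ ! -e "$site" ]; then
        echo "MISSING $site"
    elif dir_locked "$site"; then
        echo "LOCKED $site"
    else
        echo "OPEN $site"
        recent_php "$site" "$2" | sed 's/^/REVIEW /'
    fi
    recent_cgi_bin "$1/home" "$2" | sed 's/^/REVIEW /'
}

# Run against the live filesystem only when asked: ./triage.sh --live [DAYS]
if [ "${1:-}" = "--live" ]; then audit "" "${2:-7}"; fi
```

A `REVIEW` line only means the file changed recently; whether it is the uploaded script still has to be decided by inspecting it.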
Arch Linux 2012.05 is now available to install on your VPS. It contains needed fixes to run properly on OpenVZ. As usual, you can reinstall your VPS from Hypanel or order a new one and choose this template.
On April 5th 2012 we will remove the live chat support. We feel that your questions are much better answered in email and this is a much better suited support channel for our VPS hosting service.
Our support staff will continue to be available 24/7 and our target is to answer any ticket in a few minutes, our current response time being under 10 minutes. You can also reach us by phone at +40 364 566 777.
I want to remind you about our community support channels where you’ll find other customers and also our staff:
We’re launching our second Amsterdam location: the Evoswitch data center. We’ll continue to use the Leaseweb network and services here too, just the physical location is changing.
All new orders for Amsterdam are now deployed in Evoswitch.
Here’s the data center presentation:
Amsterdam 1 (Easynet data center) is full and we’re no longer deploying VPS systems there. But if for some reason you really want a VPS in Amsterdam 1, we might still find some room for 1 or 10 VPS’es.
We are moving all our hosted VPS systems from Cluj-Napoca, Romania to the Omnilogic data center, near Bucharest.
Omnilogic is the newest data center in Romania and the only one that is tier 3 certified.
You can find more details about the data center here.
Customers will also experience improved network latency of up to 20 ms because all ISP peering is done in Bucharest and because we’ll be using one of the best connected and engineered networks in Romania: the Hostway network. You can test latency and run trace routes to 22.214.171.124.
This is an important step forward and it will improve the uptime, stability and performance of our VPS systems in Romania.
All customers have been emailed and informed regarding the details of this migration.
Customers that are not hosted in Cluj-Napoca, Romania will not be affected by this migration.
IP addresses of your VPS will not change during this migration.
We are expecting to complete the migration of all VPS systems in Cluj-Napoca in 3 months.
We are also replacing all our servers with new hardware that runs on Intel Xeon E3-1230.
Besides the performance and stability gain, all new servers use hot swap hard drives allowing us to replace failing disks without rebooting the server and with no interruption to customer’s VPS systems.
And the Super Micro remote console (IPMI) allows us to work on a server even if the OS is no longer responding.
You can also migrate your VPS by yourself if you prefer: just order a new VPS and move your data. Once you’re done, open a support ticket and tell us to delete your Cluj VPS and move the remaining paid service days to the newly ordered VPS. Our office will not move to Bucharest. You’ll find us in Cluj-Napoca at the same address.
If you have any questions you can chat with other customers on our forum or open a support ticket.
All VPS orders in Romania are now being deployed in Omnilogic, Bucharest.
After launching our new site yesterday (don’t forget to visit our new forum, by the way: http://www.intovps.com/forum/) we’re now opening a new location: London, UK.
We’ve kept our excellent prices even in London, which is usually higher priced. Our VPS packages start at $10 / month, as usual.
Our servers are placed in the Virtus Data Center (or “data centre”, if you like ;)) in Enfield, 12 miles North from the center of London. The network, operated by Coreix, offers very low latency for UK customers and includes links to: Tiscali International, Level 3, Abovenet, Enta, Goscomb, LINX, LONAP.
Here’s an IP for ping and trace route tests: 126.96.36.199. We’ll add a download test shortly.
Some of the IntoVPS staff members will be hanging at WHD Cluj tomorrow.
Ironically, just a couple of days ago we found out about the event – which is happening in our town, Cluj-Napoca – from some Dutch partners. I think the event was poorly promoted since the Romanian hosters that we talked to did not know about the event.
We don’t have a formal exposition booth but we’ll attend some of the presentations and we’ll be hanging at the hotel.
If you want to say hi and meet us tweet something with the #intovps tag (you can also use @intovps) or leave a comment below.