For zPanel Users

Maounique Host Rep, Veteran

Please check your server load, if it is very high and you have a process called ksoftirqx using the CPU, it is time to think about another panel and reinstall. Lately there was an epidemic of such issues, I am now dealing with 3-4 cases A DAY!

Comments

  • Fritz Veteran

    what is ksoftirqx thing?

  • Spencer Member
    edited April 2014

    The devil user @zen made this little script to help detect the abuse:

    http://pastebin.com/raw.php?i=8bJCPCBQ

    A notice for you all! Don't run zpanel with an unsecured tmp!!!

    Thanked by 1 Maounique
  • lazyt Member
    edited April 2014

    http://www.tin.org/bin/man.cgi?section=9&topic=ksoftirqd

    Whoops, brain fart day, just noticed you had the x, not the d. I had interrupt problems on a laptop and the ksoftirqd was doing that.

  • Maounique Host Rep, Veteran
    edited April 2014

    That is not what I said, ksoftirqd is legit, however, you will not see it in a container because it does not have its own kernel, only on the node.

    @Spencer said:
    The devil user serverian made this little script to help detect the abuse:

    http://pastebin.com/raw.php?i=8bJCPCBQ

    A notice for you all! Don't run zpanel with an unsecured tmp!!!

    Thanks, but I really had enough of zPanel, better put it to rest :(
    It also does not solve the issue on xen/kvm.
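
Added example, not part of the thread and not the pastebin script linked above: one way to tell the legitimate ksoftirqd kernel threads from a user-space process borrowing a similar name such as ksoftirqx, using what Linux exposes in /proc (kernel threads are children of kthreadd, PID 2, and have an empty cmdline). The function names and the list of world-writable directories are assumptions chosen for illustration.

```python
import os

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed list, adjust per host

def read_proc(pid, root="/proc"):
    """Read comm, ppid, cmdline and exe for one PID from a procfs tree."""
    base = os.path.join(root, str(pid))
    with open(os.path.join(base, "stat")) as f:
        stat = f.read()
    # comm sits in parentheses and may itself contain spaces or ')'
    comm = stat[stat.index("(") + 1:stat.rindex(")")]
    ppid = int(stat[stat.rindex(")") + 2:].split()[1])
    with open(os.path.join(base, "cmdline"), "rb") as f:
        cmdline = f.read()
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = None  # kernel thread, or not permitted to read the link
    return {"pid": pid, "ppid": ppid, "comm": comm, "cmdline": cmdline, "exe": exe}

def findings(p):
    """Return the reasons a process looks suspicious (empty list = clean)."""
    # Real kernel threads are kthreadd (PID 2) or its children, with no command line.
    if (p["pid"] == 2 or p["ppid"] == 2) and not p["cmdline"]:
        return []
    reasons = []
    if p["comm"].startswith("ksoftirq"):
        reasons.append("user-space process with a ksoftirqd-like name")
    if (p["exe"] or "").startswith(WRITABLE_DIRS):
        reasons.append("binary runs from a world-writable directory")
    return reasons

def scan(root="/proc"):
    """Map PID -> reasons for every flagged process under a procfs root."""
    flagged = {}
    for entry in filter(str.isdigit, os.listdir(root)):
        try:
            reasons = findings(read_proc(int(entry), root))
        except (OSError, ValueError):
            continue  # process exited between listing and reading
        if reasons:
            flagged[int(entry)] = reasons
    return flagged

if __name__ == "__main__":
    for pid, reasons in sorted(scan().items()):
        print(pid, "; ".join(reasons))
```

Reading the exe link of another user's process needs root, so run it as root inside the VPS; without that the name check still works but the directory check is skipped.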

  • Kill the process of ksoftirqx.

  • Maounique Host Rep, Veteran

    pauliakas said: Kill the process of ksoftirqx.

    Right, this surely solves the problem...

  • AlexanderM Member, Top Host, Host Rep

    I'd just not let clients use zpanel. More trouble than it's worth.

  • @Maounique said:
    Please check your server load, if it is very high and you have a process called ksoftirqx using the CPU, it is time to think about another panel and reinstall. Lately there was an epidemic of such issues, I am now dealing with 3-4 cases A DAY!

    Just tell your clients to update zPanel to the latest version and make sure you explain to them that they have an UNMANAGED service and having a VPS comes with some responsibilities. It is their job to keep the software up to date, not yours.

  • wych Member
    edited April 2014

    @DarioX said:
    Just tell your clients to update zPanel to the latest version and make sure you explain to them that they have an UNMANAGED service and having a VPS comes with some responsibilities. It is their job to keep the software up to date, not yours.

    But that alone turns it into a managed product, finding the ones that do and prompting them to react to system changes.

    Granted, it is quite a simple way to do it.

  • wych Member

    @Zen said:
    No, it adds value to service.

    True, don't get me wrong, I'm not saying that it shouldn't be done, just trying to re-affirm that most VPS on here are unmanaged and thus proper system admin should be done.

  • @wych said:
    True, don't get me wrong, I'm not saying that it shouldn't be done, just trying to re-affirm that most VPS on here are unmanaged and thus proper system admin should be done.

    "An ounce of prevention is worth a pound of cure."

    In other words, if finding and notifying affected clients is less work than cleaning up after them, such as dealing with suspensions and unsuspensions, then by all means find and notify them.

  • Maounique Host Rep, Veteran
    edited April 2014

    petris said: In other words, if finding and notifying affected clients is less work than cleaning up after them,

    That would be perfectly okay if you feel fine with looking into the customer's files, not to mention the pain with KVM encrypted file systems, for example...

    I am not saying an automated tool like that would be bad (except the fact that it makes changes in the files, but could be used only to notify, for example), however it does not work in all cases, and it is better to fight the spread of a way of thinking, because, if people use insecure products today and don't even update them, will do the same tomorrow if there are no consequences.

    No, as long as the host does not have the root password, a managed product and a ToS which allows snooping around, that is not a solution. I do notify the customers when I see that AFTER the load on the server told me something is wrong. I do not go in without a just cause, but if I do find them using zPanel AGAIN after being hacked before and receiving the same advice, then it is time to part ways.

    Thanked by 1 AuroraZ
  • wych Member

    @Maounique said:
    That would be perfectly okay if you feel fine with looking into the customer's files, not to mention the pain with KVM encrypted file systems, for example...

    Yeah I don't look through files.

  • Me_B Member

    @Maounique said:
    Please check your server load, if it is very high and you have a process called ksoftirqx using the CPU, it is time to think about another panel and reinstall. Lately there was an epidemic of such issues, I am now dealing with 3-4 cases A DAY!

    Sorry, did this affect 10.1.1 zpanel? Would you please give more details if you had? We are trying our best to investigate the issue. All our investigations led to the old zpanel that we fixed.

    Thanks again

    M B

    Thanked by 1 sz1hosting
  • jvnadr Member

    @Maounique @Me_B I have 3 vps's with zpanel installed, for testing purposes and one of them for testing a shoutcast module. As Maounique said, there is indeed an epidemic of high load cpu use in the previous version of ZPanel. I already removed them just after I did a short examination of the boxes. I didn't find any suspicious code there, but, it probably had been hacked or something, because the issue started to occur the last 4-5 days, with a day timeline between servers! All the three servers were installed with zpanel a lot of months ago and I didn't use them or examine them for a while (as I said before, I just wanted to test this panel). Me_B, I was sceptical about the criticism against zpanel, but there are probably a lot of issues to how your community handles the problems. If you discovered a big hole that caused such a behavior to the servers, then, you should give users a big warning about the specific issue calling them to immediately remove older versions with details about the nature of the problem. E.g., were the boxes hacked? Are the passwords stored there stolen?

  • Me_B Member

    @jvnadr said:
    Maounique Me_B I have 3 vps's with zpanel installed, for testing purposes and one of them for testing a shoutcast module. As Maounique said, there is indeed an epidemic of high load cpu use in the previous version of ZPanel. I already removed them just after I did a short examination of the boxes. I didn't find any suspicious code there, but, it probably had been hacked or something, because the issue started to occur the last 4-5 days, with a day timeline between servers! All the three servers were installed with zpanel a lot of months ago and I didn't use them or examine them for a while (as I said before, I just wanted to test this panel). Me_B, I was sceptical about the criticism against zpanel, but there are probably a lot of issues to how your community handles the problems. If you discovered a big hole that caused such a behavior to the servers, then, you should give users a big warning about the specific issue calling them to immediately remove older versions with details about the nature of the problem. E.g., were the boxes hacked? Are the passwords stored there stolen?

    You want warning? What about checking news section in zpanel? You got there all zpanel announcements!

    It's RSS feed from:

    http://forums.zpanelcp.com/Forum-News-Announcements--36

    See the issues were reported 2 months ago by the team.

    You can subscribe to zpanel security email list:

    https://groups.google.com/forum/#!forum/zpanel-alerts

    AND all users received emails.

    We are thinking about SPAMMING ALL our forum users too, but still checking that. So do you think that we kept it secret?

    You should check the announcements, at least those in the control panel itself! We might think to add a popup over this but the easiest way is the mailing list, and we send 2 emails over the issues. A lot of users immediately rushed and upgraded.

    You just needed to upgrade not remove the last release.

    M B

  • Me_B Member

    Forgot you still have zpanel twitter account:

    https://twitter.com/ZPanelCP

    And facebook page:

    https://www.facebook.com/ZpanelCP

    And we will add a blog/news section too for security....

    So I will be happy @jvnadr if you point me how we can improve more our zpanel alerts?

  • Maounique Host Rep, Veteran
    edited May 2014

    @Me_B said:
    M B

    I am sorry, but cannot disclose customer data, in fact, I am not even looking in the VPSes, I just saw the process, investigated it a bit, saw it was linked to zPanel, stopped right there as in many other hacking cases before. I am not joking or lying, I have nothing to gain from it, I am promoting Virtualmin GPL because development of EHCP I liked before stopped, zPanel is the source of way too many headaches to be worth looking into yet another issue, I am sorry, I know how it is as I was once a developer and QA for some software, but this is simply too much. Other panels have bugs, other panels are hard to use, other panels cost money and have bugs and are hard to use, etc, but none has so many security issues being in active development as zPanel. This is the sad truth, it forces me to recommend everyone I see spamming, DDoSing, with huge load out of the blue without even checking if they use it to get rid of zPanel, and, guess what, most reply I didn't know there is a problem with it :(

    Thanked by 1 lazyt
  • wych Member

    Mao, that was well written and about the best post on this forum to summarise the issues with zPanel.

    Thanked by 2 Maounique lazyt
  • Maounique Host Rep, Veteran

    wych said: well written

    :o

  • Me_B Member

    @Maounique said:
    I am sorry, but cannot disclose customer data, in fact, I am not even looking in the VPSes, I just saw the process, investigated it a bit, saw it was linked to zPanel, stopped right there as in many other hacking cases before. I am not joking or lying, I have nothing to gain from it, I am promoting Virtualmin GPL because development of EHCP I liked before stopped, zPanel is the source of way too many headaches to be worth looking into yet another issue, I am sorry, I know how it is as I was once a developer and QA for some software, but this is simply too much. Other panels have bugs, other panels are hard to use, other panels cost money and have bugs and are hard to use, etc, but none has so many security issues being in active development as zPanel. This is the sad truth, it forces me to recommend everyone I see spamming, DDoSing, with huge load out of the blue without even checking if they use it to get rid of zPanel, and, guess what, most reply I didn't know there is a problem with it :(

    I understand and have such issues with joomla.

    You could ban/kick users. But again they will put back joomla/zpanel and all "the crap" a good admin hates.

    I just said at least report issues, we don't even ask for your customers data.

    The problem is getting users to update. I just had yesterday a user updating from 10.0.1 (3 releases since then) and had to help manually to fix the upgrade process.

    @Maounique as I said you can help, don't disclose data, you have developers eager for feedback. And we will do our best to get rid of this mess.

    Please notice 10.1.0 security issues are Roundcube / pChart, it was not even an internal bug from our core dev, but third parties.

    There is lot to do here... I feel we are begging here for feedback!!!!!!!!!!!

    My last post here... as seriously no one would take 5 min to push zpanel forward.

    By the way hostwinds is zpanel sponsor and they are reporting no issues as they tailored an offer for zpanel and update it.

    Some humour by a zpanel user ;)

    M B

  • Maounique Host Rep, Veteran
    edited May 2014

    That's cool for zpanel users, seems your people know themselves well.

    Here are people talking about hosting and zPanel is bad for hosts and their customers. As a consequence, this is not the best place to advertise it, the hacked customers and their hosts will not like it.

    That being said, since you already know who your customers are (from the cartoon you posted and they are aware too) you should make a secure version for them and leave the bloated version for hosts such as your sponsor. They can secure it and plug holes even before the threads get deleted.
    As for the average joe, will do with the simple version without much third party apart from the basic minimum such as a web server, an FTP one, dns, mysql, php, and some scripts such as phpmyadmin and the UI, of course. It would be best to do custom versions compiled at installation, but, if not possible, just stick with one distro.

  • If you want to use zpanel:

    A) Join the security email list:
    www.forums.zpanelcp.com/Thread-Sign-up-to-our-ZPanel-security-and-patch-alerts-mailing-list-to-be-kept-notified

    B) Log into the panel and read the news for important updates from time to time.

    C) Update your panel when patches are released.

    It would be great to see providers post zpanel version numbers related to the compromised accounts. Probably outdated versions. If you don't want to snoop (great btw) ask a couple clients to check their version.

    Zpanel should implement in-panel upgrading with the option of auto upgrade because some folks can't be bothered with entering a single command into putty.

  • lol that image was funny
