Comments
Truly fascinating thread. So how exactly did they hack it? Is that a ZPanel problem or Apache?
doubt apache
What do L1/L2 proxies mean?
The question is, how did they have access to your box?
Simple password, or did you enable root login?
In this case it seems like Apache, but ZPanel has its own problems as well.
@freek -> My VPS has been compromised! -> C'est la vie
Honestly, I think it's just bad karma for using David Hasselhoff as your avatar.
Alright guys, to clear some things up: My VPS was compromised in a way that they were able to use it as a public proxy. They did not have SSH access nor root access. It seems that ZPanel installs/configures Apache with mod_proxy, but does not limit proxy requests to localhost. Therefore everyone was able to use mod_proxy through my VPS on port 80. That's all. No more, no less.
See above.
C'est la vie. Sucks being you I guess, since that's not my 'vie'.
Don't hassle the Hoff!
Once again thanks for the quick responses and support. The main problem now is moving forward/getting back online without hundreds of IPs hammering my box to use it as a proxy. If all else fails, I guess I have to ask for a new IP.
What have we learned from this? If using ZPanel, check if mod_proxy is enabled, and if so, turn it off or limit it to localhost.
http://www.oudmaijer.com/2010/12/20/apache-mod_proxy-abuse/
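Two things a practitioner would want from the lesson in the post above: a check that tells an open forward proxy apart from a properly restricted one, and a way to spot proxy abuse in the access log. The block below is an added example for this thread, not ZPanel's or Apache's own code; the two config snippets and the log lines are constructed samples (the directive names are the real Apache mod_proxy / mod_authz_core ones, the IPs are documentation ranges).

```python
"""Open forward-proxy check for an Apache mod_proxy config, plus a log-based detector.

Added example for this thread, not ZPanel's or Apache's code. The config
snippets and access-log lines are constructed samples.
"""
import re
from collections import Counter

# Constructed: forward proxying enabled with no restriction on who may use it.
OPEN_PROXY_CONF = """
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests On
ProxyVia On
"""

# Constructed: hardened form. Forward proxying is off; if it is ever needed,
# the <Proxy "*"> container limits it to loopback (Apache 2.4 syntax).
HARDENED_CONF = """
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests Off
<Proxy "*">
    Require ip 127.0.0.1 ::1
</Proxy>
"""


def _directive_lines(conf_text):
    """Split config text into stripped lines with '#' comments removed."""
    return [ln.split("#", 1)[0].strip() for ln in conf_text.splitlines()]


def is_open_proxy(conf_text):
    """True when ProxyRequests is On and no <Proxy> container restricts access."""
    lines = _directive_lines(conf_text)
    forward_on = any(re.fullmatch(r"ProxyRequests\s+On", ln, re.I) for ln in lines)
    if not forward_on:
        return False
    in_proxy, restricted = False, False
    for ln in lines:
        if re.match(r"<Proxy\b", ln, re.I):
            in_proxy = True
        elif re.match(r"</Proxy>", ln, re.I):
            in_proxy = False
        elif in_proxy and re.match(r"Require\s+(?!all\s+granted)", ln, re.I):
            restricted = True  # any Require other than 'all granted' limits use
    return not restricted


# Combined log format: client ip, ident, user, [time], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: two proxy-style requests from one client, one normal
# page hit, and a CONNECT attempt (the classic spam-relay pattern).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Dec/2010:10:00:01 +0000] "GET http://example.net/ HTTP/1.1" 200 612 "-" "curl/7.19"',
    '198.51.100.2 - - [20/Dec/2010:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 3122 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Dec/2010:10:00:03 +0000] "CONNECT mail.example.org:25 HTTP/1.1" 200 - "-" "-"',
    '192.0.2.9 - - [20/Dec/2010:10:00:04 +0000] "GET http://example.com/ads HTTP/1.0" 200 9015 "-" "Python-urllib/2.6"',
]


def proxy_requests(log_lines):
    """Return (ip, method, target) for requests that only make sense to a forward proxy:
    an absolute http(s) URI as the request target, or the CONNECT method."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["method"] == "CONNECT" or re.match(r"https?://", m["target"], re.I):
            hits.append((m["ip"], m["method"], m["target"]))
    return hits


def proxy_clients(log_lines):
    """Count proxy-style requests per client IP (the list to feed a firewall deny rule)."""
    return Counter(ip for ip, _, _ in proxy_requests(log_lines))


if __name__ == "__main__":
    print("open proxy (weak conf):", is_open_proxy(OPEN_PROXY_CONF))
    print("open proxy (hardened):", is_open_proxy(HARDENED_CONF))
    for ip, n in proxy_clients(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} proxy-style request(s)")
```

On a real box, feed the output of `apachectl -S`-style dumps or the concatenated conf files to `is_open_proxy`, and tail the access log into `proxy_requests`; a non-empty result while `ProxyRequests` is off still deserves a look, since it shows clients scanning for exactly this misconfiguration.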
@Freek - Just throwing a bit of humor into the mix.
I would never dream of it!
Have to ask - is this the same VPS you were slamming for poor performance in another thread?
Nope. Not even close. Different country, different provider.
Looks like a Prometeus IP to me.
Why is David Hasselhoff so popular in Germany?
For instance, Germany seems to be the only country that likes his music. lol. Could his surname be a clue?
I just checked his Wiki page and found that:
Haha.
install a Firewall right now
Correct.
Anonymous - Level 2 (L2): the web server knows that you are probably using a proxy, but it can't detect your real IP.
lol, I certainly wasn't L1 nor L2. How many IPs do you want?
As @joepie91 has pointed out many times, ZPanel is a security disaster. If you still use it you must at least:
1) Change the postfix user password in PHPMyAdmin and then update the following files.
Believe it or not the password for postfix was postfix and it was hardcoded in all the following files which you have to change.
/etc/zpanel/configs/postfix/mysql-relay_domains_maps.cf
/etc/zpanel/configs/postfix/mysql-virtual_alias_maps.cf
/etc/zpanel/configs/postfix/mysql-virtual_mailbox_limit_maps.cf
/etc/zpanel/configs/postfix/mysql-virtual_mailbox_maps.cf
/etc/zpanel/configs/postfix/vacation.pl
/etc/zpanel/configs/postfix/vacation.conf
/etc/zpanel/configs/postfix/mysql-virtual_domains_maps.cf
/etc/zpanel/configs/dovecot2/dovecot-mysql.conf
/etc/zpanel/configs/dovecot2/dovecot-dict-quota.conf
/etc/zpanel/configs/dovecot2/dovecot-trash.conf
/etc/zpanel/configs/dovecot2/dovecot.conf
2) Add .htaccess and .htpasswd Authentication
nano /etc/zpanel/panel/.htaccess
AuthType Basic
AuthName "Restricted Access"
AuthUserFile /etc/zpanel/panel/.htpasswd
Require user someusername
generate the password to your username
http://www.htaccesstools.com/htpasswd-generator/
nano /etc/zpanel/panel/.htpasswd
someusername:generated-password
3) Change default paths and lockdown management IPs using .htaccess
order deny,allow
deny from all
allow from 127.
allow from xxx.
4) Install CSF firewall
5) Delete the file:
/etc/zpanel/panel/modules/backupmgr/code/getdownload.php
6) Move to webmin or any other panel as soon as possible
My thanks to @joepie91
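The checklist above is easy to apply half-way (the password changed in the database but not in every file, the .htaccess copied with the `xxx.` placeholder still in it, a plaintext password in .htpasswd). The block below is an added example for this thread, not ZPanel's code, that audits those points from file contents passed in as strings so it runs offline. The sample contents are constructed, and the `password = ...` line shape is assumed from the usual Postfix mysql-map format rather than copied from ZPanel's files.

```python
"""Audit helpers for the ZPanel hardening checklist posted above.

Added example, not ZPanel's code. Contents are passed in as strings; the
samples are constructed and the file formats are assumed, not copied.
"""
import re

DEFAULT_DB_PASSWORD = "postfix"  # the hardcoded value the post warns about


def files_with_default_password(contents):
    """Return the paths whose text still contains password = postfix
    (optionally quoted, case-insensitive). `contents` maps path -> file text."""
    pat = re.compile(
        r"password\s*=\s*['\"]?" + re.escape(DEFAULT_DB_PASSWORD) + r"['\"]?(\s|$)", re.I
    )
    return [path for path, text in contents.items() if pat.search(text)]


def htaccess_problems(text):
    """Check the panel .htaccess for basic auth plus a deny-by-default IP list
    (Apache 2.2 'order/deny/allow' syntax, as used in the post)."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    problems = []
    if not any(re.fullmatch(r"AuthType\s+Basic", ln, re.I) for ln in lines):
        problems.append("no AuthType Basic")
    if not any(re.match(r"Require\s+(user|valid-user)\b", ln, re.I) for ln in lines):
        problems.append("no Require user/valid-user")
    if not any(re.fullmatch(r"deny\s+from\s+all", ln, re.I) for ln in lines):
        problems.append("no 'deny from all' default")
    for ln in lines:
        if re.match(r"allow\s+from\s+\S", ln, re.I):
            value = ln.split(None, 2)[2]
            # 'all' reopens the panel; 'xxx.' is the post's placeholder left unfilled
            if value.lower() == "all" or re.fullmatch(r"x+\.?", value, re.I):
                problems.append(f"allow from {value}: unfilled placeholder")
    return problems


def htpasswd_problems(text):
    """Flag .htpasswd entries whose password field is not a recognised hash
    (apr1-MD5, bcrypt or {SHA}), i.e. a plaintext value pasted in by mistake."""
    problems = []
    for ln in text.splitlines():
        if ":" not in ln:
            continue
        user, pw_field = ln.split(":", 1)
        if not re.match(r"(\$apr1\$|\$2[aby]\$|\{SHA\})", pw_field):
            problems.append(f"{user}: password field is not an apr1/bcrypt/SHA hash")
    return problems


def leftover_backup_download(existing_paths):
    """True if the file step 5 says to delete is still present."""
    return "/etc/zpanel/panel/modules/backupmgr/code/getdownload.php" in set(existing_paths)


# Constructed sample contents: one map file still on the default password,
# one Dovecot file already changed, the post's .htaccess copied verbatim,
# and an .htpasswd with one plaintext entry and one (made-up) apr1 hash.
SAMPLE_FILES = {
    "/etc/zpanel/configs/postfix/mysql-virtual_mailbox_maps.cf":
        "user = postfix\npassword = postfix\nhosts = 127.0.0.1\ndbname = zpanel_postfix\n",
    "/etc/zpanel/configs/dovecot2/dovecot-mysql.conf":
        "connect = host=127.0.0.1 dbname=zpanel_postfix user=postfix password=Str0ng-Random-Value\n",
}
SAMPLE_HTACCESS = """AuthType Basic
AuthName "Restricted Access"
AuthUserFile /etc/zpanel/panel/.htpasswd
Require user someusername
order deny,allow
deny from all
allow from 127.
allow from xxx.
"""
SAMPLE_HTPASSWD = "someusername:generated-password\nadmin:$apr1$abcdefgh$0123456789abcdefghijkl\n"

if __name__ == "__main__":
    print("default DB password in:", files_with_default_password(SAMPLE_FILES))
    print(".htaccess:", htaccess_problems(SAMPLE_HTACCESS))
    print(".htpasswd:", htpasswd_problems(SAMPLE_HTPASSWD))
```

To run it against a live install, build `contents` by reading each path from the post's list (all eleven, not just the two sampled here) and pass `os.listdir`-style results to `leftover_backup_download`; anything the functions return is a step that still needs doing.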
FYI I've stopped using ZPanel and moved to Webmin, as soon as I found out that this misconfiguration issue was caused by ZPanel. So no worries.
I just realized that I never saw that picture and thought it was really some crazy guy named @Freek stuck in the 80s.
Sorry about that @Freek
I have laughed many times at your unknown expense, and that's in my head not even in an IRC. Wow.
No, correct path is:
/var/log/nolongersecure
Shine some /var/log/autobootfailingmeuphere plox. #inb4itgetsold
Erm, well you're welcome I guess