My VPS has been compromised! - Page 2


Comments

  • truly fascinating thread. So how exactly did they hack it? Is that a ZPanel problem or Apache?

  • MunMun Member

    doubt apache

  • What does L1/L2 Proxies means?

  • FritzFritz Veteran

    The question is, how did they get access to your box?
    A simple password, or did you enable root login?

  • joepie91joepie91 Member, Patron Provider

    @goexodus said: truly fascinating thread. So how exactly did they hack it? Is that a ZPanel problem or Apache?

    In this case it seems like Apache, but ZPanel has its own problems as well.

  • marcmmarcm Member

    @freek -> My VPS has been compromised! -> C'est la vie

    Honestly, I think it's just bad karma for using David Hasselhoff as your avatar.

  • FreekFreek Member

    Alright guys, to clear some things up: My VPS was compromised in a way that they were able to use it as a public proxy. They did not have SSH access nor root access. It seems that ZPanel installs/configures Apache with mod_proxy, but does not limit proxy requests to localhost. Therefore everyone was able to use mod_proxy via my VPS on port 80. That's all. No more, no less.

    @goexodus said: truly fascinating thread. So how exactly did they hack it? Is that a ZPanel problem or Apache?

    See above.

    @Fritz said: The question is, how did they have access to your box?

    See above.

    @marcm said: C'est la vie

    Honestly, I think it's just bad karma for using David Hasselhoff as your avatar.

    C'est la vie. Sucks being you I guess, since that's not my 'vie'.
    Don't hassle the Hoff!

    Once again thanks for the quick responses and support. The main problem now is moving forward/getting back online without hundreds of IPs hammering my box to use it as a proxy. If all else fails, I guess I have to ask for a new IP.
    What have we learned from this? If using ZPanel, check if mod_proxy is enabled, and if so, turn it off or limit it to localhost.
    http://www.oudmaijer.com/2010/12/20/apache-mod_proxy-abuse/
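    The abuse described above shows up in the Apache access log as forward-proxy requests: the request line carries an absolute URI (scheme://host/...) or uses the CONNECT method instead of a local path. The following added example (not from this thread) scans constructed combined-log lines and counts such requests per client IP, which is how you would confirm an open mod_proxy from the logs and decide which IPs to block.

```python
import re
from collections import Counter

# Apache combined log: client IP, ident, user, [timestamp], "METHOD target HTTP/x.y", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def is_forward_proxy_request(method, target):
    """A forward-proxy request uses CONNECT or an absolute URI as target;
    a normal request to a local vhost uses an origin-form path like /index.php."""
    if method == "CONNECT":
        return True
    return bool(re.match(r'^[A-Za-z][A-Za-z0-9+.-]*://', target))

def find_proxy_abuse(lines, min_hits=1):
    """Return a Counter of client IPs that issued at least min_hits proxy requests."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_forward_proxy_request(m["method"], m["target"]):
            hits[m["ip"]] += 1
    return Counter({ip: n for ip, n in hits.items() if n >= min_hits})

# Constructed sample log lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2013:12:00:01 +0200] "GET http://example.net/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Apr/2013:12:00:02 +0200] "GET http://example.org/login HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2013:12:00:03 +0200] "CONNECT mail.example.com:443 HTTP/1.1" 200 0 "-" "-"
192.0.2.10 - - [10/Apr/2013:12:00:04 +0200] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Apr/2013:12:00:05 +0200] "POST /zpanel/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, n in find_proxy_abuse(SAMPLE_LOG).most_common():
        print(f"{ip} made {n} forward-proxy request(s)")
```

    On a live box, feed it `/var/log/apache2/access.log` instead of SAMPLE_LOG; a legitimate web server that is not meant to proxy should report nothing at all.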

  • marcmmarcm Member

    @Freek said: C'est la vie. Sucks being you I guess, since that's not my 'vie'.

    @Freek - Just throwing a bit of humor into the mix.

    @Freek said: Don't hassle the Hoff!

    I would never dream of it!

  • tehdantehdan Member
    edited April 2013

    Have to ask - is this the same VPS you were slamming for poor performance in another thread?

  • FreekFreek Member

    @tehdan said: Have to ask - is this the same VPS you were slamming for poor performance in another thread?

    Nope. Not even close. Different country, different provider.

  • budingyunbudingyun Member
    edited April 2013

    Looks like a Prometeus IP to me.

  • LESLES Member

    @joshuatly said: What does L1/L2 Proxies means?

    1. Elite - High Anonymous - Level 1 (L1): the web server can't tell whether you are using a proxy from the information your browser sent.
    2. Anonymous - Level 2 (L2): the web server knows that you are probably using a proxy, but it can't detect your real IP.
    3. Transparent - Non Anonymous - Level 3 (L3): the web server knows that you are using a proxy and it can also detect your real IP address.

  • bnmklbnmkl Member
    edited April 2013

    Why is David Hasselhoff so popular in Germany?

    For instance, Germany seems to be the only country that likes his music. lol. Could his surname be a clue?

    I just checked his Wiki page and found that:

    1. He has launched a MySpace-like social networking site, known as "HoffSpace".
    2. His ex-wife, who also played his wife in Knight Rider, remarried to a man named Michael Knight.

    Haha.


  • install a Firewall right now

  • FreekFreek Member

    @budingyun said: Looks like a Prometeus IP to me.

    Correct.

    @LES said: Elite - High Anonymous - Level 1 (L1): the web server can't tell whether you are using a proxy from the information your browser sent.

    Anonymous - Level 2 (L2): the web server knows that you are probably using a proxy, but it can't detect your real IP.

    lol, I certainly wasn't L1 nor L2. How many IPs do you want?

  • goexodusgoexodus Member
    edited April 2013

    @Freek said: I updated it the last time 2 weeks ago. I did not run Wordpress, this box was running a default installation of Ubuntu together with ZPanel.

    As @joepie91 has pointed out many times, ZPanel is a security disaster. If you still use it you must at least:

    1) Change the postfix user password in phpMyAdmin and then update the following files.

    Believe it or not, the password for postfix was postfix, and it was hardcoded in all of the following files, which you have to change.

    /etc/zpanel/configs/postfix/mysql-relay_domains_maps.cf
    /etc/zpanel/configs/postfix/mysql-virtual_alias_maps.cf
    /etc/zpanel/configs/postfix/mysql-virtual_mailbox_limit_maps.cf
    /etc/zpanel/configs/postfix/mysql-virtual_mailbox_maps.cf
    /etc/zpanel/configs/postfix/vacation.pl
    /etc/zpanel/configs/postfix/vacation.conf
    /etc/zpanel/configs/postfix/mysql-virtual_domains_maps.cf
    /etc/zpanel/configs/dovecot2/dovecot-mysql.conf
    /etc/zpanel/configs/dovecot2/dovecot-dict-quota.conf
    /etc/zpanel/configs/dovecot2/dovecot-trash.conf
    /etc/zpanel/configs/dovecot2/dovecot.conf

    2) Add .htaccess and .htpasswd Authentication

    nano /etc/zpanel/panel/.htaccess

    AuthType Basic
    AuthName "Restricted Access"
    AuthUserFile /etc/zpanel/panel/.htpasswd
    Require user someusername

    generate the password for your username

    http://www.htaccesstools.com/htpasswd-generator/

    nano /etc/zpanel/panel/.htpasswd

    someusername:generated-password

    3) Change default paths and lockdown management IPs using .htaccess

    order deny,allow
    deny from all
    allow from 127.
    allow from xxx.

    4) Install CSF firewall

    5) Delete the file:
    /etc/zpanel/panel/modules/backupmgr/code/getdownload.php

    6) Move to webmin or any other panel as soon as possible

    My thanks to @joepie91
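    Step 1 above is easy to verify after the change. The following added example (not from this thread or from ZPanel) scans the files the post lists for a password assignment that is still the default `postfix`; it assumes the Postfix `password = ...` and Dovecot `connect = ... password=...` syntaxes, and runs here against constructed sample contents rather than real files.

```python
import re
from pathlib import Path

DEFAULT_PASSWORD = "postfix"   # the hard-coded default the post describes

# File list as given in the post; their exact formats are an assumption.
ZPANEL_FILES = [
    "/etc/zpanel/configs/postfix/mysql-relay_domains_maps.cf",
    "/etc/zpanel/configs/postfix/mysql-virtual_alias_maps.cf",
    "/etc/zpanel/configs/postfix/mysql-virtual_mailbox_limit_maps.cf",
    "/etc/zpanel/configs/postfix/mysql-virtual_mailbox_maps.cf",
    "/etc/zpanel/configs/postfix/vacation.pl",
    "/etc/zpanel/configs/postfix/vacation.conf",
    "/etc/zpanel/configs/postfix/mysql-virtual_domains_maps.cf",
    "/etc/zpanel/configs/dovecot2/dovecot-mysql.conf",
    "/etc/zpanel/configs/dovecot2/dovecot-dict-quota.conf",
    "/etc/zpanel/configs/dovecot2/dovecot-trash.conf",
    "/etc/zpanel/configs/dovecot2/dovecot.conf",
]

# Matches "password = x", "password=x" inside connect strings, and "$db_password = 'x';"
PASSWORD_RE = re.compile(r'password\s*=\s*([^\s;]+)', re.IGNORECASE)

def extract_passwords(text):
    """All password values assigned in a config text, quotes stripped."""
    return [m.group(1).strip("'\"") for m in PASSWORD_RE.finditer(text)]

def audit_text(path, text, default=DEFAULT_PASSWORD):
    """Findings (path, value) where the default password is still in use."""
    return [(path, pw) for pw in extract_passwords(text) if pw == default]

def audit_files(paths=ZPANEL_FILES, read=lambda p: Path(p).read_text()):
    """Audit every path; files missing on this install are skipped."""
    findings = []
    for p in paths:
        try:
            text = read(p)
        except OSError:
            continue
        findings.extend(audit_text(p, text))
    return findings

# Constructed sample contents (not real ZPanel files): one still default, one changed
SAMPLES = {
    "/etc/zpanel/configs/postfix/mysql-virtual_mailbox_maps.cf":
        "user = postfix\npassword = postfix\nhosts = 127.0.0.1\ndbname = zpanel_postfix\n",
    "/etc/zpanel/configs/dovecot2/dovecot-mysql.conf":
        "driver = mysql\nconnect = host=127.0.0.1 dbname=zpanel_postfix user=postfix password=Str0ngNewPass!\n",
}

if __name__ == "__main__":
    for path, pw in audit_files(list(SAMPLES), read=SAMPLES.__getitem__):
        print(f"default password '{pw}' still set in {path}")
```

    Run `audit_files()` with no arguments as root on the box itself to check the real files.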

  • FreekFreek Member

    @goexodus said: Move to webmin or any other panel as soon as possible

    FYI I've stopped using ZPanel and moved to Webmin as soon as I found out that this misconfiguration issue was caused by ZPanel. So no worries ;)

  • @marcm said: David Hasselhoff as your avatar

    I just realized that I never saw that picture and thought it was really some crazy guy named @Freek stuck in the 80s.
    Sorry about that @Freek
    I have laughed many times at your unknown expense, and that's in my head not even in an IRC. Wow.

  • DewlanceVPSDewlanceVPS Member, Patron Provider

    @jhadley said: /var/log/secure

    No, correct path is:

    /var/log/nolongersecure

  • DavidxDavidx Member

    @DewlanceVPS said: @jhadley said: /var/log/secure

    No, correct path is:

    /var/log/nolongersecure

    Shine some /var/log/autobootfailingmeuphere plox. #inb4itgetsold

  • FreekFreek Member

    @natestamm said: I have laughed many times at your unknown expense

    Erm, well you're welcome I guess ;)
