

HyperVM/Kloxo notice




Posted by iWF-Jacob, 06-07-2009, 09:19 PM
Dear iWebFusion Technologies LLC customers, please be aware that all HyperVM instances have been shut down on all nodes. We have caught an intruder breaking into a container on one of our VPSs with LXadmin/Kloxo on it, and are trying to determine the method, IP range, etc. of the attacker. As soon as we gather more information we will be sharing it with the WHT community (that which may be helpful).

Posted by Jacob Wall, 06-07-2009, 09:20 PM
Keep us up to date. ~Jacob

Posted by iWF-Jacob, 06-07-2009, 09:22 PM
The following files have been found which were uploaded to a Kloxo based VPS: reset-mysql-root-password.phps, CVS, install_common.php. Last edited by iWF-Jacob; 06-07-2009 at 09:26 PM. Reason: EDIT: removed standard files

Posted by iWF-Jacob, 06-07-2009, 09:44 PM
The following I am not sure of... In /home/httpd of the VPS are the following files: nobody.sh and 123.cl.homepage.asp.php.97u.info, which do not compare to our most recent backup. In nobody.sh I found the following; anyone know what this would do?

Posted by iWF-Jacob, 06-07-2009, 10:43 PM
Okay! We finally got the IPs that attacked our nodes/VPSs. I highly suggest that you ban the entire range... Good luck to you all! Last edited by iWF-Jacob; 06-07-2009 at 10:47 PM.

Posted by Jacob Wall, 06-07-2009, 10:45 PM
IP: 66.96.218.5 Host: datacenter1.propagandaideal.com There's another one.

Posted by iWF-Jacob, 06-07-2009, 10:47 PM
Thanks Jacob, Added that one to the list above

Posted by Jacob Wall, 06-07-2009, 10:49 PM
I've still got one more, I just have to find the log file. Will reply with it when I find it. This list will definitely be helpful for others.

Posted by DigitalLinx, 06-08-2009, 12:10 AM
reset-mysql-root-password.phps is part of HyperVM; I can confirm this since I installed HyperVM on a test box just now. install_common.php is not; please post the content of those files. The posted shell/CGI script exports a few environment variables and then executes lxsuexec along with any arguments passed to the script. This script appears to be part of lxadmin/kloxo, again confirming this from a fresh new installation on an offline server. Thank you.

Posted by iWF-Jacob, 06-08-2009, 12:12 AM
Hi there DigitalLinx, That would be my mistake then. I am not an expert on Kloxo, and was only going by what our backup from yesterday had, and what is there now... I will post the contents shortly.

Posted by Jacob Wall, 06-08-2009, 12:15 AM
Is it supposed to be .phps though? If I recall correctly when I reset the mysql root password a few months back on a HyperVM machine it was a .php

Posted by DigitalLinx, 06-08-2009, 12:15 AM
I highly recommend running tripwire for the time being. http://sourceforge.net/projects/tripwire/

Posted by iWF-Jacob, 06-08-2009, 12:19 AM
Thanks, We are currently running tripwire, which was what alerted us to the attacker gaining access to this VPS.

Posted by DigitalLinx, 06-08-2009, 12:19 AM
Yes, pretty sure. Fresh box, completely offline.

Posted by DigitalLinx, 06-08-2009, 12:21 AM
If indeed you were attacked please post more detailed information, where did you get those IPs from? Is there anything fishy in /usr/local/lxlabs/hypervm/log/shell_exec & /usr/local/lxlabs/hypervm/log/shell_error ?

Posted by iWF-Jacob, 06-08-2009, 12:30 AM
Here is the last information, which is related to the VPS, from shell_exec. PLEASE NOTE: I am VERY tired right now, so I am probably not seeing things that would simply jump out at me if I was actually revived and refreshed. So I do apologize ahead of time, in case I simply do not see something. As for the install_common.php, it simply contains the following. Last edited by iWF-Jacob; 06-08-2009 at 12:45 AM.

Posted by DigitalLinx, 06-08-2009, 12:37 AM
Nothing unusual in that log file, just a log of a VPS being created. Check your activity log by issuing the following. See if any funky IPs have logged in as admin; also note that when you perform an action on a VM the hardware node's IP will be logged, such as this. I'm quite curious what made you think you were being attacked/compromised; if you'd like, I can help you with forensics. I am trying to get to the bottom of this, as I can see there's a witch hunt against lxlabs; however, no proper proof has been disclosed that HyperVM is still vulnerable despite their latest updates. EDIT: where is/was the location of install_common.php? I can not find it on my system, although it looks harmless. Thank you. Last edited by DigitalLinx; 06-08-2009 at 12:42 AM.

Posted by iWF-Jacob, 06-08-2009, 12:44 AM
We originally found out that someone/something was making unauthorized changes because of the following: A customer contacted us via live chat because unauthorized changes were being made to his website. The template he was using was the hostinabox template, meaning he was using Kloxo. The customer has a site which is targeted at people in Spain, and when looking back at the access logs for his site a large amount of IPs were coming from China, which has never happened before. They were all going to the Kloxo login URL.
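As an added example (not part of the thread, and not Kloxo's or HyperVM's own code), here is the kind of access-log triage that surfaces the pattern iWF-Jacob describes: many client IPs whose requests go only to the control-panel login URL. The login path `/login/` and the sample log lines are constructed assumptions; Kloxo's real login URL is not given in the thread.

```python
import re
from collections import Counter

# Apache/nginx Combined Log Format. Constructed regex, not from the page.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed control-panel login path (hypothetical; substitute the real one).
LOGIN_PATHS = ("/login/",)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def login_hits_by_ip(lines, login_paths=LOGIN_PATHS):
    """Count requests per client IP whose path starts with a login path."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(login_paths):
            hits[rec["ip"]] += 1
    return hits

def login_only_sources(lines, login_paths=LOGIN_PATHS):
    """IPs whose every parsed request went to the login path, sorted.
    Real visitors browse the site; sources that touch nothing but the login
    URL are the ones to escalate and, if many, to block as a range."""
    total = Counter(rec["ip"] for rec in map(parse_line, lines) if rec)
    login = login_hits_by_ip(lines, login_paths)
    return sorted(ip for ip, n in login.items() if n == total[ip])

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.7 - - [07/Jun/2009:20:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.23 - - [07/Jun/2009:20:01:05 +0000] "POST /login/ HTTP/1.1" 200 1024',
    '198.51.100.23 - - [07/Jun/2009:20:01:06 +0000] "POST /login/ HTTP/1.1" 200 1024',
    '198.51.100.23 - - [07/Jun/2009:20:01:07 +0000] "POST /login/ HTTP/1.1" 302 0',
    '198.51.100.24 - - [07/Jun/2009:20:01:08 +0000] "GET /login/ HTTP/1.1" 200 2048',
    '203.0.113.7 - - [07/Jun/2009:20:01:09 +0000] "GET /login/ HTTP/1.1" 200 2048',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits = login_hits_by_ip(SAMPLE_LOG)
    for ip in login_only_sources(SAMPLE_LOG):
        print(ip, hits[ip])
```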

Posted by DigitalLinx, 06-08-2009, 12:50 AM
Well, that can be explained quite easily: your client didn't update Kloxo on time, or was compromised before lxlabs released the patches, or quite simply he's running a dynamic website with remotely exploitable vulnerabilities. I am interested in whether HyperVM was exploited remotely, not an individual VPS, just making myself clear. Thank you.

Posted by iWF-Jacob, 06-08-2009, 12:56 AM
That could be quite possible, however there are a few things.. 1: Most importantly, I don't believe in coincidences. 2: Kloxo was updated

Posted by wormy, 06-08-2009, 04:49 AM
+1 on that. It's important to know if the hypervm wrapper framework itself has vulnerabilities which can be exploited remotely.

Posted by o-dog, 06-08-2009, 05:58 AM
I think there is a worldwide 0day attack on HyperVM. I for one won't be using this software again.

Posted by DigitalLinx, 06-08-2009, 04:02 PM
Again, that's what most people think; however, we're looking for proper proof and evidence here in order to better understand and possibly patch the vulnerability. Security issues can arise in any software, although newer software is more prone to vulnerabilities.

Posted by 2009plus, 06-08-2009, 05:32 PM
I guess Jacob's talking about me here. If so: I was talking with him regarding the HyperVM security breaches, while I was trying to shut LxAdmin/Kloxo down, and as I was unable to do so (service "lxadmin" does not exist, it returned as error) I asked him why couldn't I turn the service down. As I was investigating this issue, I found out a ZIP at / containing the files Jacob outlined before in this thread, as well as a file from the LxAdmin PHP core (at least that's what it seemed to be) in the /home/admin/ directory. Both shouldn't be there. I immediately asked him to shut the VPS down so that the intruders no longer have access to it, and then Jacob found out the IPs listed above.

Posted by Daniel15, 06-08-2009, 09:42 PM
How ironic, they were talking about cPanel's "lack of security" a while back: and (talking about LxAdmin/Kloxo, emphasis by me, source: http://forum.lxlabs.com/index.php?t=msg&goto=51197&)

Posted by budman714, 06-08-2009, 11:18 PM
We are showing SQL attacks via our network IDS. I have not personally looked into this yet, but could it not be a HyperVM exploit? Details for attack:

MS-SQL: Resolution Service Buffer Overflow (General), All Subnets (Inbound), for the last 1440 minutes
Begin Time: 2009-06-08 18:01:10
End Time: 2009-06-08 18:06:16
Attack Count: 1
Source IP Address: 59.80.95.35
Source Port: 4333
Destination IP Address: 174.36.110.220
Destination Port: 1434
1 MS-SQL: Resolution Service Buffer Overflow (General) | Vulnerability: Buffer/Heap Overflow | ms-sql | Windows Server Application or Service | 5311 | CVE-2002-0649 | Critical | Block

Posted by iWF-Jacob, 06-08-2009, 11:18 PM
Well, Looks like LXlabs has come to an end... Any suggestions for what next? Know if anyone will continue working on the problem? http://timesofindia.indiatimes.com/B...ow/4633101.cms

Posted by mulligan23, 06-08-2009, 11:45 PM
@iWF-Jacob Wow, this is like a horror movie gone bad.

Posted by o-dog, 06-09-2009, 02:53 AM
The arrogance is absolutely astounding

Posted by Daniel15, 06-09-2009, 03:10 AM
Wow, I didn't expect that R.I.P. Ligesh

Posted by DigitalLinx, 06-09-2009, 03:29 AM
What you have posted is a buffer overflow vulnerability in MSSQL, which is completely unrelated.


