{"id":393,"date":"2014-01-28T22:06:32","date_gmt":"2014-01-28T22:06:32","guid":{"rendered":"http:\/\/intovps.com\/blog\/?p=393"},"modified":"2014-04-11T08:32:31","modified_gmt":"2014-04-11T08:32:31","slug":"kloxo-zero-day-exploit","status":"publish","type":"post","link":"https:\/\/intovps.com\/blog\/2014\/01\/28\/kloxo-zero-day-exploit\/","title":{"rendered":"Kloxo zero-day exploit"},"content":{"rendered":"<p>Today we started to see our packet counter monitors triggering all over the place. At a closer look we&#8217;ve noticed a common pattern: scripts flooding from customers&#8217; virtual machines running Kloxo.<\/p>\n<p>A <strong>zero-day<\/strong> exploit has been identified in the Kloxo control panel today. Here&#8217;s\u00a0<a href=\"http:\/\/www.webhostingtalk.com\/showthread.php?t=1344003\">a discussion related to this<\/a>.<\/p>\n<p>We decided a few hours ago to proactively fix this inside <strong>ALL\u00a0machines running Kloxo<\/strong>:<\/p>\n<ul>\n<li>identify the offending script that was uploaded and <code>chmod 0<\/code> the directory<\/li>\n<li>stop the kloxo daemon<\/li>\n<li>email each and every (!) customer about this exploit and explain the actions we took<\/li>\n<\/ul>\n<p>Ionut and Ovidiu have just completed these steps and we managed to stop this pest, <strong>for now<\/strong>.<\/p>\n<p>We don&#8217;t normally run commands inside customers&#8217; virtual machines, but we decided that it&#8217;s the best action we can take in the interest of everyone involved. 
And by everyone, I mean everyone: the compromised machine&#8217;s owner, other IntoVPS customers, IntoVPS employees and stakeholders, the internet community.<\/p>\n<p>Here&#8217;s the email we&#8217;ve sent:<\/p>\n<blockquote><p><b>Subject:<\/b>\u00a0IntoVPS &#8211; Kloxo installation compromised for server<\/p>\n<p>Hello,<\/p>\n<p>You are receiving this notification because you are running Kloxo panel management on your VPS named <strong>XXXXXXX<\/strong>.<\/p>\n<p>It seems that\u00a0Kloxo\u00a0installations are compromised with a randomly-named PHP file placed into \/home\/kloxo\/httpd\/default\/, which is the &#8216;default&#8217; site accessible by IP address and that\u00a0kloxo\u00a0appears to be spawning a large number of httpd processes. Further investigation shows they&#8217;re all sending out volumes of traffic as part of a DDoS.<\/p>\n<p>Here is an example of a compromised file uploaded in \/home\/kloxo\/httpd\/default: http:\/\/disclosed.info\/?7c12a1a4560b7664#5fpnfdknf4EfBcGqLjeV9\/vAY1RXEKkLC3+fqm16c6E=<\/p>\n<p>At this moment there isn&#8217;t any fix published for Kloxo and as a workaround for this particular issue, we are going to change the permission of that folder to 0 with the following command:<\/p>\n<p>chmod 0 \/home\/kloxo\/httpd\/default\/<br \/>\nchmod 0 \/home\/admin\/*\/cgi-bin<\/p>\n<p>Also, it is better for now to stop the kloxo daemon until a proper fix is released.<\/p>\n<p>\/etc\/init.d\/kloxo stop<\/p>\n<p>We also noticed the same particular file being uploaded in the cgi-bin folders of the website managed by admin users. I strongly advise you to check this as well and remove or change the permissions of those files that contain the same pattern as soon as possible.<\/p>\n<p>If you have any questions, please let us know.<\/p>\n<p>Best regards,<br \/>\nIntoVPS Support<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Today we started to see our packet counter monitors triggering all over the place. 
At a closer look we&#8217;ve noticed a common pattern: scripts flooding from customers&#8217; virtual machines running Kloxo. A zero-day exploit has been identified in Kloxo control panel today. Here&#8217;s\u00a0a discussion related to this. We decided a few hours ago to proactively [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-393","post","type-post","status-publish","format-standard","hentry","category-intovps"],"yoast_head_json":{"title":"Kloxo zero-day exploit &#187; IntoVPS Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/intovps.com\/blog\/2014\/01\/28\/kloxo-zero-day-exploit\/","og_locale":"en_US","og_type":"article","og_title":"Kloxo zero-day exploit &#187; IntoVPS Blog","og_description":"Today we started to see our packet counter monitors triggering all over the place. At a closer look we&#8217;ve noticed a common pattern: scripts flooding from customers&#8217; virtual machines running Kloxo. A zero-day exploit has been identified in Kloxo control panel today. Here&#8217;s\u00a0a discussion related to this. We decided a few hours ago to proactively [&hellip;]","og_url":"https:\/\/intovps.com\/blog\/2014\/01\/28\/kloxo-zero-day-exploit\/","og_site_name":"IntoVPS Blog","article_publisher":"https:\/\/facebook.com\/intovps","article_published_time":"2014-01-28T22:06:32+00:00","article_modified_time":"2014-04-11T08:32:31+00:00","author":"Adrian Andreias","twitter_card":"summary_large_image","twitter_creator":"@intovps","twitter_site":"@intovps","twitter_misc":{"Written by":"Adrian Andreias","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/intovps.com\/blog\/2014\/01\/28\/kloxo-zero-day-exploit\/#article","isPartOf":{"@id":"https:\/\/intovps.com\/blog\/2014\/01\/28\/kloxo-zero-day-exploit\/"},"author":{"name":"Adrian Andreias","@id":"https:\/\/intovps.com\/blog\/#\/schema\/person\/d46c8f5d25b5a8b009c50c0c4f887460"},"headline":"Kloxo zero-day exploit","datePublished":"2014-01-28T22:06:32+00:00","dateModified":"2014-04-11T08:32:31+00:00","mainEntityOfPage":{"@id":"https:\/\/intovps.com\/blog\/2014\/01\/28\/kloxo-zero-day-exploit\/"},"wordCount":399,"commentCount":0,"publisher":{"@id":"https:\/\/intovps.com\/blog\/#organization"},"articleSection":["IntoVPS"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/intovps.com\/blog\/2014\/01\/28\/kloxo-zero-day-exploit\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/intovps.com\/blog\/2014\/01\/28\/kloxo-zero-day-exploit\/","url":"https:\/\/intovps.com\/blog\/2014\/01\/28\/kloxo-zero-day-exploit\/","name":"Kloxo zero-day exploit &#187; IntoVPS Blog","isPartOf":{"@id":"https:\/\/intovps.com\/blog\/#website"},"datePublished":"2014-01-28T22:06:32+00:00","dateModified":"2014-04-11T08:32:31+00:00","breadcrumb":{"@id":"https:\/\/intovps.com\/blog\/2014\/01\/28\/kloxo-zero-day-exploit\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/intovps.com\/blog\/2014\/01\/28\/kloxo-zero-day-exploit\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/intovps.com\/blog\/2014\/01\/28\/kloxo-zero-day-exploit\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/intovps.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Kloxo zero-day exploit"}]},{"@type":"WebSite","@id":"https:\/\/intovps.com\/blog\/#website","url":"https:\/\/intovps.com\/blog\/","name":"IntoVPS Blog","description":"VPS 
Hosting","publisher":{"@id":"https:\/\/intovps.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/intovps.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/intovps.com\/blog\/#organization","name":"IntoVPS","url":"https:\/\/intovps.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/intovps.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/intovps.com\/blog\/wp-content\/uploads\/2021\/04\/intovps-avatar.png","contentUrl":"https:\/\/intovps.com\/blog\/wp-content\/uploads\/2021\/04\/intovps-avatar.png","width":1563,"height":1563,"caption":"IntoVPS"},"image":{"@id":"https:\/\/intovps.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/facebook.com\/intovps","https:\/\/x.com\/intovps"]},{"@type":"Person","@id":"https:\/\/intovps.com\/blog\/#\/schema\/person\/d46c8f5d25b5a8b009c50c0c4f887460","name":"Adrian Andreias","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/intovps.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/f7a673269de3c425576541624530ca9c?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f7a673269de3c425576541624530ca9c?s=96&d=mm&r=g","caption":"Adrian 
Andreias"},"sameAs":["https:\/\/www.intovps.com"],"url":"https:\/\/intovps.com\/blog\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/intovps.com\/blog\/wp-json\/wp\/v2\/posts\/393","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/intovps.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/intovps.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/intovps.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/intovps.com\/blog\/wp-json\/wp\/v2\/comments?post=393"}],"version-history":[{"count":13,"href":"https:\/\/intovps.com\/blog\/wp-json\/wp\/v2\/posts\/393\/revisions"}],"predecessor-version":[{"id":406,"href":"https:\/\/intovps.com\/blog\/wp-json\/wp\/v2\/posts\/393\/revisions\/406"}],"wp:attachment":[{"href":"https:\/\/intovps.com\/blog\/wp-json\/wp\/v2\/media?parent=393"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/intovps.com\/blog\/wp-json\/wp\/v2\/categories?post=393"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/intovps.com\/blog\/wp-json\/wp\/v2\/tags?post=393"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}