Kloxo VPS issue
Posted by Lost Eagle, 03-19-2014, 08:37 AM
I followed these steps to secure the Kloxo VPS, but now it's locked. I can't SSH.
Posted by Lost Eagle, 03-19-2014, 08:42 AM
From the Serial Console, the rules blocked the SSH port
Posted by Steven, 03-19-2014, 09:51 AM
You can't secure Kloxo. The panel itself is full of security holes.
Posted by ajonate, 03-20-2014, 04:39 PM
With all of the security updates released over the past month or so, I'm not sure that's a fair statement. As you can see, 6.1.13 through 6.1.18 have been released over the past month.
Posted by Steven, 03-20-2014, 04:40 PM
I am well aware of the updates, and my statement still stands true.
There is another thread where I pointed out a variety of security issues and many of them either still work or work with modifications.
Posted by nessa, 03-20-2014, 04:54 PM
Yea. Until Steven finds more. Then we get to laugh again.
Posted by Patrick, 03-20-2014, 05:03 PM
We spent minutes on Kloxo... literally minutes.
The entire project is stupid and it should have died off long ago, sorry to say. The GUI is garbage. The code is garbage. I promise you, if we spent an actual measurable amount of time trying to find flaws in the project... it would be a field day.
People need to stop recommending crap.
Posted by Steven, 03-20-2014, 05:15 PM
So you intrigued me to reinstall it, so I reinstalled, and within 5 minutes I had a new exploit.
1.) Set up a PHP script to run a for loop (SSH is NOT required).
2.) Go into the client panel, add a new domain with the document root pwnt.
3.) /etc/passwd changed to your user name:
4.) You can now modify /etc/passwd and give yourself uid 0, effectively giving yourself root access.
The reason this happens is they do this:
Since it's doing a recursive chown, the symlink which is placed into /home/bob.com/pwnt gets chowned to the user bob.com.
So I repeat, kloxo is not secure and you cannot secure it.
These kinds of exploits are all over this panel, 50% of the features potentially are vulnerable to this simple attack. Not even including any other attacks such as code execution.
Last edited by Steven; 03-20-2014 at 05:24 PM.
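The failure mode Steven describes above, a recursive chown that follows a symlink planted in a freshly created document root, and the hardened form a panel should use instead (chown -h, i.e. os.lchown, plus a pre-check for links that escape the tree), as an added example that is not from this thread or from Kloxo's code. The temporary layout and the link name pwnt are constructed here; an ordinary file stands in for /etc/passwd.

```python
import os
import tempfile


def escaping_symlinks(root):
    """Symlinks under root that resolve outside root (os.walk never follows links)."""
    real_root = os.path.realpath(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([real_root, target]) != real_root:
                    found.append(path)
    return found


def safe_chown_tree(root, uid, gid):
    """Recursive chown that never follows a symlink (os.lchown == chown -h).

    The link entry itself is re-owned; whatever it points to is left alone.
    Returns the list of paths whose ownership was changed.
    """
    changed = []
    os.lchown(root, uid, gid)
    changed.append(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            os.lchown(path, uid, gid)
            changed.append(path)
    return changed


def build_demo_tree():
    """Constructed sample: a docroot with one real file and a symlink 'pwnt'
    pointing at a file outside the docroot (stand-in for /etc/passwd)."""
    base = tempfile.mkdtemp(prefix="docroot-demo-")
    outside = os.path.join(base, "outside.txt")
    open(outside, "w").close()
    root = os.path.join(base, "docroot")
    os.mkdir(root)
    open(os.path.join(root, "index.html"), "w").close()
    link = os.path.join(root, "pwnt")
    os.symlink(outside, link)
    return root, link, outside
```

Run build_demo_tree(), then escaping_symlinks(root) to see the planted link flagged, and safe_chown_tree(root, os.getuid(), os.getgid()) to confirm the link's target is never in the list of re-owned paths.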
Posted by Steven, 03-20-2014, 05:34 PM
Actually, let's make it even easier:
In the document root box, will create the /tmp/hax file as root
So really, you can run any command you want, it doesn't matter.
Please don't use this junk, it will never be secure.
Posted by Lx_Danny, 03-21-2014, 06:45 PM
Dear Steven, Patrick and others.
Be kind and report all the bugs you find instead of painting the software black. The time you spend on this, installing Kloxo, writing forum posts etc etc, you could send us a report and/or a fix, and we might release a new version within that time too.
So report or fix (the code is at GitHub so you can contribute) instead of crying and yelling that Kloxo is bad. YOU make it bad. Do YOU realize that?
Thank you for your cooperation. I think you may spend your time better helping to fix or report the bugs than crying and yelling around.
Every person that wants to help, not only with security bugs, and has some interest in developing a kick-ass free open-source web hosting panel, is welcome to develop.
Maybe we can all laugh about it in 15 years when the product is the most used software worldwide. Though I can say, according to the statistics, it's used worldwide, every day a lot of new installations, and not only one-day flies.
So, I am happy to see your reports, proposed fixes or even pull requests at GitHub soon. I already thank you all for sending them in. Let's roll...
Posted by nessa, 03-21-2014, 09:03 PM
You have got to be kidding me.
It's not their job to fix Kloxo's junky code. Your company is the reason Kloxo is bad. You can probably thank Steve and Patrick for all the rootings that didn't happen, due to all of their hard work in trying to keep this industry secure. Do your research bro, and stop defending your sh***y software when it's obvious you guys have no idea what you're doing.
Posted by Steven, 03-22-2014, 12:28 AM
Not entirely sure why I have to do anything at all? This entire panel is riddled with bugs. Maybe the developers of this product should spend some time actually looking at the code instead of telling me what I should do. Until you guys actually make an attempt at fixing this backdoor you call a control panel, I am going to persuade people to stop using it.
Sorry bro, but I don't make bad code bad, the developers of this product make bad code bad.
Last edited by Steven; 03-22-2014 at 12:31 AM.
Posted by kpmedia, 03-22-2014, 12:51 AM
Better free panels = Virtualmin GPL, ISPConfig
Better paid panels = cPanel
There is zero reason to use Kloxo in 2014. It's beyond terrible, and is filled with bugs that affect both stability and security. These are NOT nitpicks either, but serious bugs that make it a dangerous panel to use.
Posted by nessa, 03-22-2014, 12:57 AM
I wish there were enough hours left in the human lifespan to list out all the software that is better than Kloxo.
Posted by Steven, 03-22-2014, 01:14 AM
Mysql restore database function runs as root which means:
Inside the database backup runs the command as root.
Posted by Lx_Danny, 03-22-2014, 05:59 AM
Thanks Steven for pointing to some of the problems.
The background is simple: LxCenter is not a company. We saved the products from dying years ago when the CEO at LxLabs hung himself. The community itself voted for a Consortium and we got a backup of the sources that was in bad shape. Then we and the family of LxLabs decided to make the software open source.
There has been no company since then. Though I am the only one left from the Consortium. I keep running the servers and do some easy developing because I am not a pro. Through the years, developers come and go. At some point we had a development manager, but he left. Still there are just 2/3 people doing some development.
We just cannot pull the plug; there are too many installations and the community itself does not want that either. So we do our best to keep it running.
We just need security reports and people that want to help fix that. The 2/3 developers now are just having fun with the products and dedicate their free time to LxCenter.
I had my own company in the past with HyperVM. I had cPanel, DirectAdmin and Plesk (Windows) running for clients. Though before I could migrate to Kloxo, the financial crisis did its thing to my client base. A lot of clients just stopped. And with the commercial panels, I had to pay too much for licenses. At some point more money had to be paid than was being made. So I shut down my company. What I want to say with this is that I am not a user anymore but still like the software a lot.
Kloxo is nice software. A good competitor to all the other panels out there. It just needs developers, testers and security reports.
So all readers out there, you are all welcome to help.
I really would be happy if people sent in security reports before making them public. Now, because you, Steven, showed some ways in this thread, that makes you a bad person that makes the software bad. That is what I meant above.
Now you have again triggered a way for hackers etc. to do things. Keep the reports private please. And as usual, if a company/project is not responding to/fixing the detected bugs, then you may post it publicly. That is the right way to handle it.
So if, let's say, a lot of hosting companies are hacked by your posted findings, then it's your fault. Not ours.
P.S. You can remove your zero-day Kloxo report from your website as that one is actually fixed.
Posted by Steven, 03-22-2014, 11:22 AM
What Kloxo is, is a piece of crap, and until it's either off the internet or someone takes serious effort into making it secure I am going to troll it. Sorry, but I want a safe hosting industry and I am not going to let this slide under the radar.
Until Kloxo no longer runs everything as root it will never be secure, end of story. So why don't you start working on that so I can shut up, rather than telling me what to do.
People are using Kloxo without any clue how much at risk they are. People are hosting customers on Kloxo and any of those customers can reset the root password within minutes and then log in and destroy the server.
That kills the server owners livelihood.
You are enabling people to be insecure, and that is disgusting to me.
If I have to, I will make an entire website dedicated to how much kloxo sucks.
Regarding the zero day report.. It will not be removed. THOUSANDS of kloxo installations were compromised and used to attack bank of america's network. Hundreds of vps nodes crashed due to these attacks..
Hell even metasploit released a module:
Don't care, I warned you there were issues in this thread and other threads and you didn't do anything proactive about it. You are supporting software that is basically Swiss cheese!
It's not like this is hard; it's only a matter of time before an attacker finds something and starts using it privately and people start wondering 'how' they got hacked.
Posted by Lx_Danny, 03-22-2014, 12:20 PM
Well, I troll back.
Your website has old information.
The Metasploit module has old information.
It is fixed. The SQL injection is not possible anymore.
It seems you know the code better than we do. So again, reports, reports, reports.
You want a safe hosting industry? Then ****ing help or shut up. Yep, I troll back.
Please make a dedicated website. Put all your findings there. No problem with that. That's what we need, right? Then things can be fixed.
Still, we have now been busy talking for a day, and you could have sent in a report of your current findings. I bet you are still hunting your Kloxo installation. You are a happy Kloxo user because you are happy to hunt bugs and to troll.
The next Kloxo version is going to be released in an hour or so. The docroot input is fixed (a quick and dirty one until the complete sanitizing is figured out; I am not a pro so it can take weeks or months to figure that out. You could help us rather than trolling...).
All the exploits ever published are in fact fixed. So every Kloxo exploit is old news.
Yet there are many undiscovered bugs, yes. That's why we need reports and developers that know the ins and outs.
So again, and again... reports.
Next time a big attack or hack is done I blame you until you help.
Posted by Steven, 03-22-2014, 01:10 PM
Blame me all you want, you are supporting a piece of ****. It is YOU who is not proactively trying to fix the code. I have pointed out several times that there are issues and all you are doing is sitting back expecting someone to do your job for you. If you don't want to proactively try and fix the code then you may as well just leave the project.
For what it's worth, I don't need to hunt my Kloxo install any longer; I have a list of 9 new exploits that I am just going to hold on to, until the next time I see Kloxo recommended.
The post on our website was posted before you released a patch, so therefore it is not old news.
I will never help you with your code, because honestly kloxo is such a piece of crap that I would never allow my customers to use it. As far as I am concerned, no one should be using this product if they care about not getting hacked. I haven't even audited the source code, everything I have found was just playing with the user panel.
Enjoy your backdoor you call Kloxo, and thank you for letting down all of your users who are potentially vulnerable due to your lack of proactively fixing issues.
All you do is fix what is reported; instead you could find these issues yourself. It's not hard. Grow up, instead of passing the blame.
Last edited by Steven; 03-22-2014 at 01:23 PM.
Posted by kpmedia, 03-22-2014, 02:56 PM
Even with my limited experience in some areas, I was able to find serious Kloxo bugs and exploits in the past. It's really a fubar piece of crap. I've been warning others about it for almost 2 years now.
It's not secure, outdated as can be feature-wise, and not very user friendly at all.
It needs to just die and go away now.
(I could say the same for DirectAdmin to be honest, as far as features/friendliness goes. ZPanel is a piece of insecure feature-less crap as well.)
Some of us are not hosts on WHT, but have experience in related areas, and want to help (or warn!) others. I very much enjoy reading Steven's posts, and am glad to have found him on WHT years ago. Neither he nor I nor others will spend our time to fix your crap. Either fix it yourself, or close the project, as it does a great disservice to newbies that don't know any better, and are hacked because of it.
Posted by Patrick, 03-22-2014, 09:08 PM
The software is garbage and I mean no disrespect to anyone who is trying to make it better. It was garbage from day one and the current owners, or whoever is managing the product... took on that massive cluster f*ck and have been stringing it along since.
My advice: Start over with a fresh code base.
I'm sure people would love us (RACK911) to do a free audit of the product like we do with so many... but we look at how common it is and whether or not there's hope for the product in the long term. There's no hope for Kloxo so we would just be wasting our time, sorry to say.
Posted by PLE, 03-23-2014, 04:40 AM
Well, I did, and many of my reports have been either ignored or closed.
For example, the exploit from the Metasploit website was reported back in October 2012. Information about it was posted on your forum and even on your developer mailing list. I have provided Will/Shazar (one of your developers) full logs of this attack. It was fixed 15 months later in Kloxo 6.1.13.
Kloxo also has some annoyances, such as breaking older pre-UTF-8 websites: http://project.lxcenter.org/issues/944. One issue that was never fixed because Kloxo "is an international project". You guys should really read the Apache documentation.
Posted by Steven, 03-23-2014, 09:54 AM
They are pathetic.
Posted by Steven, 03-23-2014, 10:13 AM
Yo Lx_Danny, nice attempt at correcting that security hole