1

I have this VPS Ubuntu v12.04 Server running with DigitalOcean.
Zpanel/Apache/PHP stack was installed on the Server.

For the past few days it was occasionally down.
Initially, I didn't know what happen until I saw the network graph.

Peaks

There are outbound peaks of ard more than 1Gbps at the time of server down.
Here was the netstat's result at the time:

tcp        0      0 localhost:50725      localhost:https      TIME_WAIT  
tcp        0      0 my.public.ip:http    someip:51369         FIN_WAIT2  
tcp        0      0 my.public.ip:http    someip:54377         FIN_WAIT2  
tcp        0      0 my.public.ip:45655   69.xxx.xx.xxx:9001   ESTABLISHED  
tcp        0      0 my.public.ip:http    someip:31125         FIN_WAIT2

The line with 69.xxx.xx.xxx was particularly suspicious.
Currently my quick fix is to use ufw to disable all outgoing traffic and block all connection from 69.xxx.xx.xxx.
But I'm still not sure of the point of entry. How do I fill the hole that left my server vulnerable.

Any advice would be appreciated. I have read suggestions of just wiping the entire server and reinstalling. In my case, this is not really an option.

Could the attacker exploit a vulnerability in our website's PHP to gain an access?

Update
So I have found out the way he got in. Some how using FTP he created a file xxx.php in one of the /etc/zpanel/lib folder which read system($_REQUEST["xxx"])

The zpanel default settings leave permission of /etc/zpanel as 0777 and I'm not sure if it will work setting it otherwise.
Really a big security hole...

Anyone here using zpanel?
I need to know what the correct secured settings are since they totally closed their old forum. There is limited access to support questions through Google Cached!

Do you have any idea how did they gained access, and could this really cause the huge outbound traffic. The owner of the malicious file is www-data which is the user for Apache.

rav_kr
  • 119
  • 4
Nathan Do
  • 113
  • 5
  • Hey Xander, I will read that but every case can be a bit different. So I think this should still be here. – Nathan Do Oct 02 '14 at 07:44
  • Hi, I have added an update. If you have further advise, please feel free to add in. – Nathan Do Oct 02 '14 at 07:51
  • 1
    What is it that you asking? You've found the vulnerability – Ulkoma Oct 02 '14 at 08:06
  • Hi ULkoma, I wanna be certain whether this could actually cause the traffic outbound or it was sth else. If not this is just a small part of the problems. Updated with more questions – Nathan Do Oct 02 '14 at 08:46
  • You might have a bug in your PHP site that allows for file creation? If your zpanel is dead, then it is also not being updated/patched? I'd replace zpanel ASAP, but you seem to know that. I'm not sure what you're asking here. – schroeder Oct 02 '14 at 14:56

0 Answers0