Hello Jose We have been using and testing aaPanel for a few months now, so far there have been no complaints, but now there is a serious problem that is caused by an extremely large number of attacks from the network and IP inventory baidu.com and so on is in turn connected to BaoTa which is a fork of BaoTa. This post is about tracking aaPanel https://www.aapanel.com/forum/d/1504-about-the-tracking-code-of-the-aapanel-installation-script/6 So please openly and transparently these tracking codes are used to attack web servers. There is no other way to explain it, 90% of the IPs that attack our systems are from this network and all of our customers are currently experiencing the same problems! So please comment on this

This news is very dangerous for us

[unknown] baidu and bt.cn both are chinese!!!

lol... share more details about the attack (port, dest, layer, examples?). how are you relating these ip's with baota/aapanel? where are the proofs of what you're saying?

We use various tools and we have a firewall from its log, we can see where the attacks come from, plus some other network monitoring tools and you can use this to determine where and from which network the IPs come. https://www.ultratools.com/tools/ipWhoisLookup but we still have many far-reaching options that I do not want to explain further here (company secrets). Source: whois.apnic.netIP Address: 106.12.215.244 % [whois.apnic.net] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html % Information related to '106.12.0.0 - 106.13.255.255' % Abuse contact for '106.12.0.0 - 106.13.255.255' is ' ipas@cnnic.cn ' inetnum: 106.12.0.0 - 106.13.255.255 netname: Baidu descr: Beijing Baidu Netcom Science and Technology Co., Ltd. descr: Baidu Plaza, No.10, Shangdi 10th street, descr: Haidian District Beijing, 100080 admin-c: SD753-AP tech-c: SD753-AP country: CN mnt-by: MAINT-CNNIC-AP mnt-lower: MAINT-CNNIC-AP mnt-irt: IRT-CNNIC-CN mnt-routes: MAINT-CNNIC-AP status: ALLOCATED PORTABLE last-modified: 2015-01-28T09: 58: 01Z source: APNIC irt: IRT-CNNIC-CN address: Beijing, China e-mail: ipas@cnnic.cn abuse-mailbox: ipas@cnnic.cn admin-c: IP50-AP tech-c: IP50-AP auth: # Filtered remarks: Please note that CNNIC is not an ISP and is not remarks: empowered to investigate complaints of network abuse. remarks: Please contact the tech-c or admin-c of the network. mnt-by: MAINT-CNNIC-AP last-modified: 2017-11-01T08: 57: 39Z source: APNIC person: Supeng Deng nic-hdl: SD753-AP address: No.6 2nd North Street Haidian District Beijing country: CN phone: + 86-10-58003402 fax-no: + 86-10-58003402 e-mail: zhangyukun@baidu.com mnt-by: MAINT-CNNIC-AP last-modified: 2016-11-01T08: 04: 01Z source: APNIC % Information related to '106.12.192.0/18AS38365' route: 106.12.192.0/18 descr: Baidu country: CN origin: AS38365 notify: zhangyukun@baidu.com mnt-by: MAINT-CNNIC-AP last-modified: 2017-12-21T08: 06: 02Z source: APNIC % Information related to '106.12.192.0/18AS55967' route: 106.12.192.0/18 descr: Baidu country: CN origin: AS55967 notify: zhangyukun@baidu.com mnt-by: MAINT-CNNIC-AP last-modified: 2017-12-21T08: 06: 02Z source: APNIC % This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-US4) almost all attacks come from the network from 106.12.0.0 - 106.13.255.255 and a few more of which we trace up to netname: Baidu descr: Beijing Baidu Netcom Science and Technology Co., Ltd. descr: Baidu Plaza, No.10, Shangdi 10th street, descr: Haidian District Beijing, 100080 could trace back, using vpn / proxyserver.

this is just a small excerpt, we can count thousands of attacks from this and last month. almost all of them went from the IP range 106.12.0.0 to 106.12.255.255 from the area of Haidian District Beijing, 100080 2020-06-14 23:48:02 94.102.56.151 Received / blocked user_agent 2020-06-14 23:47:58 94.102.56.151 Received / blocked user_agent 2020-06-14 20:44:14 174.86.121.243 Get /configuration.php.swp Blocked 2020-06-14 20:44:07 84.138.42.168 received /configuration.php blocked url 2020-06-14 20:43:57 19.153.97.227 Obtained /configuration.php.bak Blocked 2020-06-14 20:43:54 108.208.61.1 Get /configuration.php.old Blocked

block this IP class + use Fail2Ban for all services + use CloudFlare to proxy all websites on server

KrzysztofMaciejewski it's about aaPanel being used to hack servers, I can't tell my customers what and who to block, I recommend it to everyone. Do you have any other questions from Germany? Hesse?

i dont see any proof - its normal attack from "friendly" country could happen to anyone

Hello CQT We have no collecting other information other than collecting the installation information stated in the above post. Do you see any attacks against the panel? If it is, I think it is just a normal scanner scan

so because is a chinese ip you think is aapanel the source? .... ok XD anyway i still don't see any proof

Hacking attacks with and through aaPanel

gacott

aaPanel_Jose What are we still getting from *.bt.cn? There is no way to move that stuff off of them and onto somewhere else?

aaPanel_Jose

gacott
The domain name of our software download node is download.bt.cn, and there are other nodes in

/www/server/panel/data/node.json

CQT

aaPanel_Jose the api to the node is a problem, as long as you cannot pull the download without the api, you are dependent on the node and as long as the ips can be tracked.

the user who creates here via the db: INSERT INTO users (id, username,password, login_ip,login_time, phone,email) VALUES
(1, 'admin', '21232f297a57a5a743894a0e4a801fc3', '192.168.0.10', '2016-12-10 15:12:56', 0, '287962566@qq.com');

Many of the attacks come from the same, namely from Guangdong Communication Co.Ltd. ASN 9808

All attacks are conducted via our own proxy servers or others, but ultimately from the regions of BT.CN and Shenzhen Tencent Computer Systems Company Limited ASN 45090

backlinks like libList.conf :: "help": "http://www.bt.cn/bbs",
it is very helpful to prepare such attacks, because they alone provide enough information about which ip the panel is installed on.

CQT

aaPanel_Jose hello two minutes after the installation the attacks started, not with the ips from node.json, but from the same network operator. We left out the proxy and firewall to see if anything changes and nothing changes. So we can assume that the download requests at the node will be used to track and record the IPS. you have to make sure that the node from bt.cn can no longer be used, we are already trying to load the stuff from the node, but are currently facing problems with it, we had to host the whole thing ourselves, so one clean installation would be possible! So everything that is necessary from the node must be cleaned on another server and first. otherwise aaPanel cannot become what you / your want to achieve. It would also be an absolute risk since all server clients would be contaminated by customers.

gacott

CQT Great info, this is what I was getting at and thought something like this was going on. IMO, if we (as a community) want to see this become a successful panel, we need to disengage this from bt. Also, yeah I think this very well may be how they are getting in.

CQT the user who creates here via the db: INSERT INTO users (id, username,password, login_ip,login_time, phone,email) VALUES
(1, 'admin', '21232f297a57a5a743894a0e4a801fc3', '192.168.0.10', '2016-12-10 15:12:56', 0, '[287962566@qq.com](mailto:287962566@qq.com)');

aapanel_user

gacott you can fork the panel and do whatever you want. What's the problem?

waikey

still waiting for response! I have use aapanel on several VPS and everything is OK! Aso I use the Chinese Version BT Panel. ..

Baidu is NO1 SE company in China so I think someone is using their IP as bridge to attacke

or maybe it's Baidu's spider ? try to ban the Baidu's spider in the robots.txt

gacott

waikey It would be a SUPER aggressive spider. Blocking in robots.txt will do nothing, these are attacks on ports.

CQT

waikey We don't want to come to China and data protection now, it doesn't matter which company comes from. China has never been a country that values data protection. That's why I don't put everyone under general suspicion, but I trust state-owned companies like my ex-wife. Not directly related to aaPanel, but to NO1 SE. Everyone knows that everything and that is spied on and I also know a little bit about the politics of China. According to this sentence, I would be a dead man in China.

TheWormsUnited

CQT you clearly dont know what you are talking about. I lived and visit China several times per year so your affirmations are not accurate at all. I am sorry thats not correct.

China offers several business and services, we cannot state and talk about politics on a webhosting control panel forum, makes no sense at all. Let's keep it to the topic.

gacott

aapanel_user WTF are you talking about? I'm trying to help make a better panel, HERE! Why are you talking about forking it? Is there something wrong about contributing to this project? Do I have to fork and start my own to contribute?

CQT

TheWormsUnited you're right politics has no business here. I will hold back in this regard in the future.
We all want the same thing, that aaPanel gets better and spreads more

aaPanel_Jose

Currently aaPanel is gradually getting rid of its dependence on bt.cn, but it will take time

KrzysztofMaciejewski

aaPanel_Jose i like this

CQT

aaPanel_Jose Glad to hear that we are currently merging the firewall and Fail2ban so that there is only one tab left.

angelboy

With good reason I also have attack problems in some VPS, I suspected it and changed the panel, How good that they separate from bt.cn.

cib3r

Dear all . I am a new user to private VPS and found aaPanel to install. I came across this thread by CQT who posts some very valid points. Now I am happy with the service of aaPanel. BUT.... I had to block the whole of China IP due to massive attacks on ssh port 22 ( f2ban was reporting 50,000+ attempts in 48hrs)

Basically has the link to a new install of aaPanel opening up your server IP address being 'smeared' hence attacked been proved or not?

Do I just accept this is the 'game' of server admin ... this is a 2nd hand IP address and is now exposed anyway.

CQT / gacott did u continue with aaPanel ?

deewinc

cib3r BUT.... I had to block the whole of China IP due to massive attacks on ssh port 22 ( f2ban was reporting 50,000+ attempts in 48hrs)

I don't think this is a problem of aaPanel or because aaPanel is made in China. I have CyberPanel and attacks coming from China are usually massive. Change the SSH port to something else. This helped to block out the server-side attacks to zero.

CyberPanel also supports CSF and that's so robust and keeps website safe.

swsemnto

@cib3r can you tell us what setting you put on your f2ban?

thank you

adk

CQT
106.12.0.0 - 106.13.255.255 this seems to be China's search engine Baidu crawler robot.

swsemnto

my fail2ban log
anti-cc
screenshot1
ssh
screenshot2

« Previous Page Next Page »