Hello Jose We have been using and testing aaPanel for a few months now, so far there have been no complaints, but now there is a serious problem that is caused by an extremely large number of attacks from the network and IP inventory baidu.com and so on is in turn connected to BaoTa which is a fork of BaoTa. This post is about tracking aaPanel https://www.aapanel.com/forum/d/1504-about-the-tracking-code-of-the-aapanel-installation-script/6 So please openly and transparently these tracking codes are used to attack web servers. There is no other way to explain it, 90% of the IPs that attack our systems are from this network and all of our customers are currently experiencing the same problems! So please comment on this

This news is very dangerous for us

[unknown] baidu and bt.cn both are chinese!!!

lol... share more details about the attack (port, dest, layer, examples?). how are you relating these ip's with baota/aapanel? where are the proofs of what you're saying?

We use various tools and we have a firewall from its log, we can see where the attacks come from, plus some other network monitoring tools and you can use this to determine where and from which network the IPs come. https://www.ultratools.com/tools/ipWhoisLookup but we still have many far-reaching options that I do not want to explain further here (company secrets). Source: whois.apnic.netIP Address: 106.12.215.244 % [whois.apnic.net] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html % Information related to '106.12.0.0 - 106.13.255.255' % Abuse contact for '106.12.0.0 - 106.13.255.255' is ' ipas@cnnic.cn ' inetnum: 106.12.0.0 - 106.13.255.255 netname: Baidu descr: Beijing Baidu Netcom Science and Technology Co., Ltd. descr: Baidu Plaza, No.10, Shangdi 10th street, descr: Haidian District Beijing, 100080 admin-c: SD753-AP tech-c: SD753-AP country: CN mnt-by: MAINT-CNNIC-AP mnt-lower: MAINT-CNNIC-AP mnt-irt: IRT-CNNIC-CN mnt-routes: MAINT-CNNIC-AP status: ALLOCATED PORTABLE last-modified: 2015-01-28T09: 58: 01Z source: APNIC irt: IRT-CNNIC-CN address: Beijing, China e-mail: ipas@cnnic.cn abuse-mailbox: ipas@cnnic.cn admin-c: IP50-AP tech-c: IP50-AP auth: # Filtered remarks: Please note that CNNIC is not an ISP and is not remarks: empowered to investigate complaints of network abuse. remarks: Please contact the tech-c or admin-c of the network. mnt-by: MAINT-CNNIC-AP last-modified: 2017-11-01T08: 57: 39Z source: APNIC person: Supeng Deng nic-hdl: SD753-AP address: No.6 2nd North Street Haidian District Beijing country: CN phone: + 86-10-58003402 fax-no: + 86-10-58003402 e-mail: zhangyukun@baidu.com mnt-by: MAINT-CNNIC-AP last-modified: 2016-11-01T08: 04: 01Z source: APNIC % Information related to '106.12.192.0/18AS38365' route: 106.12.192.0/18 descr: Baidu country: CN origin: AS38365 notify: zhangyukun@baidu.com mnt-by: MAINT-CNNIC-AP last-modified: 2017-12-21T08: 06: 02Z source: APNIC % Information related to '106.12.192.0/18AS55967' route: 106.12.192.0/18 descr: Baidu country: CN origin: AS55967 notify: zhangyukun@baidu.com mnt-by: MAINT-CNNIC-AP last-modified: 2017-12-21T08: 06: 02Z source: APNIC % This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-US4) almost all attacks come from the network from 106.12.0.0 - 106.13.255.255 and a few more of which we trace up to netname: Baidu descr: Beijing Baidu Netcom Science and Technology Co., Ltd. descr: Baidu Plaza, No.10, Shangdi 10th street, descr: Haidian District Beijing, 100080 could trace back, using vpn / proxyserver.

this is just a small excerpt, we can count thousands of attacks from this and last month. almost all of them went from the IP range 106.12.0.0 to 106.12.255.255 from the area of Haidian District Beijing, 100080 2020-06-14 23:48:02 94.102.56.151 Received / blocked user_agent 2020-06-14 23:47:58 94.102.56.151 Received / blocked user_agent 2020-06-14 20:44:14 174.86.121.243 Get /configuration.php.swp Blocked 2020-06-14 20:44:07 84.138.42.168 received /configuration.php blocked url 2020-06-14 20:43:57 19.153.97.227 Obtained /configuration.php.bak Blocked 2020-06-14 20:43:54 108.208.61.1 Get /configuration.php.old Blocked

block this IP class + use Fail2Ban for all services + use CloudFlare to proxy all websites on server

KrzysztofMaciejewski it's about aaPanel being used to hack servers, I can't tell my customers what and who to block, I recommend it to everyone. Do you have any other questions from Germany? Hesse?

i dont see any proof - its normal attack from "friendly" country could happen to anyone

Hello CQT We have no collecting other information other than collecting the installation information stated in the above post. Do you see any attacks against the panel? If it is, I think it is just a normal scanner scan

so because is a chinese ip you think is aapanel the source? .... ok XD anyway i still don't see any proof

Hacking attacks with and through aaPanel

gacott

waikey It would be a SUPER aggressive spider. Blocking in robots.txt will do nothing, these are attacks on ports.

CQT

waikey We don't want to come to China and data protection now, it doesn't matter which company comes from. China has never been a country that values data protection. That's why I don't put everyone under general suspicion, but I trust state-owned companies like my ex-wife. Not directly related to aaPanel, but to NO1 SE. Everyone knows that everything and that is spied on and I also know a little bit about the politics of China. According to this sentence, I would be a dead man in China.

TheWormsUnited

CQT you clearly dont know what you are talking about. I lived and visit China several times per year so your affirmations are not accurate at all. I am sorry thats not correct.

China offers several business and services, we cannot state and talk about politics on a webhosting control panel forum, makes no sense at all. Let's keep it to the topic.

aapanel_user

gacott you can fork the panel and do whatever you want. What's the problem?

gacott

aapanel_user WTF are you talking about? I'm trying to help make a better panel, HERE! Why are you talking about forking it? Is there something wrong about contributing to this project? Do I have to fork and start my own to contribute?

CQT

TheWormsUnited you're right politics has no business here. I will hold back in this regard in the future.
We all want the same thing, that aaPanel gets better and spreads more

aaPanel_Jose

Currently aaPanel is gradually getting rid of its dependence on bt.cn, but it will take time

KrzysztofMaciejewski

aaPanel_Jose i like this

CQT

aaPanel_Jose Glad to hear that we are currently merging the firewall and Fail2ban so that there is only one tab left.

angelboy

With good reason I also have attack problems in some VPS, I suspected it and changed the panel, How good that they separate from bt.cn.

cib3r

Dear all . I am a new user to private VPS and found aaPanel to install. I came across this thread by CQT who posts some very valid points. Now I am happy with the service of aaPanel. BUT.... I had to block the whole of China IP due to massive attacks on ssh port 22 ( f2ban was reporting 50,000+ attempts in 48hrs)

Basically has the link to a new install of aaPanel opening up your server IP address being 'smeared' hence attacked been proved or not?

Do I just accept this is the 'game' of server admin ... this is a 2nd hand IP address and is now exposed anyway.

CQT / gacott did u continue with aaPanel ?

deewinc

cib3r BUT.... I had to block the whole of China IP due to massive attacks on ssh port 22 ( f2ban was reporting 50,000+ attempts in 48hrs)

I don't think this is a problem of aaPanel or because aaPanel is made in China. I have CyberPanel and attacks coming from China are usually massive. Change the SSH port to something else. This helped to block out the server-side attacks to zero.

CyberPanel also supports CSF and that's so robust and keeps website safe.

swsemnto

@cib3r can you tell us what setting you put on your f2ban?

thank you

adk

CQT
106.12.0.0 - 106.13.255.255 this seems to be China's search engine Baidu crawler robot.

swsemnto

my fail2ban log
anti-cc
screenshot1
ssh
screenshot2

Vereato

Yes my aapanel username and password was changed
and the web scripts i have hosted was stolen from my ubuntu
and i remote the connections where came from and from china

same network as aapanel

wireshark is the best network app for track any hacking

aapanel its free open source what do you expect about this nothing in this world its free without any
trade

if was a paid software they will have more security and not hacking but its free and open source
we do not know what is behind

track your PCS using wireshark

aapanel they are controlling your server and still what you have hosted

aaPanel_Captain

Vereato Our code is open source, you can review the code at any time

Vereato

aaPanel_Captain

as your software its open source so give me the full source code to install as my own
and not install from your servers

installing from url links and from your server i do not know what comes inside my server
my aapanel was changed my username and password was changed and
i was stoped to add more websites i just have 5 websites running and to add more gived me errors
my username and password was changed and i m just the only person on here who has access to the aapanel

no one else

i trace using wireshark and you are remote controlled to aapanel servers you guys are still people information and stilling people websites and information as credit card and have access to databases

Vereato

i will contact interpol police and net police for investigation

good luck

aapanel_user

I'll just leave it here

Vereato i always use the same credentials for all my PCs its the same password and username

« Previous Page Next Page »