Hello Jose We have been using and testing aaPanel for a few months now, so far there have been no complaints, but now there is a serious problem that is caused by an extremely large number of attacks from the network and IP inventory baidu.com and so on is in turn connected to BaoTa which is a fork of BaoTa. This post is about tracking aaPanel https://www.aapanel.com/forum/d/1504-about-the-tracking-code-of-the-aapanel-installation-script/6 So please openly and transparently these tracking codes are used to attack web servers. There is no other way to explain it, 90% of the IPs that attack our systems are from this network and all of our customers are currently experiencing the same problems! So please comment on this

This news is very dangerous for us

[unknown] baidu and bt.cn both are chinese!!!

lol... share more details about the attack (port, dest, layer, examples?). how are you relating these ip's with baota/aapanel? where are the proofs of what you're saying?

We use various tools and we have a firewall from its log, we can see where the attacks come from, plus some other network monitoring tools and you can use this to determine where and from which network the IPs come. https://www.ultratools.com/tools/ipWhoisLookup but we still have many far-reaching options that I do not want to explain further here (company secrets). Source: whois.apnic.netIP Address: 106.12.215.244 % [whois.apnic.net] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html % Information related to '106.12.0.0 - 106.13.255.255' % Abuse contact for '106.12.0.0 - 106.13.255.255' is ' ipas@cnnic.cn ' inetnum: 106.12.0.0 - 106.13.255.255 netname: Baidu descr: Beijing Baidu Netcom Science and Technology Co., Ltd. descr: Baidu Plaza, No.10, Shangdi 10th street, descr: Haidian District Beijing, 100080 admin-c: SD753-AP tech-c: SD753-AP country: CN mnt-by: MAINT-CNNIC-AP mnt-lower: MAINT-CNNIC-AP mnt-irt: IRT-CNNIC-CN mnt-routes: MAINT-CNNIC-AP status: ALLOCATED PORTABLE last-modified: 2015-01-28T09: 58: 01Z source: APNIC irt: IRT-CNNIC-CN address: Beijing, China e-mail: ipas@cnnic.cn abuse-mailbox: ipas@cnnic.cn admin-c: IP50-AP tech-c: IP50-AP auth: # Filtered remarks: Please note that CNNIC is not an ISP and is not remarks: empowered to investigate complaints of network abuse. remarks: Please contact the tech-c or admin-c of the network. mnt-by: MAINT-CNNIC-AP last-modified: 2017-11-01T08: 57: 39Z source: APNIC person: Supeng Deng nic-hdl: SD753-AP address: No.6 2nd North Street Haidian District Beijing country: CN phone: + 86-10-58003402 fax-no: + 86-10-58003402 e-mail: zhangyukun@baidu.com mnt-by: MAINT-CNNIC-AP last-modified: 2016-11-01T08: 04: 01Z source: APNIC % Information related to '106.12.192.0/18AS38365' route: 106.12.192.0/18 descr: Baidu country: CN origin: AS38365 notify: zhangyukun@baidu.com mnt-by: MAINT-CNNIC-AP last-modified: 2017-12-21T08: 06: 02Z source: APNIC % Information related to '106.12.192.0/18AS55967' route: 106.12.192.0/18 descr: Baidu country: CN origin: AS55967 notify: zhangyukun@baidu.com mnt-by: MAINT-CNNIC-AP last-modified: 2017-12-21T08: 06: 02Z source: APNIC % This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-US4) almost all attacks come from the network from 106.12.0.0 - 106.13.255.255 and a few more of which we trace up to netname: Baidu descr: Beijing Baidu Netcom Science and Technology Co., Ltd. descr: Baidu Plaza, No.10, Shangdi 10th street, descr: Haidian District Beijing, 100080 could trace back, using vpn / proxyserver.

this is just a small excerpt, we can count thousands of attacks from this and last month. almost all of them went from the IP range 106.12.0.0 to 106.12.255.255 from the area of Haidian District Beijing, 100080 2020-06-14 23:48:02 94.102.56.151 Received / blocked user_agent 2020-06-14 23:47:58 94.102.56.151 Received / blocked user_agent 2020-06-14 20:44:14 174.86.121.243 Get /configuration.php.swp Blocked 2020-06-14 20:44:07 84.138.42.168 received /configuration.php blocked url 2020-06-14 20:43:57 19.153.97.227 Obtained /configuration.php.bak Blocked 2020-06-14 20:43:54 108.208.61.1 Get /configuration.php.old Blocked

block this IP class + use Fail2Ban for all services + use CloudFlare to proxy all websites on server

KrzysztofMaciejewski it's about aaPanel being used to hack servers, I can't tell my customers what and who to block, I recommend it to everyone. Do you have any other questions from Germany? Hesse?

i dont see any proof - its normal attack from "friendly" country could happen to anyone

Hello CQT We have no collecting other information other than collecting the installation information stated in the above post. Do you see any attacks against the panel? If it is, I think it is just a normal scanner scan

so because is a chinese ip you think is aapanel the source? .... ok XD anyway i still don't see any proof

Hacking attacks with and through aaPanel

swsemnto

@cib3r can you tell us what setting you put on your f2ban?

thank you

adk

CQT
106.12.0.0 - 106.13.255.255 this seems to be China's search engine Baidu crawler robot.

swsemnto

my fail2ban log
anti-cc
screenshot1
ssh
screenshot2

deewinc

cib3r BUT.... I had to block the whole of China IP due to massive attacks on ssh port 22 ( f2ban was reporting 50,000+ attempts in 48hrs)

I don't think this is a problem of aaPanel or because aaPanel is made in China. I have CyberPanel and attacks coming from China are usually massive. Change the SSH port to something else. This helped to block out the server-side attacks to zero.

CyberPanel also supports CSF and that's so robust and keeps website safe.

Vereato

Yes my aapanel username and password was changed
and the web scripts i have hosted was stolen from my ubuntu
and i remote the connections where came from and from china

same network as aapanel

wireshark is the best network app for track any hacking

aapanel its free open source what do you expect about this nothing in this world its free without any
trade

if was a paid software they will have more security and not hacking but its free and open source
we do not know what is behind

track your PCS using wireshark

aapanel they are controlling your server and still what you have hosted

aaPanel_Captain

Vereato Our code is open source, you can review the code at any time

Vereato

aaPanel_Captain

as your software its open source so give me the full source code to install as my own
and not install from your servers

installing from url links and from your server i do not know what comes inside my server
my aapanel was changed my username and password was changed and
i was stoped to add more websites i just have 5 websites running and to add more gived me errors
my username and password was changed and i m just the only person on here who has access to the aapanel

no one else

i trace using wireshark and you are remote controlled to aapanel servers you guys are still people information and stilling people websites and information as credit card and have access to databases

Vereato

i will contact interpol police and net police for investigation

good luck

aapanel_user

I'll just leave it here

Vereato i always use the same credentials for all my PCs its the same password and username

aaP-aris

Hello, I am new to aaPanel. I came to this panel because I was looking at a free solution, alternative to cpanel/plesk and after using webmin/virtualmin, cyber panel, centos web admin, I had to find something more stable. I immediately loved aaPanel. But then, I faced the same problems as discussed in this thread. Many friends of mine who are pentesters faced the same issues even though they have not used aaPanel. Though I confirm that after minutes of fresh installations I got massively attacked by China, USA and Russian and some European IPs. I can see that still the problem discussed here hasn't been solved, to the point that somehow our server IPs are leaked or scraped. Below I will explain the solution I followed and solved my problems. 1- I changed the default ports. 2- I changed the admin URI of my website software and created firewall rules to drop connections on the default admin URI. 3- I DID NOT enable Postfix on the webserver, let the experts deal with it. I use Zoho Mail for all my customers and never have to deal with excessive server load cause of postfix, or mail deliverability or sent messages going to customer's spam folder. 4- Enabled Cloudflare and applied the same firewall rules as on my server's firewall. 5- Now except from the usual users (₁₀₀ customers online), I see on my logs some (limited no) of the attack bots are just browsing the website and aaPanel's load is 1-5% and cpu load 0.5-3%.

aaP-aris

I read that there is a problem with the node list of the installer script. So, I did a little experiment. I installed a new VPS test server. I modified the installer script and removed all node references of the bt.cn domain and I left only the US based node.aapanel.com. After the installation my logs are crystal clear. No attacks, no strange visitors or bots. I wish I knew why isn't this a default setting, as I see in the previous posts since 2020 that bt.cn would be replaced at some point completely from the system!

aaP_ptakx

aaP-aris Please, may you explain me wich files and procedure did you followed to do it so?

I get Hacked this week and OVH totally banned me because they considered it was mi making DDos attacks and sending phishing mails from my system.

This is the first time I experience a situation like this and it happend casually with aapanel after 20 days of usage.

Also, which firewall and antivirus do you recommend to me to install on Centos 7 and set it on fulltime realltime supervisor. I don't want to perform manually system analysis to all my clients.

May you share also your firewall settings to block all this identifyed hackers from Russia and China? Or at least to allow only access to the domain from a specific country?

Thank you very much.

aaP-aris

aaP_ptakx I edited the installer script as I mentioned already. The installer script is this: http://www.aapanel.com/script/install_6.0_en.sh

Line 146: nodes=(http://node.aapanel.com http://128.1.164.196 http://45.76.53.20 http://dg2.bt.cn http://dg1.bt.cn http://123.129.198.197 http://125.88.182.172:5880 http://119.188.210.21:5880 http://120.206.184.160 http://113.107.111.78);
Replaced it with nodes=(http://node.aapanel.com http://128.1.164.196);

Line 184: NODE_URL='http://download.bt.cn';
Replaced it with NODE_URL='http://node.aapanel.com';

Line 219: curl -Ss --connect-timeout 3 -m 60 http://download.bt.cn/install/yumRepo_select.sh|bash
Replaced it with curl -Ss --connect-timeout 3 -m 60 http://note.aapanel.com/install/yumRepo_select.sh|bash

Line 224: getBtTime=$(curl -sS --connect-timeout 3 -m 60 http://www.bt.cn/api/index/get_time)
Replaced it with my own implementation of unix timestamp api, but you can leave it as is.

Line 670: isHosts=$(cat /etc/hosts|grep 'www.bt.cn')
Replaced it with isHosts=$(cat /etc/hosts|grep 'node.aapanel.com')

Line 673: echo "103.224.251.67 www.bt.cn" >> /etc/hosts
Replaced it with echo "104.21.79.196 node.aapanel.com" >> /etc/hosts

Line 677: sed -i "/bt.cn/d" /etc/hosts
Replaced it with sed -i "/node.aapanel.com/d" /etc/hosts

I used iptables, fail2ban and the free version of NGINX Firewall, as well as Cloudflare. I cannot share my firewall rules because they are paid, but Clouflare FREE as a proxy should do the work for you too with minimum settings.

For example if you use Wordpress you should definitely change admin url, and block the old URIs from your server's firewall as well from your Cloudflare Firewall. (Edit) Also, you should protect your new admin login URI, from failed logins or throttle/reject/ban the failed login tries to avoid brute force attacks [this is implemented via various plugins and/or firewall settings].

I did not install Mail Server such as Postfix, most attacks come from there.

From the Security tab you can change the SSH port. You must change the default ports from any service you can.

I enabled aaPanel login notifications, as well as 2FA like Google Authentication.

aaP_admin64

CQT

Ip DB from https://www.ipdeny.com/ are not outdated and updated on Sat Dec 4 12:05:34 UTC 2021

How may I import to the list or to Centos 7 Iptables those files lists?

https://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
and https://www.ipdeny.com/ipv6/ipaddresses/blocks/ipv6-all-zones.tar.gz

aaP-aris

Unfortunately, my very first instance of aaPanel, could not afford more attacks. I get frequent Error 502 Bad gateway from Cloudflare. Many customers are calling to report those incidents because they cannot browse the website normally. Even Cloudflare cannot throttle those bots any more. I see many bots bypass the Cloudflare JS Challenge easily and end up overloading my server. Everytime I create new cloudflare firewall rules the bots get more clever and change their attack methods too. I can see that they are using Proxy pools, as every request they make is from different IP and country and as a result cloudflare cannot assume it's suspicious. I get more than 5-6K (only from bots) requests per hour. And today as a result I lost the customer. As I can see from aaPanels admins they don't care about these incidents, as they have not changed the installation script (the bad nodes) since last year that everybody is talking about it!

aaP-aris

I suggest you move to another panel, a panel that the developers care about security! I am really disappointed because I really liked the panel, but it's like I got infected with those bots because of a repository your panel uses to install and update itself!

aaPanel_Jose

aaP-aris
Hello, according to the script node problem you mentioned, do the following

Delete nodes other than node.aapanel.com
Delete the time synchronization script connected to bt.cn

aaP-aris

Clearly you did not read my previous post (#111-#112 & #114) on this thread, as I not only did what you say, but I wrote instructions to the other users on how to do that! The problem is not that I need to modify the installer script, but that you have not already done that for a year now (after so many discussions) to protect your users!!! We should not have to discuss the basics of security.

Today authorities stepped in to collect data about the attacks, they've already been informed about the cause of the attacks and we'll see what will come of it! My customer will formally open a complaint and lawsuit to those responsible.

Jimmy

As I can see now on installer script for Debian. now all bt.cn links are in comments and use only node.aapanel.com, so maybe now in each subsequent installation it may be safer (?)

aaP-aris

Okay, try explain that to your customer who's been attacked and lost a lot of profit, because of disappointed customers who could not even browse the e-shop website!

Jimmy

aaP-aris

You are right, it is a big problem. I watch logs in CloudFlare and I see unwanted and unexpected traffic from bots mainly from China, Singapore, Russia and other countries searching for phpmyadmin url, for searching files, etc. With some rules I try to avoid them (to reduce) but of course spam not stopping here because spam is going also direct to IP (unbound domainds, etc, I have set a default site setted and I see all traffic and IPs...). Fail2Ban is fully of IPs and I have all ports disabled (and enabled to my proxy IP for restricted-safe access) except 443.

« Previous Page Next Page »