Hello Jose We have been using and testing aaPanel for a few months now, so far there have been no complaints, but now there is a serious problem that is caused by an extremely large number of attacks from the network and IP inventory baidu.com and so on is in turn connected to BaoTa which is a fork of BaoTa. This post is about tracking aaPanel https://www.aapanel.com/forum/d/1504-about-the-tracking-code-of-the-aapanel-installation-script/6 So please openly and transparently these tracking codes are used to attack web servers. There is no other way to explain it, 90% of the IPs that attack our systems are from this network and all of our customers are currently experiencing the same problems! So please comment on this

This news is very dangerous for us

[unknown] baidu and bt.cn both are chinese!!!

lol... share more details about the attack (port, dest, layer, examples?). how are you relating these ip's with baota/aapanel? where are the proofs of what you're saying?

We use various tools and we have a firewall from its log, we can see where the attacks come from, plus some other network monitoring tools and you can use this to determine where and from which network the IPs come. https://www.ultratools.com/tools/ipWhoisLookup but we still have many far-reaching options that I do not want to explain further here (company secrets). Source: whois.apnic.netIP Address: 106.12.215.244 % [whois.apnic.net] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html % Information related to '106.12.0.0 - 106.13.255.255' % Abuse contact for '106.12.0.0 - 106.13.255.255' is ' ipas@cnnic.cn ' inetnum: 106.12.0.0 - 106.13.255.255 netname: Baidu descr: Beijing Baidu Netcom Science and Technology Co., Ltd. descr: Baidu Plaza, No.10, Shangdi 10th street, descr: Haidian District Beijing, 100080 admin-c: SD753-AP tech-c: SD753-AP country: CN mnt-by: MAINT-CNNIC-AP mnt-lower: MAINT-CNNIC-AP mnt-irt: IRT-CNNIC-CN mnt-routes: MAINT-CNNIC-AP status: ALLOCATED PORTABLE last-modified: 2015-01-28T09: 58: 01Z source: APNIC irt: IRT-CNNIC-CN address: Beijing, China e-mail: ipas@cnnic.cn abuse-mailbox: ipas@cnnic.cn admin-c: IP50-AP tech-c: IP50-AP auth: # Filtered remarks: Please note that CNNIC is not an ISP and is not remarks: empowered to investigate complaints of network abuse. remarks: Please contact the tech-c or admin-c of the network. mnt-by: MAINT-CNNIC-AP last-modified: 2017-11-01T08: 57: 39Z source: APNIC person: Supeng Deng nic-hdl: SD753-AP address: No.6 2nd North Street Haidian District Beijing country: CN phone: + 86-10-58003402 fax-no: + 86-10-58003402 e-mail: zhangyukun@baidu.com mnt-by: MAINT-CNNIC-AP last-modified: 2016-11-01T08: 04: 01Z source: APNIC % Information related to '106.12.192.0/18AS38365' route: 106.12.192.0/18 descr: Baidu country: CN origin: AS38365 notify: zhangyukun@baidu.com mnt-by: MAINT-CNNIC-AP last-modified: 2017-12-21T08: 06: 02Z source: APNIC % Information related to '106.12.192.0/18AS55967' route: 106.12.192.0/18 descr: Baidu country: CN origin: AS55967 notify: zhangyukun@baidu.com mnt-by: MAINT-CNNIC-AP last-modified: 2017-12-21T08: 06: 02Z source: APNIC % This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-US4) almost all attacks come from the network from 106.12.0.0 - 106.13.255.255 and a few more of which we trace up to netname: Baidu descr: Beijing Baidu Netcom Science and Technology Co., Ltd. descr: Baidu Plaza, No.10, Shangdi 10th street, descr: Haidian District Beijing, 100080 could trace back, using vpn / proxyserver.

this is just a small excerpt, we can count thousands of attacks from this and last month. almost all of them went from the IP range 106.12.0.0 to 106.12.255.255 from the area of Haidian District Beijing, 100080 2020-06-14 23:48:02 94.102.56.151 Received / blocked user_agent 2020-06-14 23:47:58 94.102.56.151 Received / blocked user_agent 2020-06-14 20:44:14 174.86.121.243 Get /configuration.php.swp Blocked 2020-06-14 20:44:07 84.138.42.168 received /configuration.php blocked url 2020-06-14 20:43:57 19.153.97.227 Obtained /configuration.php.bak Blocked 2020-06-14 20:43:54 108.208.61.1 Get /configuration.php.old Blocked

block this IP class + use Fail2Ban for all services + use CloudFlare to proxy all websites on server

KrzysztofMaciejewski it's about aaPanel being used to hack servers, I can't tell my customers what and who to block, I recommend it to everyone. Do you have any other questions from Germany? Hesse?

i dont see any proof - its normal attack from "friendly" country could happen to anyone

Hello CQT We have no collecting other information other than collecting the installation information stated in the above post. Do you see any attacks against the panel? If it is, I think it is just a normal scanner scan

so because is a chinese ip you think is aapanel the source? .... ok XD anyway i still don't see any proof

Hacking attacks with and through aaPanel

aaP_admin64

CQT

Ip DB from https://www.ipdeny.com/ are not outdated and updated on Sat Dec 4 12:05:34 UTC 2021

How may I import to the list or to Centos 7 Iptables those files lists?

https://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz
and https://www.ipdeny.com/ipv6/ipaddresses/blocks/ipv6-all-zones.tar.gz

aaP-aris

Unfortunately, my very first instance of aaPanel, could not afford more attacks. I get frequent Error 502 Bad gateway from Cloudflare. Many customers are calling to report those incidents because they cannot browse the website normally. Even Cloudflare cannot throttle those bots any more. I see many bots bypass the Cloudflare JS Challenge easily and end up overloading my server. Everytime I create new cloudflare firewall rules the bots get more clever and change their attack methods too. I can see that they are using Proxy pools, as every request they make is from different IP and country and as a result cloudflare cannot assume it's suspicious. I get more than 5-6K (only from bots) requests per hour. And today as a result I lost the customer. As I can see from aaPanels admins they don't care about these incidents, as they have not changed the installation script (the bad nodes) since last year that everybody is talking about it!

aaP-aris

I suggest you move to another panel, a panel that the developers care about security! I am really disappointed because I really liked the panel, but it's like I got infected with those bots because of a repository your panel uses to install and update itself!

aaPanel_Jose

aaP-aris
Hello, according to the script node problem you mentioned, do the following

Delete nodes other than node.aapanel.com
Delete the time synchronization script connected to bt.cn

aaP-aris

Clearly you did not read my previous post (#111-#112 & #114) on this thread, as I not only did what you say, but I wrote instructions to the other users on how to do that! The problem is not that I need to modify the installer script, but that you have not already done that for a year now (after so many discussions) to protect your users!!! We should not have to discuss the basics of security.

Today authorities stepped in to collect data about the attacks, they've already been informed about the cause of the attacks and we'll see what will come of it! My customer will formally open a complaint and lawsuit to those responsible.

Jimmy

As I can see now on installer script for Debian. now all bt.cn links are in comments and use only node.aapanel.com, so maybe now in each subsequent installation it may be safer (?)

aaP-aris

Okay, try explain that to your customer who's been attacked and lost a lot of profit, because of disappointed customers who could not even browse the e-shop website!

Jimmy

aaP-aris

You are right, it is a big problem. I watch logs in CloudFlare and I see unwanted and unexpected traffic from bots mainly from China, Singapore, Russia and other countries searching for phpmyadmin url, for searching files, etc. With some rules I try to avoid them (to reduce) but of course spam not stopping here because spam is going also direct to IP (unbound domainds, etc, I have set a default site setted and I see all traffic and IPs...). Fail2Ban is fully of IPs and I have all ports disabled (and enabled to my proxy IP for restricted-safe access) except 443.

aaP-aris

Jimmy bots are very smart nowadays. They can bypass JS challenges. This says a lot. You should see my Cloudflare dashboard. One minute after I block some countries, the next minute I get requests from countries not seen before in the logs.

klaus

Jimmy That is mostly because IPv4 is reused big times, on OVH i had 600 ssh requests because the ip was reused so don't blame the tool, i'm not sure if this panel is safe but for sure on a production server i won't use any panel not even the paid one's, this one is good for fast dev deployment so is a usefull tool. Who use a panel for production and talk about security and employers that do that and that and they can't make a proper log common sense lol. Look at GoDaddy's cPanel hacking to understand how secure it was.

With this one you have the source code atleast but i still not recommend to use any panel in a production server.

Jimmy

Maybe we should find an alternative panel for better security or wait a big update...

aaP-aris

Jimmy Why wait for update of a software that was not built with fundamental security?

deewinc

Jimmy Maybe we should find an alternative panel for better security or wait a big update...

Cyberpanel is much better. They hired Rack911 to help tighten the security. Keep in mind, they were not badly off in terms of security. https://rack911labs.ca/research/security-analysis-of-alternative-control-panels/

aaPanel should follow suit.

aapanel_power We attach great importance to user feedback on security-related issues, because we ourselves are a company that does security operations and maintenance, and if our products are questioned, all our employees will feel bad about it!

You need an independent third-party company to conduct a security audit of aaPanel. There will always be smart asses out there and that's why an independent audit is important.

Jimmy

aaP-aris

So, what free and open source panel you suggest as a alternative?

aaP-aris

Jimmy I will return on FASTPANEL which is a perfect free alternative, but lacks some GUI tools that aaPanel has (which is what caught my attention). You can use them via CLI though.

Jimmy

aaP-aris

Oh yes. I finally found one! I also use FastPanel, I agree that is a perfect alternanative with quick ticket support and more stability. Some specs lacks but is very good on speed, uses different accounts for sites, very low use of memory and mainly Apache + Nginx is perfect (backend go very fast). General FastPanel has logic but needs a better deploy, some parts are a litle mysterious.

aaP-aris

I AGREE 100% 😃 !!!

maverick

heh FastPanel didn't know that one, going to test it!

aaP_admin64

CQT Suggestion! Connect the sys firewall and geoip under one tab. Write Config in such a way that both get the DB from one source (folder) and can access it at the same time. Furthermore, the IP and the entire IP range are queried, which can then be blocked using a button, but which the user can decide for himself whether only the individual IP (Geoip is blocked or the entire network of the IP operator). Then integrate the NGINX firewall into the whole. Because on the one hand it is very confusing, and I also think that everything does not work together so harmoniously.

Which is the full procedure to integrate them all?

Thank you very much

aapanel_power

Make a unified response, our panel is open source, github address: https://github.com/aaPanel/BaoTa
In addition I read most of the responses, is some targeted scanning, such as phpmyadmin use of port 888, redis use of port 6379, if you do not use phpmyadmin or redis, you can remove these ports in the panel security, if you use phpmyadmin, redis, I also do not recommend that you use the default If you use phpmyadmin and redis, I don't recommend you to use the default ports, you can modify them to other ports that are not used by other services. In addition, the service permissions on the panel are accessed by localhost|127.0.0.1 by default, except for the ports that are needed on the panel such as 8888 80 443.
We attach great importance to user feedback on security-related issues, because we ourselves are a company that does security operations and maintenance, and if our products are questioned, all our employees will feel bad about it!
Also if you encounter security related information during use, you can email our team directly to anyone! My email address is: power@aapanel.com

klaus

deewinc And you think that audit make it more secure?
GoDaddy's cPanel was hacked even if it is one of the oldest panel and with hundreds of hours of research, when someone want to hack you will not fail just because your panel have a security audit lol.

Anything can be hacked once it has access to the internet.

aaP-aris

I personally am sorry for speaking harshly, but I do that (I mean to say sorry) because I am human and also a developer and I know how hard it is to maintain something, especially opensource, but I am a perfectionist, and you should do to, because your software is serving a big share of people. Also, you have to understand that your words should follow your actions if you want them to have actual meaning. After a year of comments in this thread I did not see any actions in terms of this matter. There is a vulnerability here. Once your users install the panel using the bt.cn node, instantly their cover is blown and they are suddenly exposed to the world and easy exploitable with automated payloads, this is serious stuff. Thank you!

deewinc

aaP-aris Once your users install the panel using the bt.cn node, instantly their cover is blown and they are suddenly exposed to the world and easy exploitable with automated payloads, this is serious stuff. Thank you!

Unfortunately, aaPanel is rebrand of BT Panel and I think aaPanel developers have to wait for BT Panel developers to do stuff. So in this case, they have to request BT Panel developers to work on it.

« Previous Page Next Page »