Hello Jose

We have been using and testing aaPanel for a few months now and so far there have been no complaints, but now there is a serious problem caused by an extremely large number of attacks from the network and IP inventory of baidu.com and so on, which is in turn connected to BaoTa, which is a fork of BaoTa.

This post is about the aaPanel tracking code: https://www.aapanel.com/forum/d/1504-about-the-tracking-code-of-the-aapanel-installation-script/6

So please, openly and transparently: these tracking codes are used to attack web servers.

There is no other way to explain it: 90% of the IPs that attack our systems are from this network, and all of our customers are currently experiencing the same problems!

So please comment on this.

lol...
Share more details about the attack (port, destination, layer, examples?).
How are you relating these IPs to BaoTa/aaPanel?
Where is the proof of what you're saying?

We use various tools, and we have a firewall; from its log we can see where the attacks come from, plus some other network monitoring tools, and you can use these to determine where and from which network the IPs come, e.g.
https://www.ultratools.com/tools/ipWhoisLookup, but we still have many far-reaching options that I do not want to explain further here (company secrets).

Source: whois.apnic.net
IP Address: 106.12.215.244
% [whois.apnic.net]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

% Information related to '106.12.0.0 - 106.13.255.255'

% Abuse contact for '106.12.0.0 - 106.13.255.255' is 'ipas@cnnic.cn'

inetnum: 106.12.0.0 - 106.13.255.255
netname: Baidu
descr: Beijing Baidu Netcom Science and Technology Co., Ltd.
descr: Baidu Plaza, No.10, Shangdi 10th street,
descr: Haidian District Beijing, 100080
admin-c: SD753-AP
tech-c: SD753-AP
country: CN
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-irt: IRT-CNNIC-CN
mnt-routes: MAINT-CNNIC-AP
status: ALLOCATED PORTABLE
last-modified: 2015-01-28T09:58:01Z
source: APNIC

irt: IRT-CNNIC-CN
address: Beijing, China
e-mail: ipas@cnnic.cn
abuse-mailbox: ipas@cnnic.cn
admin-c: IP50-AP
tech-c: IP50-AP
auth: # Filtered
remarks: Please note that CNNIC is not an ISP and is not
remarks: empowered to investigate complaints of network abuse.
remarks: Please contact the tech-c or admin-c of the network.
mnt-by: MAINT-CNNIC-AP
last-modified: 2017-11-01T08:57:39Z
source: APNIC

person: Supeng Deng
nic-hdl: SD753-AP
address: No.6 2nd North Street Haidian District Beijing
country: CN
phone: +86-10-58003402
fax-no: +86-10-58003402
e-mail: zhangyukun@baidu.com
mnt-by: MAINT-CNNIC-AP
last-modified: 2016-11-01T08:04:01Z
source: APNIC

% Information related to '106.12.192.0/18AS38365'

route: 106.12.192.0/18
descr: Baidu
country: CN
origin: AS38365
notify: zhangyukun@baidu.com
mnt-by: MAINT-CNNIC-AP
last-modified: 2017-12-21T08:06:02Z
source: APNIC

% Information related to '106.12.192.0/18AS55967'

route: 106.12.192.0/18
descr: Baidu
country: CN
origin: AS55967
notify: zhangyukun@baidu.com
mnt-by: MAINT-CNNIC-AP
last-modified: 2017-12-21T08:06:02Z
source: APNIC

% This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-US4)

Almost all attacks come from the network 106.12.0.0 - 106.13.255.255,

and a few more which we could trace back to

netname: Baidu
descr: Beijing Baidu Netcom Science and Technology Co., Ltd.
descr: Baidu Plaza, No.10, Shangdi 10th street,
descr: Haidian District Beijing, 100080

through VPN / proxy servers.

This is just a small excerpt; we can count thousands of attacks from this and last month. Almost all of them came from the IP range 106.12.0.0 to 106.12.255.255, from the area of Haidian District, Beijing, 100080.

2020-06-14 23:48:02 94.102.56.151 Received / blocked user_agent
2020-06-14 23:47:58 94.102.56.151 Received / blocked user_agent
2020-06-14 20:44:14 174.86.121.243 Get /configuration.php.swp Blocked
2020-06-14 20:44:07 84.138.42.168 received /configuration.php blocked url
2020-06-14 20:43:57 19.153.97.227 Obtained /configuration.php.bak Blocked
2020-06-14 20:43:54 108.208.61.1 Get /configuration.php.old Blocked
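A check a defender could run over such a firewall log before attributing traffic to a netblock, added here as an example (not code from the thread or from aaPanel): it parses lines of the shape shown in the excerpt (the exact field layout and the sample lines are assumed/constructed), reports what share of parsed requests fall inside the quoted APNIC inetnum 106.12.0.0 - 106.13.255.255 (i.e. 106.12.0.0/15), and flags probes for backup/config artefacts like /configuration.php.bak so that the two questions ("who?" and "what are they looking for?") are answered from data rather than asserted.

```python
import ipaddress
import re
from collections import Counter

# The inetnum quoted from whois, as a CIDR block (106.12.0.0 - 106.13.255.255).
SUSPECT_RANGES = [ipaddress.ip_network("106.12.0.0/15")]

# Paths that look like leaked editor/backup artefacts, as named in the thread.
BACKUP_PROBE = re.compile(r"(\.(swp|bak|old|zip)$|~$)", re.IGNORECASE)

# Assumed line shape, modelled on the excerpt: "<date> <time> <ip> <method> <path> <action...>"
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<action>.*)$")


def in_suspect_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SUSPECT_RANGES)


def analyse(lines):
    """Return (hits per /24, share of hits inside SUSPECT_RANGES, backup-file probes)."""
    per_block = Counter()
    probes = []
    total = suspect = 0
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than guess fields
        total += 1
        ip, path = m["ip"], m["path"]
        per_block[str(ipaddress.ip_network(f"{ip}/24", strict=False))] += 1
        if in_suspect_range(ip):
            suspect += 1
        if BACKUP_PROBE.search(path):
            probes.append((ip, path))
    share = suspect / total if total else 0.0
    return per_block, share, probes


# Constructed sample in the excerpt's shape; NOT the poster's real logs.
SAMPLE = """\
2020-06-14 20:44:14 174.86.121.243 GET /configuration.php.swp blocked
2020-06-14 20:44:07 84.138.42.168 GET /configuration.php blocked
2020-06-14 20:43:57 106.12.215.244 GET /configuration.php.bak blocked
2020-06-14 20:43:54 106.13.7.9 GET /backup.zip blocked
2020-06-14 20:43:50 106.12.215.244 GET /index.php allowed
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    blocks, share, probes = analyse(SAMPLE)
    print(f"{share:.0%} of parsed hits inside {SUSPECT_RANGES[0]}; probes: {probes}")
```

On the constructed sample, 60% of parsed hits fall inside 106.12.0.0/15 and three requests are backup-file probes; run the same function over a real export to see whether the "almost all" claim holds for your own logs.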

KrzysztofMaciejewski
It's about aaPanel being used to hack servers. I can't tell my customers what and who to block; I recommend it to everyone.

Do you have any other questions from Germany? Hesse?

    Hello CQT

    We do not collect any other information apart from the installation information stated in the above post.

    Do you see any attacks against the panel? If so, I think it is just a normal scanner scan.

    aaPanel_Jose

    Give me your email and I will send you the link for the anonymized logs; then you will see it yourself!!!

    I would advise you to read the article carefully and consider it. All attacks come from the inetnum: 106.12.0.0 - 106.13.255.255
    netname: Baidu
    descr: Beijing Baidu Netcom Science and Technology Co., Ltd.
    descr: Baidu Plaza, No.10, Shangdi 10th street,

    It could be traced back that far. On one web server alone, almost 1800 supposed scanner scans were carried out in one day, including requests for alleged data such as /backup.zip and /web.zip, /configuration.php.swp, /configuration.php~, /configuration.php.bak, especially since these files never existed! Furthermore, the logs grew from approx. 10 MB per month to 625 MB in just 20 days.

    All log files

    I will not publish any logs here, especially not live, because this is customer data. I recommend looking at your logs, especially for the IPs 106.12.0.0 to
    106.13.255.255, and also other networks from Baidu Plaza and the surrounding area, and then everyone can decide for themselves. We will first remove aaPanel from our servers and revise it ourselves.

      I am SUPER confused why everybody here is so fast to say "Lies. all lies" instead of saying "hmnn, this is troubling, we should all, as a community look into this more, find out what's going on one way or another because this would help all of us".

      I am SUPER confused why everybody here is so fast to say "china want to kill us" ......

      chill bro

        CQT
        They are trying to hack by checking for bad configuration; as it is open source, they can read all files related to the panel and try to scan files related to aaPanel to find loopholes to get into the server.
        Hope aaPanel is a more secure system to block these spammers and attackers.
        @aaPanel_Jose
        If possible, add an alert system via email for any file changes, and an option to lock files against any changes with a button on the panel under domains (enable and disable).

        KrzysztofMaciejewski Well, I for one am not saying that at all, but to me security is pretty serious, and any time there is a question it should be taken seriously and looked into. For you, maybe you don't care too much, I guess.