Hello Jose We have been using and testing aaPanel for a few months now, so far there have been no complaints, but now there is a serious problem that is caused by an extremely large number of attacks from the network and IP inventory baidu.com and so on is in turn connected to BaoTa which is a fork of BaoTa. This post is about tracking aaPanel https://www.aapanel.com/forum/d/1504-about-the-tracking-code-of-the-aapanel-installation-script/6 So please openly and transparently these tracking codes are used to attack web servers. There is no other way to explain it, 90% of the IPs that attack our systems are from this network and all of our customers are currently experiencing the same problems! So please comment on this

This news is very dangerous for us

[unknown] baidu and bt.cn both are chinese!!!

lol... share more details about the attack (port, dest, layer, examples?). how are you relating these ip's with baota/aapanel? where are the proofs of what you're saying?

We use various tools and we have a firewall from its log, we can see where the attacks come from, plus some other network monitoring tools and you can use this to determine where and from which network the IPs come. https://www.ultratools.com/tools/ipWhoisLookup but we still have many far-reaching options that I do not want to explain further here (company secrets). Source: whois.apnic.netIP Address: 106.12.215.244 % [whois.apnic.net] % Whois data copyright terms http://www.apnic.net/db/dbcopyright.html % Information related to '106.12.0.0 - 106.13.255.255' % Abuse contact for '106.12.0.0 - 106.13.255.255' is ' ipas@cnnic.cn ' inetnum: 106.12.0.0 - 106.13.255.255 netname: Baidu descr: Beijing Baidu Netcom Science and Technology Co., Ltd. descr: Baidu Plaza, No.10, Shangdi 10th street, descr: Haidian District Beijing, 100080 admin-c: SD753-AP tech-c: SD753-AP country: CN mnt-by: MAINT-CNNIC-AP mnt-lower: MAINT-CNNIC-AP mnt-irt: IRT-CNNIC-CN mnt-routes: MAINT-CNNIC-AP status: ALLOCATED PORTABLE last-modified: 2015-01-28T09: 58: 01Z source: APNIC irt: IRT-CNNIC-CN address: Beijing, China e-mail: ipas@cnnic.cn abuse-mailbox: ipas@cnnic.cn admin-c: IP50-AP tech-c: IP50-AP auth: # Filtered remarks: Please note that CNNIC is not an ISP and is not remarks: empowered to investigate complaints of network abuse. remarks: Please contact the tech-c or admin-c of the network. mnt-by: MAINT-CNNIC-AP last-modified: 2017-11-01T08: 57: 39Z source: APNIC person: Supeng Deng nic-hdl: SD753-AP address: No.6 2nd North Street Haidian District Beijing country: CN phone: + 86-10-58003402 fax-no: + 86-10-58003402 e-mail: zhangyukun@baidu.com mnt-by: MAINT-CNNIC-AP last-modified: 2016-11-01T08: 04: 01Z source: APNIC % Information related to '106.12.192.0/18AS38365' route: 106.12.192.0/18 descr: Baidu country: CN origin: AS38365 notify: zhangyukun@baidu.com mnt-by: MAINT-CNNIC-AP last-modified: 2017-12-21T08: 06: 02Z source: APNIC % Information related to '106.12.192.0/18AS55967' route: 106.12.192.0/18 descr: Baidu country: CN origin: AS55967 notify: zhangyukun@baidu.com mnt-by: MAINT-CNNIC-AP last-modified: 2017-12-21T08: 06: 02Z source: APNIC % This query was served by the APNIC Whois Service version 1.88.15-SNAPSHOT (WHOIS-US4) almost all attacks come from the network from 106.12.0.0 - 106.13.255.255 and a few more of which we trace up to netname: Baidu descr: Beijing Baidu Netcom Science and Technology Co., Ltd. descr: Baidu Plaza, No.10, Shangdi 10th street, descr: Haidian District Beijing, 100080 could trace back, using vpn / proxyserver.

this is just a small excerpt, we can count thousands of attacks from this and last month. almost all of them went from the IP range 106.12.0.0 to 106.12.255.255 from the area of Haidian District Beijing, 100080 2020-06-14 23:48:02 94.102.56.151 Received / blocked user_agent 2020-06-14 23:47:58 94.102.56.151 Received / blocked user_agent 2020-06-14 20:44:14 174.86.121.243 Get /configuration.php.swp Blocked 2020-06-14 20:44:07 84.138.42.168 received /configuration.php blocked url 2020-06-14 20:43:57 19.153.97.227 Obtained /configuration.php.bak Blocked 2020-06-14 20:43:54 108.208.61.1 Get /configuration.php.old Blocked

block this IP class + use Fail2Ban for all services + use CloudFlare to proxy all websites on server

KrzysztofMaciejewski it's about aaPanel being used to hack servers, I can't tell my customers what and who to block, I recommend it to everyone. Do you have any other questions from Germany? Hesse?

i dont see any proof - its normal attack from "friendly" country could happen to anyone

Hello CQT We have no collecting other information other than collecting the installation information stated in the above post. Do you see any attacks against the panel? If it is, I think it is just a normal scanner scan

so because is a chinese ip you think is aapanel the source? .... ok XD anyway i still don't see any proof

Hacking attacks with and through aaPanel

klaus

Jimmy That is mostly because IPv4 is reused big times, on OVH i had 600 ssh requests because the ip was reused so don't blame the tool, i'm not sure if this panel is safe but for sure on a production server i won't use any panel not even the paid one's, this one is good for fast dev deployment so is a usefull tool. Who use a panel for production and talk about security and employers that do that and that and they can't make a proper log common sense lol. Look at GoDaddy's cPanel hacking to understand how secure it was.

With this one you have the source code atleast but i still not recommend to use any panel in a production server.

aaP_hareeshnarayan1982

Port scanning and brute force is also common, This is nothing related to panel. As this panel is having more than a million installation, definitely it will be a target for bad boys.
Some prevention for production servers

Go with SSH login and disable root once everything is done.
Secure shared memory by adding tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0 in /etc/fstab
Install fail2ban and activate server protection for sshd, ftp, mysql etc
NGINX WAF for website.
Add cloudflare if possible and block ip having threatscore above 14.
Add captcha challenge for countries like china, and other if needed.
Change ssh port to anything between 100 and 1024.
Make Sure No Non-Root Accounts Have UID Set To 0
Enable SSH Login for Specific Users Onl

Anyone can add points to this as its good for everyone.

klaus

deewinc And you think that audit make it more secure?
GoDaddy's cPanel was hacked even if it is one of the oldest panel and with hundreds of hours of research, when someone want to hack you will not fail just because your panel have a security audit lol.

Anything can be hacked once it has access to the internet.

deewinc

klaus Anything can be hacked once it has access to the internet.

You've missed the point.

Verified audits by independent parties help to build trust in a product.

GoDaddy was hacked because of a vulnerability on cPanel. And people won't stop using cPanel because it undergoes various security audits, and users know the zero-day issues will be fixed.

The lack of an independent audit means there are many vulnerabilities present that are unknown to the end-user.

« Previous Page