I seriously suspect that this version 7.0.7 has a virus.

I have two VPSs with aaPanel installed on them. I seriously suspect that this version has a virus.

the 1st VPS
Ubuntu 22 upgraded to aaPanel 7.0.7, suddenly a large number of illegal requests appeared, and then ufw blocked.

I have tried many times to install the same IP from scratch on this one. As long as aapanel is not installed, there will be no ufw attacks.

I reverted it to the previous version. The attack stops.

the 2nd VPS
Debian11 newly installed aaPanel 7.0.7, and ufw blocked it immediately.

The scary thing is: it can also attack on the local area network.

[ 192.304445] [UFW BLOCK] IN=eth1 OUT= MAC=bc:24:11:9a:2b:ad:bc:24:11:42:75:56:08:00 SRC=163.181.199.244 DST=10.0.11.151 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=2270 DF PROTO=TCP SPT=443 DPT=59294 WINDOW=83 RES=0x00 ACK URGP=0
[ 198.960379] [UFW BLOCK] IN=eth1 OUT= MAC=bc:24:11:9a:2b:ad:bc:24:11:42:75:56:08:00 SRC=163.181.199.244 DST=10.0.11.151 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=2272 DF PROTO=TCP SPT=443 DPT=59294 WINDOW=83 RES=0x00 ACK URGP=0

After I uninstalled it, the attack disappeared immediately.

OH MY GOD!!!!!!!!!!!!!!!!!!

    Hello, this is normal; this was intercepted by ufw.
    You can see from the log that the source IP is 163.181.199.244 and the source port is 443, and the target IP is 10.0.11.151 and the target port is 59294.
    The target IP is the LAN IP, which depends on the network environment of your server: you can use ip a to see what the IP of your network card is. Is it 10.0.11.151?
    If it is, it means that the network device forwards the traffic to your server.
    When installing aaPanel, only ports 80, 443, the panel port, 21 and 39000-40000 are opened by default.
    You can use nmap to test: nmap -g 443 -p 59294 (replace with the IP of your server)

    aaP_leztimmie

    NO NO NO

    My first VPS did not receive any UFW notifications on 7.0.6 before the upgrade. Since upgrading to the latest 7.0.7, I have received massive UFW intrusion attack notifications.

    They come from all different countries.

    Finally, luckily I had a backup of the old version 7.0.6 and restored it. There is no such attack notification. Moreover, it disappeared after restoring and restarting. I expressed my disbelief and upgraded to the latest version 7.0.7 again. UFW blocking notifications were again a massive amount of notifications.

      aaP_leztimmie
      Hello, it is recommended that you stop aapanel and enable UFW for observation.
      Where did you check the massive notifications you mentioned? Are there any relevant screenshots or information?

      [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:45:aa:8c:04:bd:97:6f:c3:a7:08:00 SRC=87.246.7.94 DST=my publice ip LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=14603 PROTO=TCP SPT=41393 DPT=22305 WINDOW=1024 RES=0x00 SYN URGP=0
      [ 607.037326] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:45:aa:8c:48:2e:72:c7:0e:f7:08:00 SRC=87.246.7.66 DST=my publice ip LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=20581 PROTO=TCP SPT=41285 DPT=6577 WINDOW=1024 RES=0x00 SYN URGP=0

      show in PVE VM noVNC

      It is recommended that you do a test and reinstall the system on server and only install and start UFW and open the same port. You will also see the intercepted log information.

      This is normal. ufw intercepted it. If you have any questions about the intranet address, please consult the server provider.
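
To compare the two kinds of blocked packet posted in this thread, the following added example (not part of the original posts and not aaPanel or UFW code) parses UFW log lines and labels each by TCP flags and ports. The labels, the 32768 client-port threshold and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Two of the log lines posted in the thread above, copied as-is
# (the second keeps the poster's redacted DST value).
SAMPLE = [
    "[ 192.304445] [UFW BLOCK] IN=eth1 OUT= MAC=bc:24:11:9a:2b:ad:bc:24:11:42:75:56:08:00 SRC=163.181.199.244 DST=10.0.11.151 LEN=52 TOS=0x00 PREC=0x00 TTL=52 ID=2270 DF PROTO=TCP SPT=443 DPT=59294 WINDOW=83 RES=0x00 ACK URGP=0",
    "[ 607.037326] [UFW BLOCK] IN=eth0 OUT= MAC=02:00:00:45:aa:8c:48:2e:72:c7:0e:f7:08:00 SRC=87.246.7.66 DST=my publice ip LEN=40 TOS=0x00 PREC=0x00 TTL=239 ID=20581 PROTO=TCP SPT=41285 DPT=6577 WINDOW=1024 RES=0x00 SYN URGP=0",
]
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
EPHEMERAL_MIN = 32768  # assumption: Linux default lower bound for client ports

def parse(line):
    """Split a UFW/netfilter log line into KEY=value fields plus its TCP flags."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    fields["FLAGS"] = set(line.split()) & TCP_FLAGS
    return fields

def dst_is_private(line):
    """True/False for a parsable DST address, None when it is redacted or malformed."""
    try:
        return ipaddress.ip_address(parse(line).get("DST", "")).is_private
    except ValueError:
        return None

def classify(line):
    """Heuristic label for one blocked packet (an interpretation, not proof)."""
    f = parse(line)
    if "[UFW BLOCK]" not in line or f.get("PROTO") != "TCP":
        return "other"
    flags, spt, dpt = f["FLAGS"], int(f["SPT"]), int(f["DPT"])
    if "SYN" in flags and "ACK" not in flags:
        # Someone outside is trying to open a new connection to a closed port.
        return "inbound-connection-attempt"
    if "ACK" in flags and "SYN" not in flags and spt < 1024 and dpt >= EPHEMERAL_MIN:
        # No SYN: not a new connection. A server port talking to a client port
        # looks like a late reply to a connection this host opened itself.
        return "reply-to-outbound-connection"
    return "other"

def summarize(lines):
    """Count labels so a large block log can be read at a glance."""
    return Counter(classify(l) for l in lines)

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line), dst_is_private(line))
```

Feeding it the output of a kernel log filtered on "UFW BLOCK" gives a per-label count, which makes it easier to compare a host before and after a change.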