CyberPanel Servers Hacked via pre-auth RCE October 28th 2024

Content Error or Suggest an Edit

Notice a grammatical error or technical inaccuracy? Let us know; we will give you credit!

Introduction

On October 28th 2024 Cyberpanel posted the following on their Facebook page.

Hello everyone!

We’ve recently made some important security updates which you can read in our blog.

It is highly recommended to upgrade CyberPanel as soon as possible ->

Unfortunately there was no blog post. Until today (October 30th 2024) which goes on to explain the issue, it’s light and discusses how to resolve it the issue.

Detials and fix of recent security issue and patch of CyberPanel
Hope everyone is doing well. We understand that many users are concerned and reaching out to us. We’re working hard to resolve all issues, and it’s important
cyberpanel.net

What happened?

There is currently a root RCE (Remote Code Execution) bug within CyberPanel. It was discovered and disclosed to CyberPanel by DreyAnd or @dreyand_ (Twitter).

https://twitter.com/dreyand_/status/1850349186056691835

You can read the full disclosure on their blog.

Few months ago I was assigned to do a pentest on a target running CyberPanel. It seemed to be installed by default by some VPS providers & it was also sponsored by Freshworks.

I was clueless on how to pwn the target as the functionalities were very limited, so I thought about it differently, let’s just find a 0day ¯_(ツ)_/¯ .

This lead to a 0-click pre-auth root RCE on the latest version (2.3.6 as of now). It’s currently still “unpatched”, as in, the maintainers have been notified, a patch has been done but still waiting for the CVE & for the fix to make the make it to he main release. You can find the patch commit at https://github.com/usmannasir/cyberpanel/commit/5b08cd6d53f4dbc2107ad9f555122ce8b0996515 .

What Are My OPTIONS? CyberPanel v2.3.6 pre-auth RCE
Few months ago I was assigned to do a pentest on a target running CyberPanel. It seemed to be installed by default by some VPS providers & it was also sponsored by Freshworks.
dreyand.rs

Why was my server hacked? Why didn’t CyberPanel announce anything?

CyberPanel was informed of the vulnerability and the PoC (proof of concept) which was released by the researcher on October 27th 2024 after confirmation from the CyberPanel team.

They even made a commit to patch the RCE on October 23rd 2024, but unfortunately never created a release.

bug fix: pre-auth · usmannasir/cyberpanel@5b08cd6 · GitHub
Cyber Panel – The hosting control panel for OpenLiteSpeed – bug fix: pre-auth · usmannasir/cyberpanel@5b08cd6
github.com

Confirmation on CyberPanel Updates and Releases

As mentioned above, CyberPanel has yet to make an official release for this security issue. Usman Nasir has posted the following on the Facebook CyberPanel group.

I also want to address some misinformation circulating. A recent blog post claimed that we committed and released a patch but did not make it an official release. This is incorrect. CyberPanel is installed directly from GitHub, so every commit to the branch is automatically included in the latest upgrades and installs, which has been in effect for over a week now.

CyberPanel Website Changelog is from September 2023

If you visit the cyberpanel.net site and view the changelog posted, the last update was September 19th 2024.

Change Logs – Knowledge Base
Dated: 19th September 2024
cyberpanel.net

CyberPanel Update Method

Unfortunately, CyberPanel doesn’t follow the typical development cycle that you might find with other open-source projects. As you can see from the screenshot below, the last release of CyberPanel was v1.9.1 on October 15th 2019.

However, this is misleading because CyberPanel updates based on branches. So to see the latest version of CyberPanel, you must view all branches. This is where you can see that v2.3.8 seems to be the latest. However, there is no changelog, unfortunately, for this release.

Searching for Vulnerable CyberPanel Instances

How did the attack happen so quickly? Well, it’s pretty easy to figure out CyberPanel instances exposed to the internet via TCP port 8090 using fofa.info

Awesome-FOFA/Get Started with FOFA/A Beginner‘s Guide.md at main · FofaInfo/Awesome-FOFA · GitHub
The FOFA Library collects usage tips, common scenarios, F&Q, and more for FOFA. – Awesome-FOFA/Get Started with FOFA/A Beginner‘s Guide.md at main · FofaInfo/Awesome-FOFA
github.com

What is FOFA?

FOFA is a search engine for mapping the cyberspace, aimed at helping users search for internet assets on the public network. Simply put, FOFA operates like Google or Baidu, where users can input keywords to match data containing those keywords. However, unlike Google or Baidu, the data searched by FOFA includes assets such as cameras, printers, databases, and operating systems.

Cyberspace mapping can be considered a “map” of the cyberspace. Similar to how Google Maps map out terrains through satellite images, cyberspace mapping also detects global network assets through technological probes.

However, the cyberspace is divided into public and private networks. FOFA mainly detects assets on the public network, similar to the buildings (IP addresses) on Google Maps. Although the exterior structure and scale of the building can be seen, the interior cannot be understood. This is because violating the privacy of the private network is illegal.

Here is the direct link to the search

https://en.fofa.info/result?qbase64=YXBwPSJDeWJlclBhbmVsIg%3D%3D

Here’s the search query

app="CyberPanel"

Number of Vulnerable Servers going down

From this Twitter post, the number of vulnerable servers has gone down. It would seem someone is using the RCE to patch affected hosts.

https://twitter.com/leak_ix/status/1851275663337984399

Ransomware Malware Utilized During Attack

Some CyberPanel servers have been hit with ransomware malware, there’s actually multiple different types. And depending you could have been infected by the first, second and third and sometimes there is no key around to decrypt.

Here are the twitter posts.

It’s so bad, files were encrypted 2 times, 1 time for each group.
TLDR:
R1 encrypted files to .locked
R2 encrypted files to .encryp ( even the .encryp ones done by R1)
R3 (PSAUX) encrypted files (badly) and crashed everything

https://twitter.com/leak_ix/status/1851609898129260562

Blog Posts and News Articles

Don’t Clean up your Infected CyberPanel Server, Restore from Backups

It’s not advised to clean up your server. Instead you should restore from backups and utilize a different control panel at this time. If you have have sites with Stripe keys etc, you should re-generate those keys.

Blocking CyberPanel RCE Attack

Upgrade CyberPanel to the Latest Version, you can do so by visiting CyberPanel’s Upgrade guide.

02 – Upgrading CyberPanel – 01 – Install/Upgrade – CyberPanel Community
Upgrading CyberPanel The following command can be used to upgrade to the latest version. sh <(curl https://raw.githubusercontent.com/usmannasir/cyberpanel/stable/preUpgrade.sh || wget -O – https://raw.githubusercont…
community.cyberpanel.net

Here is the one-liner from the above doc.

sh <(curl https://raw.githubusercontent.com/usmannasir/cyberpanel/stable/preUpgrade.sh || wget -O - https://raw.githubusercontent.com/usmannasir/cyberpanel/stable/preUpgrade.sh)

Upgrade CyberPanel code database/views.py One Liner

You can run the following script and it will update the affected file database/views.py with the latest Github version. Use this if you’re unable to upgrade CyberPanel

if ! grep -B5 'currentACL = ACLManager.loadedACL(userID)' /usr/local/CyberCP/databases/views.py | grep -q upgrademysqlstatus; then
  echo "Downloading and replacing views.py..."
  wget -q https://raw.githubusercontent.com/usmannasir/cyberpanel/refs/heads/stable/databases/views.py -O /usr/local/CyberCP/databases/views.py
else
  echo "views.py is already up-to-date."
fi

Cleaning up Infected CyberPanel Servers

If you’re still looking to clean-up your server. Then I’ll provide some details below.

Kinsing Malware

It looks as though some of the infections are automated, and uses the kinsing Malware.

Kinsing Malware Hides Itself as a Manual Page and Targets Cloud Servers
Tenable Cloud Security Research Team discovered that Kinsing malware, known for targeting Linux-based cloud infrastructures, exploits Apache Tomcat servers.
www.tenable.com

CyberPanel Community Forum Infection Clean-up Post

The following CyberPanel Community Forum Post goes into details about cleaning up your system.

Critical Security Alert: Vulnerable CyberPanel Instance Detected on Your Network – #14 by sajetek_developer – Support and Discussion – CyberPanel Community
Hello, You are receiving this message because LeakIX’s NetworkGuardian has identified a critical security vulnerability on your network. If you are a hosting provider, we would appreciate your cooperation in notifying t…
community.cyberpanel.net

Restoring SSH Access

Proxmox Guest

If you’re using cloud-init, you can enable the option to set a password. On Ubuntu systems this will set the ubuntu user password and then you can run sudo su -

Malware Clean-up

There seems to be a couple of variants of malware that you could be potentially be infected with.

  • kinsing

Ransomware

Another piece of malware actually seems to be ransomware looks to encrypt all files and databases and provides a README on how to send money to decrypt the database.

Help with Malware Clean-up

If you’re looking to have your server cleaned-up, I do need some infected servers to test this script on. Visit our contact page to get in touch. Best method is through Discord.

Kinsing Malware Clean-up

The following section will go through the Kinsing Malware Clean-up

Kinsing Malware Clean-up Shell Script

The following is a shell script that can help to automate the clean-up. It’s a work in progress, so make sure to create an issue on the Github.

GitHub – managingwp/kinsing-cleanup
Contribute to managingwp/kinsing-cleanup development by creating an account on GitHub.
github.com

Kinsing Malware Manual Clean-up Steps

I’ve created the following guide to help clean-up your CyberPanel server after it’s been infected with the Kinsing malware. I’ve take the information from the CyberPanel Community Forum post and add more details.

Critical Security Alert: Vulnerable CyberPanel Instance Detected on Your Network – #19 by abdo94 – Support and Discussion – CyberPanel Community
Hello, You are receiving this message because LeakIX’s NetworkGuardian has identified a critical security vulnerability on your network. If you are a hosting provider, we would appreciate your cooperation in notifying t…
community.cyberpanel.net

Step 1: Disable Cron

The malware will re-infect the server using the system cron, so for now we will stop cron.

systemctl stop cron

Step 2: Delete Malware Files

Remove the following files to handicap the malware.

rm -f /etc/data/kinsing
rm -f /etc/kinsing
rm -f /tmp/kdevtmpfsi
rm -rf /usr/lib/secure
rm -f /usr/lib/secure/udiskssd
rm -f /usr/bin/network-setup.sh
rm -f /usr/.sshd-network-service.sh
rm -rf /usr/.network-setup
rm -f /usr/.network-setup/config.json
rm -f /usr/.network-setup/xmrig-*tar.gz
rm -f /usr/.network-watchdog.sh'
rm -f /tmp/kdevtmpfsi
rm -f /etc/data/libsystem.so
rm -f /etc/data/kinsing
rm -f /dev/shm/kdevtmpfsi

If any of the files fail to delete, you may want to remove immutable flag from the file and directory.

chattr -i secure/udiskssd
chattr -i secure

Step 3: Remove Suspicious Service

systemctl stop bot.service
systemctl disable bot.service
rm /lib/systemd/system/bot.service
systemctl daemon-reload

systemctl stop systemd_s.service
systemctl disable systemd_s.service
rm /etc/systemd/system/systemd_s.service

systemctl stop sshd-network-service.service
systemctl disable sshd-network-service.service
rm /etc/systemd/system/sshd-network-service.service

systemctl stop network-monitor.service
systemctl disable network-monitor.service
rm /etc/systemd/system/network-monitor.service

Step 4: Kill Suspicious Processes

ps -aux | grep -E 'kinsing|udiskssd|kdevtmpfsi|bash2|.network-setup|syshd|atdb' | awk {' print $2 '} | xargs kill -9

Step 5: Unload pre-loaded libraries (Delete /etc/ld.so.preload)

  1. You might file the file /etc/ld.so.preload exists with the following:
      /etc/data/libsystem.so
      1. Delete this file
        rm /etc/ld.so.preload
        1. Locate all processes that loaded libsystem.so and kill them.
        lsof | grep libsystem.so | awk {' print $2 '} | xargs kill -9

        Step 6: Delete Suspicious Cron Jobs

        Malware often adds tasks to crontab to automatically restart itself. To remove suspicious crontab entries:

        1. Open the root crontab:
        sudo crontab -e
        
        1. Delete any unknown or suspicious lines.
        image
        * Crons for user root: in /var/spool/cron/crontabs/root:
        */3 * * * * /usr/lib/secure/atdb

        If you get an error deleting the crontab, then run the following

        chattr -ia /var/spool/cron/crontabs/root
        chattr -ia /var/spool/cron/root

        Additional Steps to Clean up Infection

        You should also consider completing the following steps to ensure that you’ve cleared out the infection entirely.

        1 – Install chkrootkit and rkhunter

        You can do this after you’ve stop the infection from spawning over and over and to furter cleanup the system.

        apt-get install chkrootkit rkhunter

        Then do a scan

        rkhunter --check

        Then review the log for “Warn”.

        2 – Using find -mtime

        You can use find to locate files that have been modified within the last 2 days.

        find . -mtime 2

        You can change the 2 to 1 for files modified in the last day before or 0 for last 24 hours.

        Change Log

        • 10-30-2024 – Added Ransomware Malware section
        • 10-30-2024 – Added section on number of vulnerable servers decrease.
        • 10-29-2024 – Added section for Kinsing shell script.
        • 10-29-2024 – Add Proxmox section for Restoring SSH Access via cloud-init
        0 Shares:

        You May Also Like