Live Blog

Cyberpanel Security Issue – Default Password During Setup

Content Error or Suggest an Edit

Notice a grammatical error or technical inaccuracy? Let us know; we will give you credit!

Introduction

There was a post on Facebook that was brought to my attention. The user was seeing a high cpu load on his server from a process that wasn’t a normal process name, it was concluded that their server had been hacked and was now either attack other websites or mining crypto.

The user had installed Cyberpanel and choose the default password method during the setup, and most likely an automated scan found their Cyberpanel instance on port 7080 and was able to login using the default login.

Why are default passwords a problem?

Well, CISA says that hardware and software vendors should not be using default passwords for their products. Here’s a direct link to the post by CISA

https://www.cisa.gov/news-events/alerts/2013/06/24/risks-default-passwords-internet

Here’s a better breakdown from Bleeping Computer.

CISA urges tech manufacturers to stop using default passwords
Today, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged technology manufacturers to stop providing software and devices with default passwords.
www.bleepingcomputer.com

Now, some might blame the person who installed Cyberpanel, which is valid. You should be changing default passwords as a security standard. But as CISA notes.

Years of evidence have demonstrated that relying upon thousands of customers to change their passwords is insufficient, and only concerted action by technology manufacturers will appropriately address severe risks facing critical infrastructure organizations

Why hasn’t the default password in CyberPanel been addressed?

There was a PR submitted to fix this by Nick Chomey, but was ignored by the maintainer of Cyberpanel.

Change default password to random by nickchomey · Pull Request #877 · usmannasir/cyberpanel · GitHub
There is no reason at all that the default should be 1234567. In fact, that shouldn’t even be an option. This sets the default to a random 16 character pw, or you can manually set one that is 8 characters or more.
github.com

So I opened an issue on the Github repository for Cyberpanel to see if it would get some traction.

[SECURITY] Default Password During Installation · Issue #1175 · usmannasir/cyberpanel · GitHub
Describe the bug During the installation of Cyberpanel, if you choose the default login details and they’re not changed attackers who locate your server can utilize this login to gain root access and take over the server. This is a huge …
github.com

There is also a post on their forum talking about this same situation.

Infected with xmRIG virus – General Discussion – CyberPanel Community
The free version of OPenLiteSpeed was selected for installation I had a server with only CyberPanel installed and somehow got xmRig Trojan two days later Are there any friends who have similar experiences with me, I…
community.cyberpanel.net

I took a screenshot incase they delete the issue and PR.

Screenshots

PR #877

Github Issue

0 Shares: