2014年1月29日Kloxo漏洞：Default目录上传并对外进行DDOS攻击

这是一份紧急状况，KLOXO爆重要的安全问题，恶意访客通过在KLOXO面板Default目录传入恶意PHP代码(部分如default.php)，实际控制机器进行DDoS攻击(称为发包)，导致VPS或者服务器网络拥塞，机房可能因此null ip。请所有安装使用KLOXO面板的读者朋友密切留意和尽快处理。

VPS用户可使用临时的处理方法，root账户SSH登陆到VPS，执行如下指令：

chmod 000 /home/kloxo/httpd/default
rm -r /home/kloxo/httpd/default/*.php
find /home/admin -type d -name cgi-bin -exec rm -r {} \;

上面的方法解释：
设置/home/kloxo/httpd/default 目录权限为000
删除/home/kloxo/httpd/default/ 目录下的所有php文件
查找/home/admin目录下 类型为目录 名字为cgi-bin的文件并删除

linode发给我的Ticket
ToS Violation - Outbound DoS

Hello,

We have detected an outbound denial of service attack originating from your Linode. It appears that a process internal to your Linode is sending large amounts of malicious traffic towards other servers. We ask that you investigate this matter as soon as possible to determine why this activity is originating from your Linode.

If you were not aware that activity of this nature was originating from your Linode, it is likely that your Linode has been compromised, and you'll want to take appropriate action.

We take the integrity of our network very seriously, and we appreciate your cooperation in investigating this activity. Please keep us updated via this ticket as you look into the issue.

As we cannot allow this nature of activity on our network, we ask that you update this ticket within 12 hours or we may need to power down your Linode to prevent further malicious activity.

If you have any questions or concerns, please let us know!

Jon.

It is possible your Linode was compromised. To determine if this is the case, you may want to audit the following log files and writable directories: 

- "/var/log/auth.log": You may have fallen victim to a SSH brute force attack.
- "lastlog": You can cross reference recent account logins with the brute force attempts in "/var/log/auth.log".
- /tmp: This directory is often used by attackers to store their files in.
- Web server logs: You may have installed a vulnerable script or web application. 
- "ps aux": Check for foreign processes.

If you do find that your system has been compromised, I'd strongly suggest completely redeploying your Linode as it is often very difficult to determine the full scope of an attack. If downtime is a concern to you, the following guide will assist you with safely recovering your data and redeploying your Linode with minimal downtime: 

- http://library.linode.com/troubleshooting/compromise-recovery 

If you do not want to spin up a new Linode as advised in the above guide, you can simply deploy a new distribution and mount your old disk images within it to copy your data over. You will first need to free up some space to deploy the new distribution. You can do this by resizing your existing disk image: 

- http://library.linode.com/linode-platform/manager/managing-disk-images#resize_a_disk_image

You can then deploy your new distribution and attach your old disk images to it: 

- Select the "Deploy a Linux Distribution" link on your dashboard. 
- Choose your desired distribution, fill in the the required values, and then click on "Deploy". 
- Return to the dashboard and select your new configuration profile. 
- Attach your old disk image to the drive setup of your new deployment. 
- Boot into your new deployment and mount your old disk image. 
- Copy your data. 

Once you have redeployed your Linode, I'd also recommend implementing some of the security measures advised in our "Security Basics" guide to minimize the risks of a security breach in the future: 

- http://library.linode.com/using-linux/security-basics 

I hope that this information is helpful. Please don't hesitate to follow up with us if you need any further clarification.

Regards,
Will

转载请注明：2014年1月29日Kloxo漏洞：Default目录上传并对外进行DDOS攻击 - 编程知识库