Beware Kloxo Exploit!
From the very beginning I have never used Kloxo, but that doesn’t mean I hate it. It’s simply because I was interested in something other than that phenomenal free hosting control panel, which has been getting so much attention and so many fanatic users. It’s a nice control panel that can be installed even on a low-end VPS, and it’s also resource-friendly compared to its major competitor, WHM/cPanel.
Just recently I got a few emails from several providers raising a big alarm about a Kloxo exploit and notifying all clients who have installed Kloxo that they must remove it immediately, due to a recently discovered zero-day exploit with no workaround currently available.
Quoted from WeLoveServer:
Since this morning, we have been combating multiple DDoS attacks across all of our locations. Upon further investigation, this is stemming from compromised VPS containers that utilize the Kloxo control panel software.
We have been made aware of an active zero day exploit in Kloxo with no workaround available. Essentially the exploit spawns a large number of httpd processes that allows the affected system to participate in a DDoS.
We kindly request your immediate attention into this matter, and ask that if you are running Kloxo that you disable it immediately.
Due to the fact that the Kloxo developers are inactive and the software appears to be poorly written, along with the severity of this zero day exploit, we are prohibiting Kloxo from being run on our VPS servers moving forward in order to protect our network and our users. We believe this is the best resolution, as Kloxo is not secure software that should be used in any production environment. If your VPS is currently running Kloxo, please wipe your Kloxo install immediately.
Quoted from Iniz:
We have recently become aware of a serious security risk in the Kloxo control panel. We removed the panel from our template list several months ago due to it being outdated, and just recently, as in the last few minutes, we have seen several VPSs being infected via a vulnerability in Kloxo.
Effective immediately, we ask all clients to reinstall their VPS if they are using the Kloxo Control Panel; otherwise your VPS will face suspension, as it causes 100+ load and high outgoing PPS from what we have discovered.
Far better alternatives exist, which are available for free as well, are updated regularly and are a lot more secure; we suggest you move to them immediately if you depend on a hosting control panel.
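As an added defender-side example (hypothetical code, not from this post, the providers quoted above, or the Kloxo project), here is a POSIX shell check for the symptoms both providers describe on compromised hosts: a burst of httpd processes, a load average over 100 and a high outgoing packet rate. The thresholds, the interface name eth0 and the function names are assumptions.

```shell
#!/bin/sh
# Hypothetical check for the symptoms reported on compromised Kloxo hosts:
# many httpd processes, 100+ load, high outgoing PPS. Thresholds are assumptions.
HTTPD_MAX=${HTTPD_MAX:-50}
LOAD_MAX=${LOAD_MAX:-100}
PPS_MAX=${PPS_MAX:-5000}

# count_httpd: count httpd processes from "ps -eo comm=" style output on stdin
count_httpd() {
    grep -c '^httpd$' || true
}

# outbound_pps: packets per second from two tx-packet samples ($1, $2) taken $3 seconds apart
outbound_pps() {
    echo $(( ($2 - $1) / $3 ))
}

# tx_packets: transmitted packet counter for interface $1, read from /proc/net/dev
tx_packets() {
    grep "^ *$1:" /proc/net/dev | sed 's/^[^:]*://' | awk '{print $10}'
}

# load1: 1-minute load average from /proc/loadavg, truncated to an integer
load1() {
    cut -d' ' -f1 /proc/loadavg | cut -d. -f1
}

# evaluate: compare httpd count ($1), load ($2) and outbound pps ($3) against the thresholds;
# prints one WARN line per exceeded threshold and returns 1 if any threshold was exceeded
evaluate() {
    rc=0
    if [ "$1" -gt "$HTTPD_MAX" ]; then echo "WARN: $1 httpd processes (max $HTTPD_MAX)"; rc=1; fi
    if [ "$2" -gt "$LOAD_MAX" ]; then echo "WARN: load average $2 (max $LOAD_MAX)"; rc=1; fi
    if [ "$3" -gt "$PPS_MAX" ]; then echo "WARN: outbound $3 pps (max $PPS_MAX)"; rc=1; fi
    return $rc
}

# main: sample the live host over 5 seconds (interface name is an assumption, default eth0)
main() {
    ifc=${1:-eth0}
    t0=$(tx_packets "$ifc"); sleep 5; t1=$(tx_packets "$ifc")
    evaluate "$(ps -eo comm= | count_httpd)" "$(load1)" "$(outbound_pps "${t0:-0}" "${t1:-0}" 5)"
}

# Only sample the live host when invoked as: sh check.sh --run [interface]
case "${1:-}" in --run) main "${2:-eth0}" ;; esac
```

A non-zero exit from `main` means at least one of the three symptoms was seen, so the script can be run from cron and its output forwarded to whatever alerting you already use.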
Kloxo Alternatives:
If you still require a control panel, below is a list of alternative free control panels that you can consider installing:
- VestaCP (How to install)
- Webmin/Virtualmin
- iMSCP
- Ajenti
- OpenPanel
- ISPConfig
- zPanel CP (How to Install)
Have some thoughts? Do not hesitate to share them in the comment section below.
Remember, this does not include Kloxo-MR (a Kloxo fork by Mustafa Ramadhan; see http://forum.mratwork.com).
thanks for your confirmation 🙂
Hey, which one is best/better?
VestaCP or zPanel CP or ISPConfig ?
I tried webmin/virtualmin but can’t figure out how to manage it.
Sparsh, I heard about VestaCP thanks to Sawiyati and like it so much. I can recommend it.
That depends on personal level 🙂 zPanel is really easy and perfectly suits newbie users.
For me, Vesta CP is better. My VPS was suspended by Iniz because of I/O abuse due to zPanel. Also, VestaCP supports an Nginx frontend proxy by default.
Hi there, is it possible to set up VestaCP with all Apache … no Nginx?
I believe it can. Just uncheck the Enable Nginx option when adding new website
Hello sir, thanks for sharing. I have a question:
I want a free control panel that supports nginx, can install WordPress, and is still secure.
Thank you
Webmin, Vesta CP or Webuzo
Kloxo is at version 6.1.19 and has fixed a lot of security bugs. I am a happy Kloxo user!
What happens when biased info is posted? Panic and uncertainty spread widely.
Sheep never use brain.
If a program coded 1+1=3 by mistake, why can’t the contributors fix it when the code is also released?
Paid reviewers will review as you want if you pay enough.
This type of blog will always be there when someone wants to sell their **** even if it can be obtained for free.
I am also a Kloxo user and have never faced any problem on my 3 VPSs running for more than 2 years without any issue of this kind.
I am not paid by anyone, since no one out there to pay for Kloxo.
Map the default domain to a dummy domain hosted on the same server and do chmod 0 on that dir;
block all ports other than the essentials using iptables.
I bet you won’t get into this issue.
There are SEVERAL incorrect statements made here.
1) A DDoS attack has absolutely NOTHING to do with what software is running on the server. It is simply a packet flood from external servers.
2) VestaCP has so many security holes, exploits and other problems, it’s not worth ranking as #1, let alone 1000. As for the rest of the “free” panels listed, almost every single one of them are full of security holes, be it cross site database injection vulnerabilities, to pathetically unsafe practices like non-jailed user shell access, and unsecured ports.
You should actually do some homework before going off the deep end and calling into question the credibility of an entire project.
3) Malware infiltrations are more than likely the fault of the system administrator who altered settings, such as openbasedir, suexec, exec etc. in their php, changed firewall rules, or introduced the opening themselves, or gave escalated privileges to one of their users.
And finally. Kloxo, and HyperVM are very well written, and are under constant development. The statement made that Kloxo is “inactive” isn’t even remotely close to true.
@Markuz Zericci
You are right. Kloxo is on the run with many developers.
Yes.
Someone want to sell some crap.
They usually try to create image like this.
I am using Kloxo for more than 3 years with zero issues on my multiple VPSs.
Kloxo + good firewall settings = no worry.