IID server vulnerability warning: Pagoda panel is suspected to have a new high-risk vulnerability
- Author: NE
- Category: Industry News
- Release Time: 2022-12-11
Dear customer:
We have recently learned from several sources that the widely used Pagoda (BT) panel is exposed to a high-risk issue: a large number of users report that their panel has been compromised and their sites maliciously redirected to illegal websites. If you use this panel, please check your server for traces of intrusion. Pagoda Panel is a server control panel with more than 4 million installations, used mainly by operations staff to deploy and manage server environments. A serious, high-risk security vulnerability is currently suspected in the panel. Through it an attacker can obtain root privileges directly, because the panel itself runs with high privileges; as a result, changing the Pagoda panel account password or the SSH account password does not lock the attacker out.
Vulnerability Level: High Risk
Vulnerability risk: Through this vulnerability the intruder obtains root authority, since the panel runs with high privileges. Changing the panel account passwords and the SSH account password is therefore ineffective. The intruder can modify the nginx configuration files, the database files and the files in the website root directory.
The site may show a large volume of log entries and abnormally high CPU usage. Because the vulnerability point is not yet known, do not click the clear-log button casually; the logs are the evidence needed to trace the intrusion.
Affected version: Pagoda panel 7.9.6 and below, for installations using nginx (to be confirmed)
Suggested handling: The official suggestion is to connect to the server over SSH and run the command that stops the BT panel (bt stop). This stops only the web panel; the server and the web sites it hosts keep running and are not affected.
It is reported that this vulnerability has not yet been confirmed by Pagoda; the Pagoda team is investigating. Given the high risk level, and to prevent unexpected damage, we strongly recommend stopping the web panel as officially advised.
Troubleshooting method: check the files in the /www/server/nginx/sbin directory. Sizes seen so far:
1. nginx 11.80 MB (the normal binary)
2. nginxBak 4.55 MB [Trojan horse]
3. nginx 4.51 MB [Trojan horse]
Vulnerability characteristics:
1. A recently modified nginx binary of about 4.51 MB
2. The logs have been cleared
3. An operation-log entry for bb.tar.gz whose time is almost the same as the modification time of the 4.51 MB nginx file
4. The file systemd-private-56d86f7d8382402517f3b5-jP37av (the malicious file) exists under /tmp/
Indicator files:
File: nginx 4.51 MB
File: systemd-private-56d86f7d8382402517f3b5-jP37av
Two affected users compared their files; the attack could not be reproduced. Only one of them still had the bb.tar.gz entry in the operation log, and its time is almost identical to the modification time of the 4.51 MB nginx file. The other users' logs had already been cleared.
Temporary solution:
1. Switch the nginx version and check whether the nginx file changes
2. Delete /tmp/systemd-private-56d86f7d8382402517f3b5-jP37av
3. Change the panel username and password
4. Stop the panel with bt stop
5. Install the file-monitoring plug-in and monitor the /www/server/nginx/sbin and /tmp directories
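The checks above can be scripted so that every host is examined the same way. The following triage script is an added example and is not a script from Pagoda or from IDGlobal. The sbin path, the /tmp file name and the bb.tar.gz string are taken from this notice; the size threshold (an nginx binary under 8 MB is flagged, because the notice quotes 11.80 MB for the real binary and about 4.5 MB for the implant), the 7-day "recently modified" window, the assumption that a clean sbin directory holds only the nginx binary, and the plain-text operation-log file passed as the third argument are all assumptions. Run it with no arguments to scan a constructed sample tree; run it with the argument `host` (optionally followed by the path to an exported operation log) to scan the real paths.

```shell
#!/bin/sh
# Triage helper for the indicators listed in this notice (added example,
# not code from Pagoda or IDGlobal). Assumptions: a clean sbin holds only
# "nginx"; a real nginx is well above 8 MB; a "recent" change is < 7 days;
# the operation log has been exported to a plain-text file.

IOC_TMP_NAME="systemd-private-56d86f7d8382402517f3b5-jP37av"   # from the notice
MIN_NGINX_BYTES=8000000   # assumed threshold between 11.80 MB (real) and ~4.5 MB (implant)
IOC_COUNT=0

# check_pagoda_iocs SBIN_DIR TMP_DIR [OPLOG_TEXT_FILE]
# Prints one SUSPECT/INFO line per finding and leaves the number of
# SUSPECT findings in IOC_COUNT. Always returns 0 so it is safe under set -e.
check_pagoda_iocs() {
    sbin="$1"; tmp="$2"; oplog="${3:-}"
    IOC_COUNT=0
    for f in "$sbin"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        size=$(wc -c < "$f" | tr -d ' ')
        if [ "$name" != "nginx" ]; then
            # nginxBak is one of the implanted files named in the notice
            echo "SUSPECT: unexpected file in $sbin: $name ($size bytes)"
            IOC_COUNT=$((IOC_COUNT + 1))
        elif [ "$size" -lt "$MIN_NGINX_BYTES" ]; then
            echo "SUSPECT: nginx binary is only $size bytes (expected about 11.80 MB)"
            IOC_COUNT=$((IOC_COUNT + 1))
        fi
        # Modification time is the pivot for correlating with the operation log
        if [ -n "$(find "$f" -mtime -7 2>/dev/null)" ]; then
            echo "INFO: $name was modified within the last 7 days; compare with the operation log"
        fi
    done
    if [ -e "$tmp/$IOC_TMP_NAME" ]; then
        echo "SUSPECT: implant file present: $tmp/$IOC_TMP_NAME"
        IOC_COUNT=$((IOC_COUNT + 1))
    fi
    if [ -n "$oplog" ] && [ -f "$oplog" ] && grep -q 'bb\.tar\.gz' "$oplog"; then
        echo "SUSPECT: bb.tar.gz referenced in $oplog"
        IOC_COUNT=$((IOC_COUNT + 1))
    fi
    echo "SUSPECT_COUNT=$IOC_COUNT"
    return 0
}

# Constructed compromised-looking tree (sparse files with the sizes from the
# notice and a made-up log line) so the checks can be exercised offline.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sbin" "$d/tmp"
    dd if=/dev/zero of="$d/sbin/nginx" bs=1 count=0 seek=4510000 2>/dev/null
    dd if=/dev/zero of="$d/sbin/nginxBak" bs=1 count=0 seek=4550000 2>/dev/null
    : > "$d/tmp/$IOC_TMP_NAME"
    printf '%s\n' "2022-12-10 03:14:22 file manager: upload bb.tar.gz (constructed log line)" > "$d/oplog.txt"
    echo "$d"
}

# Constructed clean tree: a single 11.80 MB nginx and an empty /tmp.
make_clean_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/sbin" "$d/tmp"
    dd if=/dev/zero of="$d/sbin/nginx" bs=1 count=0 seek=11800000 2>/dev/null
    echo "$d"
}

case "${1:-demo}" in
    host) check_pagoda_iocs /www/server/nginx/sbin /tmp "${2:-}" ;;
    demo) t=$(make_demo_tree)
          check_pagoda_iocs "$t/sbin" "$t/tmp" "$t/oplog.txt"
          rm -rf "$t" ;;
esac
```

On a live host the INFO lines matter as much as the SUSPECT lines: a freshly modified nginx binary of normal size still deserves a look at the operation log around that timestamp, and the script deliberately never deletes anything, since the logs and the implanted files are the evidence the investigation needs.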
Reminder: A large number of newly installed users have also reported Trojan horses, so there may currently be a problem with the official BT installation source; we recommend suspending new installations for now. If you find any problem after checking, please contact Pagoda's official customer service.
INTERNET DATA GLOBAL (IDGlobal)
INTERNET DATA LIMITED
December 11, 2022