Critical Security Alert: Vulnerable CyberPanel Instance Detected on Your Network

gringofrijolero · October 29, 2024, 8:43pm

Same message ;(

gringofrijolero · October 29, 2024, 8:44pm

I think it’s possible, but it could take lots of effort. I am restoring from 10/22, and see how to protect it

Kais · October 29, 2024, 8:48pm

I have to restore from 1 month old snapshot

But I have a daily backup with synology backup for business

habe to manage to get all files back in place.

Does anyone have any idea when the attacks were launched?

hostbdfree · October 30, 2024, 5:24am

all file hacker encripted by .locked format. how restore it ? please help.

bcat95 · October 30, 2024, 6:08am

I have updated the first comments. If you have problems at any step, please reply here

bcat95 · October 30, 2024, 6:12am

After 24H I found no other problems

bcat95 · October 30, 2024, 6:16am

If the CPU is running above 100% you need to boot through the service provider’s control panel

bcat95 · October 30, 2024, 6:19am

If there is no solution I think you have to restore from backup and upgrade cyberpanel

shoaibkk · October 30, 2024, 6:35am

As many of you know, we resolved the issue a few days ago; however, some servers may still be experiencing problems. If you are encountering any issues, please contact our support team. If you have SSH access, please update first and then check for any remaining issues. Let us know if further assistance is needed—we have already resolved issues for many users, and our support team is actively working to assist you.

For support, reach us at: [email protected].

Please also review this blog post for additional details and a fix: Details and Fix of Recent Security Issue and Patch for CyberPanel.

besicbarca · October 30, 2024, 6:40am

I cant access cyberpanel. Is there any fix? Also dont have backups on Hetzner cloud. Did cyberpanel have any backup? Please help me to get access to cyberpanel.

KibbelKing · October 30, 2024, 7:05am

This is a RCE “remote code execution” vulnerability, it can install a miner, but also place and prepare encryptions scripts, which will start, if you only kill the miner!
With a RCE you can do everything you want!

0-click pre-auth root RCE

At first only a miner was installed, after I had killed the miner and removed the services, a other process triggered after I was idle for some time and started a bash3 process, which encrypted all files!

@DavidChriss looks like your server is already encrypted and therefore will not start anymore.
The Script encrypts everything even system files.
As soon as the server is then restarted, it won’t boot, since every file is encrypted.
Only a Backup can restore your files.

@skym4n have a look at

and

DavidChriss · October 30, 2024, 7:11am

As I checked yes I found my files are encrypted by .encrypt

And I think this might be the solution to my problem

gist.github.com

https://gist.github.com/gboddin/d78823245b518edd54bfc2301c5f8882

0-decrypt.sh

#!/bin/bash

######################################################################################
#                    LeakIX PSAUX CyberPanel Ransom campaign decrypter               #
#                                                                                    #
#                    You have been blessed by PSAUX                                  #
#                                                                                    #
#                    All your files can be decrypted.                                #
#                                                                                    #
#                                                                                    #

This file has been truncated. show original

actually.sh

#!/usr/bin/env bash

private="-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDFiVLFtwUUcizD
4gUkRJayJQFAW79ZojEE8YLLnfF5x5Z1A2hP/qT21LMOmvMz03gu9Jn3G+Iby8cx
4OtvUDuG0tx+Cbq2u2lJj+ZmL11mMMbbR9aTWZhGmdVY3T9X2dObJSV94F5Itd3s
SSf4A+Osb2Ea2Ci6BCK6mCXw7Qrwr4epWuwUiZ2JqfX3Iv5oLmwLOKF/nOM0XzIp
fyopK10C/Di5erPBIAV2SYQh7sZ0JKRH7biL+s9dPM2e+8Ckuvkqkb1O1lIpOh8j
8N/dxn/y9w53KGYsSOaN0ZHseBNCbIwW1s22q4iG/p5d+UG+kTRc8HqdmENw65Vv
S8ycNPnZAgMBAAECggEBAIRgjZ7AEuBrz0IKIqX2bQK/N8J4eZhI0A7fBmcL1npk

This file has been truncated. show original

ak47.py

import httpx
import sys
import time
from concurrent.futures import ThreadPoolExecutor, as_completed

def get_CSRF_token(client):
    try:
        resp = client.get("/")
        if resp.status_code == 200:
            return resp.cookies.get('csrftoken')

This file has been truncated. show original

There are more than three files. show original

But I cant find any guide how to use it… any guide @bcat95 ?

KibbelKing · October 30, 2024, 7:35am

Funny: The Blogpost mentions the following!

NOTE: We’re not sharing the exact location of the vulnerability to avoid exposing servers that still need updating.

NOTE: We’ll share the full details of the vulnerability.

It is already public since 27 Oct and you did know it since 23 Oct!

And it is already public as CVE-2024-51567, CVE-2024-51568 and CVE-2024-51378.

In every CVE there is the Link to the exploit, which was posted by DreyAnd.

Why are you lying in your Blogpost?!

DavidChriss · October 30, 2024, 7:37am

Few Days Ago = Yesterday

Lol

we resolved the issue a few days ago

usmannasir · October 30, 2024, 8:55am

This was fixed more then 1 week ago.

DavidChriss · October 30, 2024, 8:57am

How can I fix my issue I cant acess to SSH and when I use VNC I found files locked and Cant upgrade cyberpanel as it seems like no network connection to the server it like the virus locked system files too

DavidChriss · October 30, 2024, 9:04am

Most System file system are missing on my Side including /bin/bash network settings… creating them not helping… since is a lot of system files… what should I do now? Thanks

KibbelKing · October 30, 2024, 9:20am

Why were users not informed, and the vulnerability published on responsible disclosure?
Not to mention any communication of the RCE vulnerability?!

Only after a great deal of damage was done to many users did you consider it necessary to publish a reference to a non-existent blog post only on facebook.

The blog is paved with so many posts that such messages, if any, are completely lost.
When I searched for security, countless posts came up that had nothing at all to do with the current problem!
Only after the update of Oct 29, a post appears.

kostas123 · October 30, 2024, 9:40am

I do have the same problem. There is a decryptor script published

In my case it doesn’t work because the files are locked at this time.

Any update?

DavidChriss · October 30, 2024, 9:41am

I dont know suffering trying to restore it…

Waiting for anyone who know what to do to help us