CyberPanel is a great panel. If you ask about an alternative panel, it’s worth noting that all control panels, even popular ones like WHM cPanel, have experienced security vulnerabilities over time; you can google it. CyberPanel, like others, is continuously updated to address potential security issues.
It’s essential for everyone to understand and implement a disaster and recovery plan to protect your data and maintain operational continuity in case of unexpected failures.
Do you use CyberPanel? Because if you had any data in CyberPanel then I think you won’t say that, because you didn’t understand what the hacker is trying to do. He mentioned that he might sell data on the dark net.
And WHM has auto update, aaPanel has auto update, most other panels have auto update.
The CyberPanel team knew that the issue might be a potential risk but they didn’t warn us to update CyberPanel, and also I had one server with updated CyberPanel but it also got hacked.
So if you can help the community then do it, else you can research, see the situation of all the users, don’t just randomly post anything without knowing the situation of thousands of users.
And I believe cyberpanel is a great panel and that’s why thousands of users are using it but the team of cyberpanel is not worth the situation, happened.
Hello, a server of mine was affected by the attack, following your advice I removed the kinsing malware and then upgrading to the latest version helped it become stable enough again - I say stable enough because it didn’t affect the server’s functionality ever since.
For the last 10 days now I’ve been running into more and more affected files, apart from this infection list and it seems I also got the perfctl malware too.
So in case it helps someone else on the CyberPanel forum, I found help on how to remove that one here:
More detailed information on the malware’s actions here and potentially files affected:
Then in order to figure out if other files were infected too, I went ahead and compared files directory to directory plus many configurations, with two other CyberPanel servers that were not infected.
And after that things seem to be running stable again, though MailScanner still sees some suspicious processes in lfd and cfd, but haven’t found anything wrong with them yet.
I’ve run chkrootkit and ImunifyAV for additional checks. They were really helpful in finding other infected files too.
Also listing directories with “ls -lat” in order to list recently updated files first helped too. I could instantly see what was changed after 28th of October this way.
Meanwhile I now see 2 more files that I don’t recognize…:
/usr/lib/exi that contains the server IPv4
and
/usr/lib/vei that contains this text: “cy2”
If anyone has a clue about these please let me know.
Now I am also preparing a migration plan for the infected server… it has a bunch of client sites on it including e-shops etc. so I can’t have this happening again… I’ll set up a cluster with enhance panel + OLS this time and move them there, with a better disaster strategy in place.
I have two more CyberPanel servers hosting ~30 client sites but I now feel like they’re an accident waiting to happen.
I don’t think I can ever trust CyberPanel with critical projects after this incident again… I may use it for non-critical ones but this really was too much time and money I lost, plus it’s also a matter of credibility for my business as well. I think it should be for CyberPanel too.
I hope I helped others in my shoes.
I’ve been using CyberPanel since 2020, so it’s been four years now, with over 20 VPS instances and more than 100 websites set up. I received information about the vulnerability not from CyberPanel, but from Vultr. The post I wrote included 100% of the information from Vultr’s notification.
That morning, I had to investigate and upgrade all servers myself, but unfortunately, three out of four had already been infected with malicious code by the time I could secure them.
So, is it wrong to have shared that post detailing the issue and explaining the steps I took to fix it? The goal was to inform others based on my own experience in a timely way and to raise awareness.
No one is blaming you, brother. No one is blaming the attacker, no one is blaming the blog publisher. No one is blaming the CyberPanel team.
I believe it was good that now we are serious about our data and privacy, and investing a small amount in security also. Although I am not blaming CyberPanel for this. I have so many instances and data and websites with this; everything works fabulously.
The main thing, I strongly believe, is the way of operation they did. CP Team should broadcast it to warn users to update CyberPanel ASAP. And add a changelog like Minor Bug Fixed.
I couldn’t understand their calculations. What they thought and what they executed. They even skipped posting in FB Groups or Twitter or their Blog. They are saying just one thing, that “They want everyone should update their cyberpanel silently!” Is there any sense?
It’s like selling a drill to users when their goal is to have a hole in the wall. From the consumer’s perspective, acceptance and notification is necessary because no one blames the team
Likewise. They wrote a letter and their team actually helped but the execution is literally worst of their thing.
This was posted far too late, and since they are spamming their blog with posts hourly, there is no way to see such an important post!
Yes! Buddy this is the main thing and that’s why blaming their execution.
It is getting interesting within the EU.
The software providers are now liable if there are problems.
@usmannasir @shoaibkk