Question about "Kloxo installations compromised"

[delllaptop]

Hi
I want to swith from "kloxo 6.1.12" to "kloxo MR"
But I want to know
Does "kloxo MR" have the below problem?
"http://www.webhostingtalk.com/showthread.php?t=1344003"

Thanks

[chrisf]

Mustafa, is webcommand.php vulnerable to this exploit?

This is very serious, concerned.  This happened today.

[MRatWork]

One reason why Kloxo-MR released is fix security bug (like webcommand.php exploit).

[zidit]

Can I still using kloxo-api with kloxo-MR?

[MRatWork]

No problem with API in Kloxo-MR.

[MRatWork]

Listing of patch/fix/modified related to security issues (mostly from Kloxo Official):

- fix possible sql-injection on login and API
- fix switch 'safe' and 'unsafe' mode)
- disable/remove '/usr/bin/lxsuexec' and '/usr/sbin/lxrestart'
- update suphp config (possible security issue)
- fix lxguard for detect ftp login
- change lxphp+lxlighttpd to php52s+hiawatha
- fix security bug for php-fpm (add open_basedir)

[zidit]

I am the one who affect by kloxo 6.1.12 compromised. Now I have new vps install fresh kloxo-MR. I need to migrate all data (client/file/db etc.) to new kloxo-MR. I just check folder structure in /home, there are something different. So I'm not sure if I rsync all /home to new one is working? Do you have some instruction to migrate data from the old kloxo to kloxo-MR?

Thank

[MRatWork]

If different VPS, Use backup from Kloxo panel and then restore in Kloxo-MR panel (read warning in https://github.com/mustafaramadhan/kloxo/blob/dev/how-to-install.txt).

If using the same VPS just follow https://github.com/mustafaramadhan/kloxo/blob/dev/how-to-install.txt step B.2, login to panel and 'switch program' (especially web and dns) and 'webserver config' (especially php-branch and php-type).

[bluearrow]

Iniz hosting service asked everyone to move from Kloxo to another panel and I wonder if they counts Kloxo-MR as Kloxo too.

Is there anything we must do from those patch/fix/modified listed ? I have do running vps with Kloxo-MR and I haven't had a single problem month. I hate to mess anything.

[MRatWork]

Iniz hosting service asked everyone to move from Kloxo to another panel and I wonder if they counts Kloxo-MR as Kloxo too.

Is there anything we must do from those patch/fix/modified listed ? I have do running vps with Kloxo-MR and I haven't had a single problem month. I hate to mess anything.

Try changing Kloxo-MR port from 7777/7778 to others (let say 8777/8778). Possible with this trick, port scanning to 7777/7778 will fail.

[zidit]

Iniz hosting service asked everyone to move from Kloxo to another panel and I wonder if they counts Kloxo-MR as Kloxo too.

Is there anything we must do from those patch/fix/modified listed ? I have do running vps with Kloxo-MR and I haven't had a single problem month. I hate to mess anything.

Try changing Kloxo-MR port from 7777/7778 to others (let say 8777/8778). Possible with this trick, port scanning to 7777/7778 will fail.

Where can I change this?

[MRatWork]

Find out 'Port Config'.

[bluearrow]

Where can I change this?

Goto Kloxo admin pannel and search for Port Config


Port changing suggest is great. That's one way a hacker would find a Kloxo hosted server. I think every small thing like that can help. ))

[cmdman]

any help

 i got  mail from my hoster to turn off kloxo any help please i have 5 vps and 1 dedi server

[MRatWork]

@cmdman,

All Kloxo security issue already fixed in Kloxo-MR!. Ask to your provider for 'how about Kloxo-MR'.

Some VPS providers already approve where 'Kloxo-MR is fine'.