Massive PSAUX ransomware attack targets 22,000 CyberPanel instances

imno007

imno007

Well-known member
Maybe old news to some, but unfortunately I only heard about it after my server was knocked offline - six hours ago and counting. If you're using CyberPanel and haven't updated to 2.3.8+, and are lucky enough not to have been impacted by this yet, get busy.

www.bleepingcomputer.com

Massive PSAUX ransomware attack targets 22,000 CyberPanel instances

Over 22,000 CyberPanel instances exposed online to a critical remote code execution (RCE) vulnerability were mass-targeted in a PSAUX ransomware attack that took almost all instances offline.
www.bleepingcomputer.com www.bleepingcomputer.com
 
So glad i'm with a really good host that has a CPanel and protection from this stuff.

Sure people can laugh if they wish to but if they're having issues they may as well jump on to Namecheap and be done with it.
 
I wonder if this could've been avoidable with a firewall blocking port 8443's traffic from anyone other than you.

I have it set to block my control panel, SSH, FTP, and MySQL, ... as those should only be accessible to me (I don't need to connect to MySQL from other hosts or SSH, but can easily disable the firewall in 1 click). Though, I wouldn't set this rule on the server because it would be quite difficult to change (maybe impossible unless you left SSH open to reconfigure it via CLI) if I blocked that way and got assigned a new IP. I use Vultr's firewall to block traffic at the first level so that I can always login and disable that firewall/rule. Very simple to do.

Different rules on the server, but a "harder" to manage firewall.
 
Slavik said:
cPanel has had its fair share of exploits over the years.

And even the largest companies fall foul of threat actors.

Which is why it is so important to ensure a solid, robust backup system is in place.
Click to expand...
Funny, I've never encountered any issues with them since being with them.

I've had others that have been far worse.

Namecheap > cloudaccess.net by the length of Flemington Race course.
 
frm said:
I wonder if this could've been avoidable with a firewall blocking port 8443's traffic from anyone other than you.

I have it set to block my control panel, SSH, FTP, and MySQL, ... as those should only be accessible to me (I don't need to connect to MySQL from other hosts or SSH, but can easily disable the firewall in 1 click). Though, I wouldn't set this rule on the server because it would be quite difficult to change (maybe impossible unless you left SSH open to reconfigure it via CLI) if I blocked that way and got assigned a new IP. I use Vultr's firewall to block traffic at the first level so that I can always login and disable that firewall/rule. Very simple to do.

Different rules on the server, but a "harder" to manage firewall.
Click to expand...
You go too far with everything.
 
Suzanne O said:
You go too far with everything.
Click to expand...
Maybe you should meet me halfway and at least use 1 layer of protection so your site won't be taken offline in the future?
MentaL said:
It is common practice to restrict things to a VPN/Range of choice in these regards.
Click to expand...
I feel good doing it with Vultr's Firewall to just my static IP address because it's a solid password with 2FA. I can log in from anywhere to disable that rule to connect to the server if I need to from elsewhere, but that's not something that happens much, if at all, as things tend to be on the web-side of the house and not a server issue.

There's also a ufw rule on the server for an added layer of protection that opens it up to more connections, but still limits it to "me".
 
frm said:
A local (home or office) RAID 1 NAS would be the cherry on top for the ultimate redundancy.
Click to expand...
That's my ftp location. My home NAS.

qn1.webp
 
Back
Top Bottom