Server fully compromised via tampercore kernel module exploit chain
Server Details
IP:
aaPanel version: [insert your version]
OS: Ubuntu 22.04 LTS, kernel 6.8.0-88-generic
Paid Lifetime Pro license (Order # attached)
Timeline & Observed Symptoms
Initial breach: WordPress vulnerability on site (likely outdated plugin).
Overnight disk usage jumped from 56 % → 78 % (hundreds of GB consumed).
Multiple sites suddenly began throwing 502 Bad Gateway errors even though they were reachable the day before.
aaPanel began flooding logs with BaoTa Tamper-Drive Module messages and kernel panics.
Root SSH login disabled itself (hardening was enabled after the breach).
Repeated kernel oops / panics with the following signature (excerpt from /var/log/syslog, Dec 5 2025):
```text
kernel: detected buffer overflow in __fortify_strlen
kernel: tamper_write_log+0x130/0x150 [tampercore]
kernel: hook_mkdir+0x16b/0x190 [tampercore]
kernel: CPU: X PID: XXXXX Comm: php-fpm Tainted: G D OE
```
Root Cause – Confirmed
The attacker used a known exploit chain that weaponizes aaPanel’s own tampercore.ko kernel module.
The attacker gains initial code execution via a vulnerable WordPress plugin (file-upload → webshell).
From userland they trigger syscalls (mkdir, open, etc.) that are hooked by tampercore.
The current tampercore module contains a buffer-overflow vulnerability in its logging path that allows ring-0 code execution.
Once in kernel space, the attacker has unrestricted root privileges and can modify any file, disable SSH, inject persistent hooks, etc.
Every subsequent syscall they make re-triggers the vulnerable logging path → kernel panic → massive crash dumps → rapid disk exhaustion.
This is not a misconfiguration. This is a publicly exploited vulnerability in tampercore itself that has been mass-used throughout 2025 on aaPanel installations.
Current State
CPU usage normal.
Disk still 74 % full from crash dumps, attacker temp files, and tampercore logs.
Several sites have been deleted or are returning 502 (attacker likely overwrote Nginx configs or PHP-FPM pools).
All important databases and uploads have been exported locally.
Server remains unstable and will eventually fill the disk completely or kernel-panic into an unrecoverable state.
Requested Assistance
Official, safe procedure to unload or permanently disable the tampercore kernel module.
Guidance or patch that closes the buffer-overflow vector in tamper_write_log / hook_mkdir.
Any emergency recovery steps for servers already compromised through this vector.
Thank you for your urgent help.
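Added triage example (my own code, not the reporter's or aaPanel's): it parses syslog lines for the oops signature quoted in the report and reports how often the tampercore logging path is crashing, which userland processes trigger it, and which tampercore hook_* entry points show up in the traces. The sample lines, the hostname web1 and the PIDs are constructed.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not the reporter's real log); they mirror the
# oops signature quoted in the report, fired twice from php-fpm.
SAMPLE_SYSLOG = """\
Dec  5 03:14:07 web1 kernel: detected buffer overflow in __fortify_strlen
Dec  5 03:14:07 web1 kernel: tamper_write_log+0x130/0x150 [tampercore]
Dec  5 03:14:07 web1 kernel: hook_mkdir+0x16b/0x190 [tampercore]
Dec  5 03:14:07 web1 kernel: CPU: 2 PID: 41233 Comm: php-fpm Tainted: G      D    OE
Dec  5 03:14:08 web1 nginx: [error] upstream prematurely closed connection
Dec  5 03:20:51 web1 kernel: detected buffer overflow in __fortify_strlen
Dec  5 03:20:51 web1 kernel: tamper_write_log+0x130/0x150 [tampercore]
Dec  5 03:20:51 web1 kernel: hook_mkdir+0x16b/0x190 [tampercore]
Dec  5 03:20:51 web1 kernel: CPU: 0 PID: 41290 Comm: php-fpm Tainted: G      D    OE
"""

OVERFLOW_MARK = "detected buffer overflow in __fortify_strlen"
FRAME_RE = re.compile(r"kernel: (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[(\w+)\]")
TASK_RE = re.compile(r"kernel: CPU: \d+ PID: (\d+) Comm: (\S+) Tainted: (.*)$")

def parse_oops_events(text):
    """Group lines into oops events: open at the overflow line, close at the task line."""
    events, current = [], None
    for line in text.splitlines():
        if OVERFLOW_MARK in line:
            current = {"frames": [], "pid": None, "comm": None, "taint": []}
        elif current is None:
            continue  # line outside any oops (e.g. the nginx line) is skipped
        elif (m := FRAME_RE.search(line)):
            current["frames"].append((m.group(1), m.group(2)))  # (symbol, module)
        elif (m := TASK_RE.search(line)):
            current.update(pid=int(m.group(1)), comm=m.group(2), taint=m.group(3).split())
            events.append(current)
            current = None
    return events

def is_tampercore_logging_oops(event):
    """True when the trace went through tamper_write_log inside tampercore."""
    return ("tamper_write_log", "tampercore") in event["frames"]

def summarize(text):
    """Count tampercore logging oopses, the userland processes that hit them,
    and which tampercore hook_* entry points appear in the traces."""
    hits = [e for e in parse_oops_events(text) if is_tampercore_logging_oops(e)]
    return {"oops_count": len(hits),
            "by_comm": dict(Counter(e["comm"] for e in hits)),
            "entry_hooks": sorted({s for e in hits for s, m in e["frames"]
                                   if m == "tampercore" and s.startswith("hook_")})}
```

Run it against the real /var/log/syslog (read the file into `summarize`) to see whether the oops rate is climbing before deciding how urgently to take the host offline.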