Hackers compromised accounts belonging to maintainers of the open-source ZPanel after a team member supporting the Web hosting control panel called a critic a "fucken little know it all." The ZPanel site went completely down after the incident and remained down at the time of writing.

ZPanel support member Nigel Caldwell made the comment in the site's official forums and it was directed at a user named joepie91. Shortly beforehand, the Netherlands-based software developer—whose real name is Sven Slootweg—claimed that websites using ZPanel in combination with certain modules were vulnerable to exploits that allowed attackers to remotely execute malicious code. Slootweg directed his statement at Caldwell, aka PS2Guy, after the support member left a comment saying ZPanel "is more secure than panels that you pay good money for." Caldwell also said users have "got more chance of someone hacking your Operating System than the control panel that sits on it."

In his response, Slootweg claimed there was an "arbitrary code execution and root escalation vulnerability in the current version of ZPanel." To support this, Slootweg provided an example line of code he said could be inserted into a main ZPanel template to trigger the vulnerability. Last month, Slootweg disclosed a ZPanel vulnerability here. Two weeks ago, he stepped up his criticism after claiming the vulnerability had gone unfixed. "I find it shameful that I even have to post here to point this out, to prevent someone from putting themselves at risk," Slootweg wrote in Wednesday's post on the ZPanel forum. "This should be the responsibility of the ZPanel team."

Caldwell then replied: "I'll let the Developers reply to you, because I can't really be fucked answering a fucken little know it all like you. Instead of saying this doesn't work and this is vulnerable, how about telling the boss (Ballen who [owns] a coding company and has worked with code for countless years and while I'm at it, wrote ZPanel 10 from scratch, how to fix it???????????????????????)"

In the hours that followed, forum accounts belonging to both Caldwell and Tom Gates, who is listed as head of ZPanel support, were found to be posting spoofed messages. "Hello," one fraudulent message posted from Caldwell's account read. "Recently we've realized that we cannot produce any secure code and have decided to shut down the project. Goodbye."

Bobby Allen, ZPanel's lead developer and the "Ballen" Caldwell had referred to earlier, confirmed to Ars that the forum accounts for two of the project's staff members were compromised. He said he took down the website shortly afterward. In an e-mail Allen wrote:

"It would appear that the attacker(s) have managed to get access through a member of our team's account (likely they found a password by hacking into their personal e-mail account or something along those lines, which gave them access to our forums but NOT our servers... the servers have been shut down as a precaution)."

The forum account compromises came around the same time someone posted a screenshot suggesting that a server had been hacked. It appeared to show a user logged in as root on a machine called "dexter," copying an archive of ZPanel files. There's also a list of passwords that purportedly belong to Allen, Gates, and other ZPanel staff members. When asked whether the link contained real credentials, Allen said: "I do not know any of those passwords and my personal password (although my e-mail address is on the list) is not there! I would assume this is a fake!"

Allen went on to claim that the latest "stock" version of ZPanel is immune to the attacks Slootweg disclosed. "Only older versions of the control panel application are vulnerable to these attacks WHERE the user has installed a third-party module, which then enables uploads of custom themes, which can then lead to exploits," he wrote. "By default ZPanel does not allow the uploading of custom 'reseller' themes."

Without independent testing, there's no way to confirm whether ZPanel is vulnerable to the alleged exploits Slootweg identified. What is clear, however, is that the ZPanel maintainers have a lot to learn about security, not to mention better communication practices with users and critics.

"I don't know.... maybe I'm wrong in all this," Allen told Ars. "I'm a Web developer not a security expert like yourself!"

Update:

After this article was published, ZPanel developer Kevin Andrews e-mailed Ars to say the server named dexter didn't belong to the open-source project and wasn't used to host its website or forums.

"I think this server belongs to tgates who is a staff member," Andrews wrote, referring to Tom Gates. "On the server he hosted a ZPanelCP Module Directory Application for users of ZPanel to search modules and download them. His application had a SQL Injection vulnerability which [the hackers] exploited."
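The SQL injection Andrews describes in the module directory application is the kind of bug a search feature picks up when user input is pasted straight into a query. The following is an added example written for this article, not code from ZPanel or from the module directory application (whose language the article does not say); it uses Python's sqlite3 and a constructed catalogue of module names to put the vulnerable search beside a parameterized one. It also goes one step beyond the article's bug: even a parameterized LIKE query lets a user-supplied `%` or `_` act as a wildcard, so the hardened version escapes those too.

```python
import sqlite3
from typing import List, Tuple

# Constructed module catalogue for the demo (not the real ZPanel module list).
MODULES: List[Tuple[str, str, str]] = [
    ("roundcube", "Roundcube webmail", "1.0"),
    ("rss_feed", "RSS news feed widget", "0.3"),
    ("phpmyadmin", "phpMyAdmin database manager", "2.1"),
    ("100percent", "100% free backup helper", "1.2"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table holding the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE modules (name TEXT, description TEXT, version TEXT)")
    conn.executemany("INSERT INTO modules VALUES (?, ?, ?)", MODULES)
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> List[str]:
    """VULNERABLE: the search term is concatenated into the SQL text, so a
    quote in the term changes the query's structure instead of its data."""
    sql = (
        "SELECT name FROM modules WHERE name LIKE '%" + term + "%'"
        " OR description LIKE '%" + term + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def escape_like(term: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters so the term is matched literally."""
    return (
        term.replace(esc, esc + esc)
        .replace("%", esc + "%")
        .replace("_", esc + "_")
    )


def search_safe(conn: sqlite3.Connection, term: str) -> List[str]:
    """HARDENED: bound parameters keep the term out of the SQL text, and the
    ESCAPE clause stops user-supplied wildcards from widening the match."""
    pattern = "%" + escape_like(term) + "%"
    sql = (
        "SELECT name FROM modules WHERE name LIKE ? ESCAPE '\\'"
        " OR description LIKE ? ESCAPE '\\'"
    )
    return [row[0] for row in conn.execute(sql, (pattern, pattern))]


def query_breaks(conn: sqlite3.Connection, term: str) -> bool:
    """True if the unsafe search cannot even parse the query for this term,
    which is the tell-tale sign that input is reaching the SQL parser."""
    try:
        search_unsafe(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    for t in ("rss", "rss'", "%"):
        print(repr(t), "unsafe:", "error" if query_breaks(db, t) else search_unsafe(db, t),
              "safe:", search_safe(db, t))
```

A stray quote in the term makes the concatenated query fail to parse, which is the symptom a tester sees first; the parameterized query simply returns no matches. A bare `%` term makes the unsafe (and a naively parameterized) search return the whole table, while the escaped version only matches rows that literally contain a percent sign.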

He said ZPanel developers are aware of the vulnerability Slootweg disclosed.

"Basically if you as the ZPanel Administrator install a template which has malicious [code] contained [in] it, it could do some very nasty stuff to your server," he explained. "By default resellers and normal users of ZPanel CAN'T install templates. So the only way your server could be compromised using this vulnerability is by installing a template which has nasty code added by the maker."
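The risk Allen and Andrews describe is that a theme installed by the administrator runs with the control panel's own privileges, so a theme bundle is really a code deployment. One defensive check an administrator can run before installing a third-party theme is to scan the bundle for anything executable. The scanner below is an added example written for this article, not ZPanel code; it assumes ZPanel is a PHP application (so executable content in a theme would be PHP) and uses a constructed set of theme files, and its indicator list is an illustrative starting point rather than a complete one.

```python
import re
from typing import Dict, List, NamedTuple, Pattern, Tuple


class Finding(NamedTuple):
    path: str
    rule: str
    severity: str
    snippet: str


# Indicators that a "theme" carries executable code. Assumed list for the
# example; a real deployment would tune it to the templating syntax in use.
RULES: List[Tuple[str, str, Pattern[str]]] = [
    ("php_open_tag", "high", re.compile(r"<\?(php|=)", re.I)),
    ("dangerous_call", "critical",
     re.compile(r"\b(eval|exec|system|shell_exec|passthru|popen|proc_open|assert)\s*\(", re.I)),
    ("obfuscation", "high", re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("php_extension", "medium", re.compile(r"\.(php|phtml|php[3-7])$", re.I)),
]

# Constructed theme bundles: path -> file contents (placeholder markup, not ZPanel's).
CLEAN_THEME: Dict[str, str] = {
    "theme/header.tpl": "<html><head><title><: $sitename :></title></head>",
    "theme/footer.tpl": "<div id=\"footer\">&copy; <: $year :></div></body></html>",
    "theme/style.css": "body { color: #333; }",
}

SUSPECT_THEME: Dict[str, str] = dict(CLEAN_THEME)
SUSPECT_THEME["theme/extras.php"] = (
    "<?php\n"
    "// constructed example of code hidden in a theme; the string is a placeholder\n"
    "eval(base64_decode('cGxhY2Vob2xkZXI='));\n"
)


def scan_theme(files: Dict[str, str]) -> List[Finding]:
    """Run every rule over every file; path rules check the name, the rest
    check each line so the report can point at the offending line."""
    findings: List[Finding] = []
    for path, content in sorted(files.items()):
        for name, severity, rx in RULES:
            if name == "php_extension":
                if rx.search(path):
                    findings.append(Finding(path, name, severity, path))
                continue
            for lineno, line in enumerate(content.splitlines(), 1):
                if rx.search(line):
                    findings.append(Finding(path, name, severity, f"{lineno}: {line.strip()[:60]}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity for a quick report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def should_block(findings: List[Finding]) -> bool:
    """Policy for this example: any high or critical finding blocks the install."""
    return any(f.severity in ("high", "critical") for f in findings)


if __name__ == "__main__":
    for label, bundle in (("clean", CLEAN_THEME), ("suspect", SUSPECT_THEME)):
        result = scan_theme(bundle)
        print(label, summarize(result), "BLOCK" if should_block(result) else "ok")
        for f in result:
            print("  ", f.severity, f.rule, f.path, f.snippet)
```

The point of the policy is the one Andrews makes: if only an administrator can install templates, the install step is the last place to stop malicious content, so the check belongs there rather than in the renderer. The template placeholders in the clean bundle produce no findings; the PHP file in the suspect bundle is flagged by its extension, its open tag, and the `eval`/`base64_decode` pair.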