Urgently update Exim to 4.92 - there is an active infection

Colleagues who run Exim versions 4.87...4.91 on their mail servers: update to version 4.92 urgently, first stopping Exim itself so you are not hacked through CVE-2019-10149 in the meantime.

Several million servers worldwide are potentially vulnerable; the vulnerability is rated critical (CVSS 3.0 base score = 9.8/10). Attackers can run arbitrary commands on your server, in most cases as root.

Please make sure you are running the fixed version (4.92) or an already patched one.
For the patch that already exists, see the comment thread below.

Update for CentOS 6: see the comment from Theodor - it also works for CentOS 7, if the update has not yet arrived directly from EPEL.

UPD: Ubuntu 18.04 and 18.10 are affected; an update has been released for them. Versions 16.04 and 19.04 are not affected unless custom options were installed on them. More details on the official website.

Information about the problem on Opennet
Information on the Exim website

The described problem is now being actively exploited (by a bot, probably); I noticed an infection on some servers (running 4.91).

Further reading is relevant only to those who have already "got it" - you need to either move everything to a clean VPS with fresh software, or look for a cure. Shall we try? Write if anyone manages to beat this malware.

If you, an Exim user reading this, still have not updated (have not made sure you are on 4.92 or a patched version), please stop and go update.

For those who are already there, let's continue...

UPD: supersmile2009 found a different kind of malware and gives good advice:

There can be different kinds of malware. By applying the cure for the wrong one and deleting the line, the user will not be cured and may not even know what needs to be cured.

The infection can be noticed like this: [kthrotlds] loads the CPU; on a weak VDS it sits at 100%, on servers it is weaker but noticeable.

After infection the malware deletes the cron entries, registering only itself there to run every 4 minutes, and makes the crontab file immutable. crontab -e cannot save changes and gives an error.

The immutable flag can be removed, for example, like this, and then the command line (1.5kb) deleted:

chattr -i /var/spool/cron/root
crontab -e

Next, in the crontab editor (vim), delete the line and save:
dd
:wq

However, some active process writes it back again; I'm figuring out which.

At the same time there are a bunch of active wgets (or curls) hanging on addresses from the dropper script (see below); I kill them like this for now, but they restart:

ps aux | grep 'wge[t]'
ps aux | grep 'cur[l]'
echo "Stopping..."
kill -9 $(ps aux | grep 'wge[t]' | awk '{print $2}')
kill -9 $(ps aux | grep 'cur[l]' | awk '{print $2}')

I found the Trojan dropper script here (CentOS): /usr/local/bin/nptd... I'm not posting it so as not to spread it, but if anyone is infected and reads shell scripts, please study it carefully.

I'll add more as information comes in.

UPD 1: Deleting the files (after a preliminary chattr -i) /etc/cron.d/root, /etc/crontab, rm -Rf /var/spool/cron/root did not help, and neither did stopping the service; for now I have ripped crontab out altogether (renamed the binary).

UPD 2: The Trojan dropper sometimes lies in other places too; searching by size helps:
find / -size 19825c

UPD 3: Caution! Besides disabling selinux, the Trojan also adds its own SSH key to ${sshdir}/authorized_keys! And it enables the following options in /etc/ssh/sshd_config, if they were not already set to yes:
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
UsePAM yes
PasswordAuthentication yes

UPD 4: To sum up for now: stop Exim and cron (root and branch), urgently remove the Trojan's key from ssh and fix the sshd config, restart sshd! And it is still not clear that this will help, but without it there is definitely trouble.
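To check the two things UPD 3 and UPD 4 are about (what sshd will actually enforce, and which keys are in authorized_keys) without editing by eye, here is an added example; it is not code from the post or from the cure script. It reads the stock OpenSSH paths and modifies nothing. One detail worth knowing when auditing: sshd uses the first occurrence of a keyword and ignores later duplicates, so where the malware's line landed in the file decides whether it took effect.

```shell
#!/bin/sh
# Audit of the sshd changes listed in UPD 3. Added example, not the post's
# own code; reads and reports only. Stock OpenSSH paths are assumed.

# Effective value of a directive in sshd_config. sshd takes the FIRST
# occurrence of a keyword and ignores later duplicates: a "PermitRootLogin yes"
# appended at the end changes nothing if an earlier line says "no", while the
# same line inserted at the top wins over everything below it. Keywords are
# case-insensitive. "Match" blocks are conditional and not parsed here; the
# scan stops at the first Match line.
# Usage: sshd_directive /etc/ssh/sshd_config PermitRootLogin
sshd_directive() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print the five directives from UPD 3 with their effective values.
# PermitRootLogin and PasswordAuthentication are flagged when "yes", since
# those two are what a dropped key or a changed password relies on; the
# others are shown for information. Returns 1 if anything was flagged.
# Usage: audit_sshd_config /etc/ssh/sshd_config
audit_sshd_config() {
    rc=0
    for d in PermitRootLogin RSAAuthentication PubkeyAuthentication UsePAM PasswordAuthentication; do
        v=$(sshd_directive "$1" "$d")
        [ -n "$v" ] || v="(not set, sshd default applies)"
        printf '%-24s %s\n' "$d" "$v"
    done
    for d in PermitRootLogin PasswordAuthentication; do
        [ "$(sshd_directive "$1" "$d")" = "yes" ] && { echo "WARN: $d yes"; rc=1; }
    done
    return $rc
}

# One line per key in an authorized_keys file: key type and comment, so an
# unfamiliar entry stands out. Options before the key (e.g. "no-pty,...")
# are skipped; options containing spaces are not handled. For fingerprints
# use: ssh-keygen -lf FILE
# Usage: authorized_keys_summary /root/.ssh/authorized_keys
authorized_keys_summary() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        {
            for (i = 1; i <= NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
            if (i > NF) { printf "key %d: unrecognised line\n", ++n; next }
            comment = ""
            for (j = i + 2; j <= NF; j++) comment = comment (j > i + 2 ? " " : "") $j
            if (comment == "") comment = "(none)"
            printf "key %d: type=%s comment=%s\n", ++n, $i, comment
        }
    ' "$1"
}

# Walk root's and every home directory's authorized_keys, showing the file's
# modification time next to its keys. If sshd_config sets AuthorizedKeysFile
# to something else, check that path too.
audit_authorized_keys() {
    for f in /root/.ssh/authorized_keys /home/*/.ssh/authorized_keys; do
        [ -f "$f" ] || continue
        echo "== $f (modified: $(date -r "$f" '+%F %T' 2>/dev/null)) =="
        authorized_keys_summary "$f"
    done
}
```

`audit_sshd_config /etc/ssh/sshd_config; audit_authorized_keys` gives the picture before you edit; after removing the foreign key and fixing the directives, `sshd -t` validates the file and only then is sshd restarted, as UPD 4 says.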

I moved the important information from the comments about the patch/update to the beginning of the note, so readers start with it.

UPD 5: AnotherDenny writes that the malware changed the passwords in WordPress.

UPD 6: Paulmann prepared a temporary cure, let's try it! After a reboot or shutdown the cure apparently disappears, but for now at least that is something.

Anyone who makes (or finds) a robust solution, please write; you will help a lot of people.

UPD 7: User clsv writes:

If you haven't said it already: the infection rises again thanks to an unsent mail in Exim; when it retries sending the mail, it gets restored. Look in /var/spool/exim4

You can clear the whole Exim queue like this:
exipick -i | xargs exim -Mrm
Check the number of entries in the queue:
exim -bpc

UPD 8: Thanks again for the info, AnotherDenny: FirstVDS have provided a variant of the cure script, let's try it!

UPD 9: Looks like it works, thanks Kirill for the script!

The main thing is not to forget that the server has already been compromised and the attackers could have planted other nasty things (not listed in the dropper).

Therefore it is better to move to a freshly installed server (VDS), or at least keep watching this topic - if anything new turns up, write in the comments here, because obviously not everyone will move to a fresh install...

UPD 10: Thanks again to clsv: he reminds us that not only servers are infected, but also Raspberry Pis and all kinds of virtual machines... So after saving the servers, don't forget to save the set-top boxes, robots, and so on.

UPD 11: From the author of the cure script, an important notice for those curing manually:
(after applying one or another method of fighting this malware)

You definitely need to reboot - the malware sits somewhere in open processes and, accordingly, in memory, and writes itself back into cron every 30 seconds.

UPD 12: supersmile2009 found that Exim had yet another (?) malware in its queue and advises you to study your specific problem first before starting the cure.

UPD 13: lorc advises instead moving to a clean system and transferring files very carefully, because the malware has already been made public and may be used by others in subtler and more dangerous ways.

UPD 14: For those reassuring themselves that smart people don't run it as root - same story, an urgent message from clsv:

Even if it doesn't run as root, the hack happens... I have Debian jessie UPD: stretch on my OrangePi, Exim runs as Debian-exim and the hack still happened, lost the crons, etc.

UPD 15: When moving to a clean server from a compromised one, don't forget about hygiene; a useful reminder from w0den:

When transferring data, pay attention not only to executable or configuration files, but also to anything that could contain malicious commands (for example, in MySQL this could be CREATE TRIGGER or CREATE EVENT). Also, don't forget about .html, .js, .php, .py and other public files (ideally these files, like the rest of the data, should be restored from a local or other trusted backup).

UPD 16: dakkin and saba_ni ran into another problem: the system has one version of Exim installed from ports, but in fact a different one is running.

So everyone, after updating, should make sure you are running the new version!

exim --version

We sorted out their specific situation together.

The server used DirectAdmin and the old da_exim package (an old version, without the vulnerability).

At the same time, via DirectAdmin's custombuild package manager, a newer version of Exim had actually been installed, and that one was already vulnerable.

In this particular situation, updating through custombuild also helped.

Don't forget to make backups before such experiments, and make sure that before/after the update all Exim processes of the old version have been stopped and are not "stuck" in memory.
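`exim --version` on the command line only tells you about the binary on your PATH; the DirectAdmin case above, and an old process left in memory after the package upgrade, are both cases where the daemon actually serving port 25 is a different Exim. The following added example (not code from the post) asks each running exim process which file it was started from and what version that file reports. It assumes Linux (/proc) and that the daemon's process name is exim or exim4; reading /proc/PID/exe for another user's process needs root.

```shell
#!/bin/sh
# Does the Exim that is running match the Exim you updated? Added example,
# not the post's own code. Assumes Linux /proc and a daemon named exim/exim4.

# Dotted version comparison without relying on sort -V: returns 0 if $1 < $2.
# Usage: version_lt 4.91 4.92
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0
            q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0
            if (p > q) exit 1
        }
        exit 1   # equal
    }'
}

# Version number from the first line of "exim --version"
# ("Exim version 4.92 #3 ..."); prints nothing for anything else.
exim_banner_version() {
    printf '%s\n' "$1" | awk '/^Exim version/ { print $3; exit }'
}

# Report the exim on PATH, then every running exim process: which file it
# was started from, and that file's version compared with the fixed one.
# A path ending in "(deleted)" means the file was replaced on disk while the
# old process kept running, exactly the "stuck in memory" case from the post.
# Usage: check_exim [fixed-version]   (default 4.92; returns 1 on any WARN)
check_exim() {
    fixed=${1:-4.92}
    rc=0
    seen=0
    on_path=$(command -v exim 2>/dev/null || command -v exim4 2>/dev/null)
    if [ -n "$on_path" ]; then
        echo "exim on PATH: $on_path version $(exim_banner_version "$("$on_path" --version 2>/dev/null | head -n 1)")"
    fi
    for name in exim exim4; do
        for pid in $(pgrep -x "$name" 2>/dev/null); do
            seen=1
            exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || { echo "WARN pid $pid: cannot read /proc/$pid/exe (run as root)"; rc=1; continue; }
            case "$exe" in
                *" (deleted)")
                    echo "WARN pid $pid runs $exe: replaced on disk, old process still in memory; restart it"
                    rc=1; continue ;;
            esac
            ver=$(exim_banner_version "$("$exe" --version 2>/dev/null | head -n 1)")
            if [ -z "$ver" ]; then
                echo "WARN pid $pid: cannot read the version of $exe"; rc=1
            elif version_lt "$ver" "$fixed"; then
                echo "WARN pid $pid runs $exe version $ver (older than $fixed)"; rc=1
            else
                echo "OK   pid $pid runs $exe version $ver"
            fi
        done
    done
    [ "$seen" -eq 1 ] || echo "no running exim process found (stopped, or a different process name)"
    return $rc
}
```

Run `check_exim` as root after the update and again after the restart; two different paths in its output is the DirectAdmin situation, and a "(deleted)" path is the old binary still serving mail.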

source: www.habr.com
