Colleagues running Exim versions 4.87...4.91 on their mail servers: update urgently to version 4.92, stopping Exim itself first to avoid being hacked via CVE-2019-10149.
Several million servers worldwide are potentially vulnerable; the vulnerability is rated critical (CVSS 3.0 base score = 9.8/10). Attackers can run arbitrary commands on your server, in many cases as root.
Please make sure you are running the fixed version (4.92) or one that has already been patched.
Or patch the existing one, see the thread
Update for CentOS 6: see
UPD: Ubuntu 18.04 and 18.10 are affected, updates have been released for them. Versions 16.04 and 19.04 are not affected unless custom build options were installed on them. More details
The described problem is now being actively exploited (by a bot, most likely); I noticed infections on several servers (running 4.91).
Further reading is relevant only for those who have already "got it": you need to either move everything to a clean VPS with fresh software, or look for a cure. Shall we try? Write if anyone manages to beat this malware.
If you, being an Exim user and reading this, still haven't updated (haven't made sure you have 4.92 or a patched version), please stop and go update.
For those who have already arrived, let's continue...
UPD:
There may be several variants of the malware. By applying the cure for the wrong one and deleting the lines, a user will not be cured and will probably not know what else should be done.
The infection can be noticed as follows: [kthrotlds] loads the CPU; on a weak VDS it sits at 100%, on real servers the load is lower but noticeable.
After infection, the malware deletes the cron entries, registers only itself there to run every 4 minutes, and makes the crontab file immutable. crontab -e cannot save changes and gives an error.
The immutable attribute can be removed, for example, like this, and then the command line (1.5kb) deleted:
chattr -i /var/spool/cron/root
crontab -e
Next, in the crontab editor (vim), delete the line and save:
dd
:wq
However, some active process rewrites it again; I'm looking into it.
At the same time, there is a bunch of active wgets (or curls) hanging on addresses from the installer script (see below). I'm killing them like this for now, but they restart:
ps aux | grep wge[t]
ps aux | grep cur[l]
echo "Stopping..."
kill -9 `ps aux | grep wge[t] | awk '{print $2}'`
kill -9 `ps aux | grep cur[l] | awk '{print $2}'`
I found the trojan's installer script here (centos): /usr/local/bin/nptd... I'm not posting it, so as not to spread it, but if anyone is infected and understands shell scripts, please study it carefully.
I'll add more as information comes in.
UPD 1: Deleting the files (after a preliminary chattr -i) /etc/cron.d/root, /etc/crontab, rm -Rf /var/spool/cron/root didn't help, and neither did stopping the service; for now I tore crontab out entirely (renamed the binary).
UPD 2: The trojan installer sometimes lies in other places too; searching by size helps:
find / -size 19825c
UPD 3: Attention! Besides disabling selinux, the trojan also adds its own SSH key to ${sshdir}/authorized_keys! And it enables the following directives in /etc/ssh/sshd_config, if they aren't already set to yes:
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
UsePAM yes
PasswordAuthentication yes
UPD 4: To summarize for now: stop Exim and cron (as root), urgently remove the trojan's key from ssh and fix the sshd config, then restart sshd! It's still not clear that this will help, but without it there's definitely trouble.
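A script to check the two persistence points described above, added here as an example (it is not from the original post): it reports the sshd_config directives from the list that are set to yes, and compares authorized_keys against a known-good copy. File paths are arguments and the demo data is constructed; on a real host point it at /etc/ssh/sshd_config and the ${sshdir}/authorized_keys you manage.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh and awk only.

# Prints every directive from the post's list whose first uncommented value is
# "yes" and returns how many were found (0 = none). PubkeyAuthentication and
# UsePAM are "yes" on many healthy hosts, so compare against your own baseline.
audit_sshd_config() {
    cfg="$1"
    hits=0
    for key in PermitRootLogin RSAAuthentication PubkeyAuthentication UsePAM PasswordAuthentication; do
        # sshd applies the first occurrence of a directive; "#Key" lines never match
        val=$(awk -v k="$key" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$cfg")
        if [ "$val" = "yes" ]; then
            echo "suspicious: $key yes in $cfg"
            hits=$((hits + 1))
        fi
    done
    return $hits
}

# Prints lines of the current authorized_keys ($1) whose key material is absent
# from the known-good copy ($2). Key material is the field starting with "AAAA",
# so options such as command="..." in front of a planted key do not hide it.
# Returns 1 if at least one foreign key is present, 0 otherwise.
foreign_keys() {
    awk '
      function keymat(   i) { for (i = 1; i <= NF; i++) if ($i ~ /^AAAA/) return $i; return "" }
      FILENAME == ARGV[1] { k = keymat(); if (k != "") good[k] = 1; next }
      /^[ \t]*(#|$)/ { next }
      { k = keymat(); if (k == "" || !(k in good)) { print "foreign key: " $0; found = 1 } }
      END { exit found ? 1 : 0 }' "$2" "$1"
}

# Offline demo on constructed files (key strings are placeholders, not real keys).
demo() {
    d=$(mktemp -d)
    printf '#PermitRootLogin prohibit-password\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$d/sshd_config"
    printf 'ssh-ed25519 AAAAC3_constructed_admin_key admin@host\n' > "$d/keys.good"
    printf 'ssh-ed25519 AAAAC3_constructed_admin_key admin@host\nssh-rsa AAAAB3_constructed_unknown root@x\n' > "$d/keys"
    audit_sshd_config "$d/sshd_config"
    foreign_keys "$d/keys" "$d/keys.good"
    rm -rf "$d"
}

# Run as `sh audit.sh demo` to exercise the functions on the constructed sample.
[ "${1:-}" = "demo" ] && demo
```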
I moved the important information from the comments about patches/updates to the beginning of the note, so readers start with it.
UPD 5:
UPD 6:
Anyone who has found (or worked out) a working solution, please write, you'll help a lot of people.
UPD 7:
If you haven't already guessed: the infection arose thanks to an unsent message sitting in the Exim queue; when sending is retried, the message is restored. Look in /var/spool/exim4
You can purge the entire Exim queue like this:
exipick -i | xargs exim -Mrm
Check the number of entries in the queue:
exim -bpc
UPD 8: Again
UPD 9: Seems to work, thanks
The main thing is not to forget that the server has already been compromised and the attackers could have planted other nasty things (not listed in the dropper).
Therefore it is better to move to a completely freshly installed server (vds), or at least keep watching the matter; if something new appears, write in the comments here, since obviously not everyone will move to a fresh install...
UPD 10: Thanks also
UPD 11: From
(after applying one or another method of fighting this malware)
You definitely need to reboot: the malware lives somewhere among the running processes and, accordingly, in memory, and rewrites itself into cron every 30 seconds.
UPD 12:
UPD 13:
UPD 14: for those reassuring themselves that the clever ones don't run it as root: same thing
Even if it doesn't run as root, the hack still happens... I have Debian jessie UPD: stretch on my OrangePi, Exim runs as Debian-exim and the hack still happened, cron got wiped, etc.
UPD 15: When moving to a clean server from a compromised one, don't forget about hygiene,
When transferring data, pay attention not only to executable or configuration files, but also to anything that may contain malicious commands (for example, in MySQL this could be CREATE TRIGGER or CREATE EVENT). Also, don't forget about .html, .js, .php, .py and other public files (ideally these files, like the rest of the data, should be restored from a copy kept at home or in another trusted repository).
UPD 16:
So everyone, after updating, should make sure they are actually running the new version!
exim --version
We solved one specific situation together.
The server used DirectAdmin and an old da_exim package (old version, without the vulnerability).
At the same time, through DirectAdmin's custombuild package manager, a newer version of Exim had in fact been installed, which was already vulnerable.
In that particular case, updating via custombuild also helped.
Don't forget to make backups before such experiments, and make sure that before/after the update all Exim processes of the old version
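A check for the version banner, added as an example (not from the post or the Exim project): it parses the first line of exim --version output and tells whether the version falls inside the 4.87...4.91 range named at the top. The banner is passed as a string so the functions can be tried offline on constructed input; a distro backport can carry the fix while still reporting an old number, so treat a hit as "check your vendor advisory", not as proof.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes POSIX sh and sed only.
# On a real host: exim_in_vulnerable_range "$(exim --version 2>/dev/null | head -n 1)"

# Extracts "major.minor" from a banner like "Exim version 4.91 #1 built 01-Jun-2019".
# Prints nothing if the line does not look like an Exim version banner.
exim_version_of() {
    printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Returns 0 when the version is within 4.87..4.91 inclusive (the range the post
# calls vulnerable), 1 when it is outside that range, and 2 when no version
# could be parsed, which should be treated as "inspect manually".
# Note: distro packages may backport the fix without bumping this number.
exim_in_vulnerable_range() {
    v=$(exim_version_of "$1")
    [ -n "$v" ] || return 2
    major=${v%%.*}
    minor=${v#*.}
    [ "$major" -eq 4 ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ] && return 0
    return 1
}

# Constructed banners for an offline run; the dates are placeholders.
for banner in 'Exim version 4.91 #1 built 01-Jun-2019' 'Exim version 4.92 #3 built 10-Jun-2019'; do
    if exim_in_vulnerable_range "$banner"; then
        echo "VULNERABLE RANGE: $banner"
    else
        echo "outside range (rc=$?): $banner"
    fi
done
```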
source: www.habr.com