Anyone running Exim versions 4.87 through 4.91 on their mail servers: update urgently to version 4.92, stopping Exim first so that it is not compromised through CVE-2019-10149 in the meantime.
Several million servers worldwide are potentially affected; the vulnerability is rated critical (CVSS 3.0 base score 9.8/10). Attackers can run commands on your server, in many cases as root.
Please make sure you are running a fixed version (4.92) or one that has already been patched.
Or patch the existing one yourself, see the comments.
Update for CentOS 6: see here.
UPD: Ubuntu 18.04 and 18.10 are affected, and updates have been released for them. Versions 16.04 and 19.04 are not affected unless non-default options were configured on them. More details.
The problem is now reported as being actively exploited (by a bot, apparently); I have seen infection on several servers (running 4.91).
What follows is only relevant to those who have already been "hit": you either have to move everything to a clean VPS with up-to-date software, or look for a solution. Shall we try? Write if anyone manages to defeat this malware.
If you are an Exim user reading this and still have not updated (have not verified that 4.92 or a patched version is installed), please stop and go update.
For those already affected, let's continue...
Update:
There are many variants of this malware. If you just apply the fix published for one variant and delete the cron lines, the server will not be cured and you will not know what else needs to be cleaned.
The infection looks like this: a process named [kthrotlds] loads the CPU; on a weak VDS it sits at 100%, on bigger servers the load is lower but still noticeable.
After infection the malware removes the existing cron entries, registers only itself there to run every 4 minutes, and makes the crontab file immutable. crontab -e can then no longer save changes and reports an error.
The immutable attribute can be removed, for example, like this, after which the malicious command line (about 1.5 KB long) is deleted:
chattr -i /var/spool/cron/root
crontab -e
Then, in the crontab editor (vim), delete the line and save: dd
:wq
However, some active process rewrites it again; I'm still figuring out which one.
At the same time, groups of active wget (or curl) processes hang on the addresses from the installer script (see below). For now I'm killing them like this, but they start again:
ps aux | grep wge[t]
ps aux | grep cur[l]
echo "Stopping..."
kill -9 `ps aux | grep wge[t] | awk '{print $2}'`
kill -9 `ps aux | grep cur[l] | awk '{print $2}'`
I found the Trojan's installer script here (CentOS): /usr/local/bin/nptd... I'm not publishing it, to avoid spreading it, but if anyone is infected and understands shell scripts, please study it further.
I'll add more as the information is updated.
UPD 1: Deleting the files /etc/cron.d/root and /etc/crontab (after chattr -i) and rm -Rf /var/spool/cron/root does not help, nor does stopping the service. For now I had to kill crontab itself outright by breaking it (renaming the binary).
UPD 2: The Trojan's installer is sometimes hidden somewhere else; searching by file size helped:
find / -size 19825c
UPD 3: Careful! In addition to disabling selinux, the Trojan also adds its own SSH key to ${sshdir}/authorized_keys! It also sets the following directives in /etc/ssh/sshd_config if they were not already set to yes:
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
UsePAM yes
PasswordAuthentication yes
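Because the sshd changes above are silent, it helps to have a check that compares the live sshd_config against a known-good copy and flags authorized_keys entries you did not put there. The script below is an added example of my own (not from the post): it assumes you still have a trusted copy of sshd_config (a backup or a configuration-management template) and a file of known public keys; the sample files and placeholder keys are constructed for the demo.

```sh
#!/bin/sh
# sshd_config and authorized_keys audit (added example, not part of the original post).

# Effective value of a directive: sshd uses the FIRST occurrence, and we stop at the
# first Match block because anything below it applies conditionally.
sshd_effective() {
  awk -v key="$2" '
    /^[[:space:]]*[Mm]atch[[:space:]]/ { exit }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# Print "Directive baseline -> current" for each directive whose effective value changed.
sshd_config_drift() {
  baseline="$1"; current="$2"; shift 2
  for d in "$@"; do
    want=$(sshd_effective "$baseline" "$d")
    have=$(sshd_effective "$current" "$d")
    [ "$want" = "$have" ] || printf '%s %s -> %s\n' "$d" "${want:-<default>}" "${have:-<default>}"
  done
  return 0
}

# Extract the base64 key material from key lines, skipping any options prefix
# (options containing spaces inside quotes are not handled by this simple split).
key_blobs() {
  awk '!/^[[:space:]]*(#|$)/ {
    for (i = 1; i < NF; i++) if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); break }
  }' "$1"
}

# Print key blobs present in authorized_keys ($1) but absent from the allowlist ($2).
unknown_authorized_keys() {
  known=$(mktemp)
  key_blobs "$2" | sort -u > "$known"
  key_blobs "$1" | sort -u | comm -23 - "$known"
  rm -f "$known"
}

demo() {
  d=$(mktemp -d)
  # Constructed files: a baseline and a config carrying the changes listed in the post.
  printf '%s\n' 'PermitRootLogin prohibit-password' 'PasswordAuthentication no' 'UsePAM yes' \
    > "$d/sshd_config.baseline"
  printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication yes' 'PubkeyAuthentication yes' 'UsePAM yes' \
    > "$d/sshd_config"
  printf '%s\n' 'ssh-ed25519 AAAAC3KnownKeyPlaceholder admin@example.invalid' > "$d/known_keys"
  printf '%s\n' 'ssh-ed25519 AAAAC3KnownKeyPlaceholder admin@example.invalid' \
                'ssh-rsa AAAAB3UnknownKeyPlaceholder' > "$d/authorized_keys"
  echo "sshd_config drift:"
  sshd_config_drift "$d/sshd_config.baseline" "$d/sshd_config" \
    PermitRootLogin PasswordAuthentication PubkeyAuthentication UsePAM
  echo "unknown keys in authorized_keys:"
  unknown_authorized_keys "$d/authorized_keys" "$d/known_keys"
  rm -rf "$d"
}
demo
```

On a real server run the drift check against /etc/ssh/sshd_config and the key check against every authorized_keys file (root's and those of any account that can sudo), then restart sshd after restoring the config.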
UPD 4: To sum up for now: stop Exim and cron (as root), remove the Trojan's key from authorized_keys and restore the sshd config, then restart sshd! It is still not certain that this will help, but without it you definitely have a problem.
I have moved the key information from the comments / updates to the beginning of the article, so that readers start with it.
UPD 5:
UPD 6:
Whoever finds (or builds) a reliable solution, please write, you will help a lot.
UPD 7:
In case you had not noticed yet: the infection is resurrected by the unsent message still sitting in the Exim queue. When Exim retries delivering it, the infection comes back. Look in /var/spool/exim4.
You can clear the entire Exim queue like this:
exipick -i | xargs exim -Mrm
Check the number of messages in the queue:
exim -bpc
UPD 8:
UPD 9: It seems to work, thanks
The most important thing is not to forget that the server has already been compromised and the attackers could have planted something else (not listed in the dropper).
So it is better to move to a completely new server (VDS), or at least keep following this topic. If something new turns up, write in the comments here, because obviously not everyone is going to move to a fresh installation...
UPD 10: Thanks again
UPD 11: From
(after applying one method or another against this malware)
Your server must be rebooted: the malware lives in running processes and therefore in memory, and writes itself into cron again every 30 seconds.
UPD 12:
UPD 13:
UPD 14: for those who say that sensible people don't run it as root, one more:
Even though it is not running as root, the compromise still happens... I have Debian jessie (UPD: stretch) on my OrangePi, Exim runs as Debian-exim and the compromise still happened, crons dropped, etc.
UPD 15: when moving to a clean place after the compromise, don't forget about hygiene during the migration.
When transferring data, be careful not only with executable or configuration files, but with anything that may contain malicious commands (in MySQL, for example, this could be CREATE TRIGGER or CREATE EVENT). Also don't forget about .html, .js, .php, .py and other public files (ideally these files, like all the others, should be restored from a local or other trusted copy).
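Two small helpers for the migration hygiene described above, as an added example of my own (not from the post): the first scans a MySQL dump for statements that install stored code (the CREATE TRIGGER and CREATE EVENT the post names, plus stored routines for the same reason), the second lists files in a live web root that are missing from, or differ from, a trusted backup copy, so you know exactly which .php/.js/.html files to look at rather than copying the whole tree. File names and sample contents are constructed for the demo.

```sh
#!/bin/sh
# Migration hygiene helpers (added example, not part of the original post).

# Print "line:statement" for CREATE TRIGGER / EVENT / PROCEDURE / FUNCTION in dump $1,
# with or without a DEFINER clause, case-insensitively.
sql_stored_code() {
  grep -niE '^[[:space:]]*CREATE[[:space:]]+(DEFINER[[:space:]]*=[[:space:]]*[^[:space:]]+[[:space:]]+)?(TRIGGER|EVENT|PROCEDURE|FUNCTION)([[:space:]]|$)' "$1" || true
}

# Relative paths of files under LIVE ($2) that are missing from, or differ from, BACKUP ($1).
# Output lines start with "added" or "changed".
changed_files() {
  backup="$1"; live="$2"
  ( cd "$live" && find . -type f ) | sort | while IFS= read -r rel; do
    rel="${rel#./}"
    if [ ! -f "$backup/$rel" ]; then
      printf 'added   %s\n' "$rel"
    elif ! cmp -s "$backup/$rel" "$live/$rel"; then
      printf 'changed %s\n' "$rel"
    fi
  done
  return 0
}

demo() {
  d=$(mktemp -d)
  mkdir -p "$d/backup/js" "$d/live/js"
  # Constructed dump: one harmless table plus an event and a trigger.
  printf '%s\n' \
    'CREATE TABLE users (id INT);' \
    'CREATE DEFINER=`root`@`localhost` EVENT nightly ON SCHEDULE EVERY 1 DAY DO CALL cleanup();' \
    'CREATE TRIGGER audit_ins AFTER INSERT ON users FOR EACH ROW SET @x = 1;' \
    > "$d/dump.sql"
  # Constructed web roots: app.js unchanged, index.html appeared only on the live host.
  echo 'console.log("site")' > "$d/backup/js/app.js"
  echo 'console.log("site")' > "$d/live/js/app.js"
  echo '<html>placeholder</html>' > "$d/live/index.html"
  echo "stored code in the dump:"; sql_stored_code "$d/dump.sql"
  echo "live files not matching the backup:"; changed_files "$d/backup" "$d/live"
  rm -rf "$d"
}
demo
```

Review every line the dump scan reports before importing the dump on the new server, and restore the files the second check lists from the trusted copy instead of carrying the live versions over.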
UPD 16:
So, everyone: after updating, make sure that you are actually running the new version!
exim --version
An interesting special case that we worked out together:
The server uses DirectAdmin and its old da_exim package (an old version that is not vulnerable).
At the same time, DirectAdmin's custombuild package manager had in fact installed a newer version of Exim, which did have the vulnerability.
In this particular case, updating via custombuild also helped.
Don't forget to make a backup before this experiment, and also check before and after the update that no Exim processes of the old version are still running.
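To make the two checks above (the version is 4.92 or later, and no old Exim process is still running) scriptable, here is an added example of my own, not code from the post. It assumes exim --version starts with a line of the form "Exim version 4.92 #N built ...", as it does on Debian and CentOS builds, and it uses the Linux /proc/PID/exe link, which ends in "(deleted)" when a running process's binary has been replaced on disk, to spot daemons that were not restarted after the update.

```sh
#!/bin/sh
# Verify the Exim update (added example, not part of the original post).

# Extract the version number from a line such as "Exim version 4.92 #3 built 25-Jun-2019".
exim_version_from() {
  printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# version_ge A B: exit 0 when dotted version A >= B (numeric, component by component).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= (n > m ? n : m); i++) {
      p = (i <= n) ? x[i] + 0 : 0
      q = (i <= m) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0
  }'
}

# exim_version_fixed OUTPUT: exit 0 if the version in OUTPUT is 4.92 or later.
# Caveat: a distribution that backports the fix keeps the old number (a patched 4.91),
# so for those check the package changelog instead of relying on this alone.
exim_version_fixed() {
  v=$(exim_version_from "$1")
  [ -n "$v" ] && version_ge "$v" 4.92
}

# Report "PID name" for exim processes whose executable was replaced after they
# started; the /proc/PID/exe link then ends in "(deleted)". Linux only, and reading
# other users' /proc entries needs root.
stale_exim_processes() {
  for p in /proc/[0-9]*; do
    [ -r "$p/comm" ] || continue
    case "$(cat "$p/comm" 2>/dev/null)" in exim*) ;; *) continue ;; esac
    case "$(readlink "$p/exe" 2>/dev/null)" in
      *"(deleted)"*) printf '%s %s\n' "${p#/proc/}" "$(cat "$p/comm")" ;;
    esac
  done
  return 0
}

# Check the local exim when present, otherwise a constructed sample version line.
main() {
  if command -v exim >/dev/null 2>&1; then
    out=$(exim --version 2>/dev/null | head -n 1)
  else
    out='Exim version 4.91 #1 built 01-Jan-2019'   # constructed sample output
  fi
  if exim_version_fixed "$out"; then
    echo "OK: $out"
  else
    echo "NOT FIXED: $out"
  fi
  echo "exim processes running a replaced binary:"
  stale_exim_processes
}
main
```

If the process check lists anything, restart Exim (and, after a DirectAdmin custombuild update, confirm that the binary in PATH is the rebuilt one and not the old da_exim copy).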
Source: www.hab.com