Urgently update Exim to 4.92 - active infection is under way

Colleagues who run Exim versions 4.87...4.91 on their mail servers: urgently update to version 4.92, having first stopped Exim itself so as not to be hacked via CVE-2019-10149.

Several million servers worldwide are potentially vulnerable; the vulnerability is rated critical (CVSS 3.0 base score = 9.8/10). Attackers can run arbitrary commands on your server, in many cases as root.

Please make sure you are running a fixed version (4.92) or one that has already been patched.
Or patch the existing one; see the comment thread.

Update for centos 6: see Theodor's comment - it also works for centos 7, if it has not yet arrived directly from epel.

UPD: Ubuntu 18.04 and 18.10 are affected, and updates have been released for them. Versions 16.04 and 19.04 are not affected unless custom options were installed on them. More details on their official site.

More details on the problem at Opennet
More details on the Exim site

The problem described there is now being actively exploited (by a bot, presumably); I noticed an infection on some servers (running 4.91).

Further reading is relevant only for those who have "already got it": you need to either move everything to a clean VPS with fresh software, or look for a solution. Shall we try? Write in if anyone manages to beat this malware.

If you are an Exim user reading this and have still not updated (have not verified that 4.92 or a patched version is in place), please stop and run to update.

For those who have already been hit, let's continue...

UPD: supersmile2009 found another variety of malware and gives the right advice:

There can be a great many varieties of malware. By starting the wrong treatment and clearing the queue, the user will not be cured and may not find out what they needed to be treated for.

The infection shows up like this: [kthrotlds] loads the processor; on a weak VDS it is 100%, on servers it is weaker but noticeable.

After infection, the malware deletes the cron entries, registers only itself there to run every 4 minutes, and makes the crontab file immutable. crontab -e cannot save changes and gives an error.

The immutable flag can be removed, for example, like this, and then the command line (1.5kb) deleted:

chattr -i /var/spool/cron/root
crontab -e

Then, in the crontab editor (vim), delete the line and save:
dd
:wq

However, some of the active processes overwrite it again; I am figuring it out.

At the same time, there is a bunch of active wgets (or curls) hanging on the addresses from the installer script (see below); for now I knock them down like this, but they start again:

ps aux | grep wge[t]
ps aux | grep cur[l]
echo "Stopping..."
kill -9 `ps aux | grep wge[t] | awk '{print $2}'`
kill -9 `ps aux | grep cur[l] | awk '{print $2}'`

I found the Trojan installer script here (centos): /usr/local/bin/nptd... I am not posting it, as a precaution, but if anyone is infected and understands shell scripts, please study it carefully.

I will add more as information is updated.

UPD 1: Deleting the files (with a preliminary chattr -i) /etc/cron.d/root, /etc/crontab, rm -Rf /var/spool/cron/root did not help, nor did stopping the service - for now I had to remove crontab completely (rename the bin file).

UPD 2: The Trojan installer was sometimes also lying in other places; searching by size helped:
find / -size 19825c

UPD 3: Attention! In addition to disabling selinux, the Trojan also adds its own SSH key to ${sshdir}/authorized_keys! And it enables the following parameters in /etc/ssh/sshd_config, if they were not already set to YES:
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
echo UsePAM yes
PasswordAuthentication yes

UPD 4: To summarize for now: disable Exim, cron (roots and all), urgently remove the Trojan key from ssh and edit the sshd config, restart sshd! And it is not yet clear that this will help, but without it there is trouble.
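
A read-only triage sketch for two of the checks above (the affected version range and the sshd_config directives), added here as an example and not taken from the original post or from any of the cure scripts it mentions. The function names are hypothetical, the "Exim version X.YY" banner format is an assumption, and only the global section of sshd_config is examined.

```shell
#!/bin/sh
# Added triage helpers (not from the original post); all function names are hypothetical.

# Read `exim --version` output on stdin and print the version number.
# Assumption: the banner's first line starts with "Exim version X.YY".
exim_version_from_banner() {
    sed -n 's/^Exim version \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Exit 0 if version $1 is in the affected range 4.87..4.91 named in the post.
exim_is_affected() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}
    [ "$major" = 4 ] && [ -n "$minor" ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]
}

# For each directive the post lists, print "keyword<TAB>effective value<TAB>note".
# sshd honours the FIRST occurrence of a keyword, so a "yes" appended after an
# earlier "no" is inert, but it is still evidence that the file was tampered with.
# Assumption: only the global section (before any Match block) is examined.
sshd_audit() {
    awk '
        BEGIN { n = split("permitrootlogin rsaauthentication pubkeyauthentication usepam passwordauthentication", w, " ")
                for (i = 1; i <= n; i++) watch[w[i]] = 1 }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        {
            k = tolower($1); v = tolower($2)
            if (!(k in watch)) next
            if (!(k in first)) { first[k] = v; order[++m] = k }
            else if (v == "yes" && first[k] != "yes") late[k] = 1
        }
        END { for (i = 1; i <= m; i++) { k = order[i]
                  printf "%s\t%s\t%s\n", k, first[k], ((k in late) ? "later-yes-appended" : "-") } }
    ' "$1"
}

# Constructed sample: a hardened config with two lines appended at the end.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' 'UsePAM yes' \
    'PermitRootLogin yes' 'PasswordAuthentication yes' > "$sample"
sshd_audit "$sample"
ver=$(printf 'Exim version 4.91 #1 built (constructed)\n' | exim_version_from_banner)
exim_is_affected "$ver" && echo "Exim $ver: affected (4.87..4.91)"
```

On a real host, pipe `exim --version` into `exim_version_from_banner` and point `sshd_audit` at /etc/ssh/sshd_config; a directive that is already "yes" on its first occurrence may simply be the distribution default, so compare against a known-good copy.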

I moved the important information from the comments about patches/updates to the beginning of the note, so that readers start with it.

UPD 5: AnotherDenny writes that the malware changed passwords in WordPress.

UPD 6: Paulmann prepared a temporary cure, let's test it! After a reboot or shutdown the cure seems to wear off, but for now that is how it is.

Anyone who makes (or finds) a stable solution, please write; you will help many.

UPD 7: User clsv writes:

If it has not been said already: the virus is resurrected thanks to an unsent message in Exim; on the retry to send the message it gets restored. Look in /var/spool/exim4

You can clear the entire Exim queue like this:
exipick -i | xargs exim -Mrm
Checking the number of entries in the queue:
exim -bpc

UPD 8: Thanks again for the information, AnotherDenny: FirstVDS offered their version of a cure script, let's test it!

UPD 9: It looks like it works, thanks to Kirill for the script!

The main thing is not to forget that the server was already compromised and the attackers could have planted some other nasty things (not listed in the dropper).

So it is better to move to a completely freshly installed server (vds), or at least keep following the topic - if there is anything new, write in the comments here, because obviously not everyone will move to a fresh install...

UPD 10: Thanks again, clsv: he reminds us that not only servers get infected, but also Raspberry Pi and all kinds of virtual machines... So after saving the servers, do not forget to save your video devices, robots, and so on.

UPD 11: From the author of the cure script, an important note for those treating by hand:
(after applying one or another method of fighting this malware)

You definitely need to reboot - the malware sits somewhere in open processes and, accordingly, in memory, and writes itself anew to cron every 30 seconds.

UPD 12: supersmile2009 found that Exim has another(?) malware in its queue and advises you to first study your specific problem before starting treatment.

UPD 13: lorc advises instead moving to a clean system and transferring files extremely carefully, because this is already publicly available and can be used in other, less obvious and more dangerous ways.

UPD 14: for those reassuring themselves that smart people do not run it as root, one more urgent message from clsv:

Even if it does not run as root, the hack happens... I have debian jessie UPD: stretch on my OrangePi, Exim runs as Debian-exim and the hack still happened, crons were lost, and so on.

UPD 15: when moving to a clean server from a compromised one, do not forget about hygiene; a useful reminder from w0den:

When transferring data, pay attention not only to executable or configuration files, but also to anything that may contain malicious commands (for example, in MySQL this could be CREATE TRIGGER or CREATE EVENT). Also, do not forget about .html, .js, .php, .py and other public files (ideally these files, like other data, should be restored from local or other trusted storage).

UPD 16: tsiku and wankhanza_ine ran into another problem: the system had one version of Exim installed in ports, but in reality a different one was running.

So everyone, after updating, should make sure that you are actually running the new version!

exim --version

We sorted out their specific situation together.

The server used DirectAdmin and its old da_exim package (old version, without the vulnerability).

At the same time, with the help of DirectAdmin's custombuild package manager, a newer version of Exim had in fact been installed, which was already vulnerable.

In this particular situation, updating via custombuild also helped.

Do not forget to make backups before such experiments, and also make sure that before/after the update all old Exim processes have been stopped and are not "stuck" in memory.

Source: www.habr.com
