Mass attack on unpatched Exim-based mail servers

Security researchers at Cybereason have warned mail server administrators about the discovery of a massive automated attack that exploits the critical vulnerability (CVE-2019-10149) in Exim identified last week. During the attack, the attackers achieve execution of their code with root privileges and install malware on the server for mining cryptocurrencies.

According to the June automated survey, Exim's share is 57.05% (a year ago 56.56%), Postfix is used on 34.52% (33.79%) of mail servers, Sendmail on 4.05% (4.59%), and Microsoft Exchange on 0.57% (0.85%). According to data from the Shodan service, more than 3.6 million mail servers on the global network that have not been updated to the latest release, Exim 4.92, remain potentially vulnerable. About 2 million potentially vulnerable servers are located in the United States and 192 thousand in Russia. According to RiskIQ, 70% of servers running Exim have already switched to version 4.92.


Administrators are advised to urgently install the updates that distributions prepared last week (Debian, Ubuntu, openSUSE, Arch Linux, Fedora, EPEL for RHEL/CentOS). If the system runs a vulnerable version of Exim (from 4.87 to 4.91 inclusive), you should make sure the system has not already been compromised by checking crontab for suspicious entries and verifying that no additional keys have appeared in the /root/.ssh directory. An attack may also be indicated by firewall log entries for the hosts an7kmd2wp4xo7hpr.tor2web.su, an7kmd2wp4xo7hpr.tor2web.io and an7kmd2wp4xo7hpr.onion.sh, which are used to download the malware.

The first attempts to attack Exim servers were recorded on June 9. By June 13 the attacks had taken on a mass character. After the vulnerability is exploited through tor2web gateways, a script is downloaded from a Tor hidden service (an7kmd2wp4xo7hpr) that checks whether OpenSSH is present (installing it if not), changes its settings (enabling root login and key authentication), and installs an RSA key for the root user, which provides privileged access to the system over SSH.

After the backdoor is installed, a port scanner is placed on the system to identify other vulnerable servers. The system is also searched for existing mining software, which is removed if found. Finally, the attacker's own miner is downloaded and registered in crontab. The miner is downloaded under the guise of an ico file (actually a zip archive with the password "no-password") containing an executable in ELF format for Linux with Glibc 2.7+.
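The article's advice (check crontab, check /root/.ssh for extra keys, look for the tor2web/onion hosts in firewall logs) and its description of the sshd_config change (root login and key authentication enabled) translate into a small read-only triage script. The script below is an added example written for this page; it is not code from the article, from Cybereason or from the Exim project. The log and cron file paths it walks are assumptions for a typical Linux host, the indicator hostnames are the ones quoted in the article, and the cron heuristics are deliberately generic (fetch-and-run pipelines, scratch-directory binaries, base64 decoding).

```shell
#!/bin/sh
# Added triage helper (not from the article): read-only checks for the traces
# the article describes. Paths in triage_host are assumptions for a Linux host.

# 1) Firewall / network logs: how many lines name one of the indicator hosts
#    listed in the article. Prints 0 when there are no hits.
count_ioc_lines() {
    grep -c -F \
        -e an7kmd2wp4xo7hpr.tor2web.su \
        -e an7kmd2wp4xo7hpr.tor2web.io \
        -e an7kmd2wp4xo7hpr.onion.sh \
        -- "$1" 2>/dev/null || true
}

# 2) Cron: print entries that reference the indicator onion name, pipe a
#    download straight into a shell, run something from a scratch directory,
#    or decode base64 payloads. Comment and blank lines are skipped.
suspicious_cron_lines() {
    grep -v -E '^[[:space:]]*(#|$)' -- "$1" 2>/dev/null | grep -E \
        -e 'an7kmd2wp4xo7hpr' \
        -e '(curl|wget)[^|]*[|][[:space:]]*(ba)?sh' \
        -e '(^|[[:space:]])(/tmp|/var/tmp|/dev/shm)/' \
        -e 'base64[[:space:]]+(-d|--decode)' || true
}

# 3) SSH keys: number of active (non-comment, non-blank) lines in an
#    authorized_keys file. Every line counted here should be one you recognise.
count_authorized_keys() {
    grep -c -v -E '^[[:space:]]*(#|$)' -- "$1" 2>/dev/null || true
}

# 4) sshd_config: effective global PermitRootLogin. sshd keeps the FIRST value
#    it reads for a keyword, and directives after the first Match block are
#    conditional, so we stop at either point. "unset" means the compiled-in
#    default applies (prohibit-password on OpenSSH 7.0 and later).
permit_root_login() {
    v=$(awk 'tolower($1)=="match"{exit}
             tolower($1)=="permitrootlogin"{print tolower($2); exit}' "$1" 2>/dev/null)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# Run every check against the live host (run as root so /root/.ssh and the
# logs are readable). File locations below are assumptions.
triage_host() {
    for f in /var/log/syslog /var/log/messages /var/log/kern.log /var/log/ufw.log; do
        [ -r "$f" ] && printf '%s: %s indicator hit(s)\n' "$f" "$(count_ioc_lines "$f")"
    done
    for f in /etc/crontab /var/spool/cron/crontabs/root /var/spool/cron/root /etc/cron.d/*; do
        [ -r "$f" ] && { printf 'Suspicious entries in %s:\n' "$f"; suspicious_cron_lines "$f"; }
    done
    for f in /root/.ssh/authorized_keys /root/.ssh/authorized_keys2; do
        [ -r "$f" ] && printf '%s: %s key line(s), review each one\n' "$f" "$(count_authorized_keys "$f")"
    done
    printf 'PermitRootLogin (global): %s\n' "$(permit_root_login /etc/ssh/sshd_config)"
}

# Only touch the live host when asked explicitly (sh triage.sh --run), so the
# functions can also be sourced and pointed at copied-off files.
case "${1:-}" in --run) triage_host ;; esac
```

Hits from any of these checks are a reason to treat the host as compromised rather than to clean it in place: the article describes the backdoor being installed before the miner, so a clean-looking crontab after a positive firewall-log hit still warrants reviewing root's SSH keys and sshd_config.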

Source: opennet.ru
