Urgently update Exim to 4.92 - there is an active infection

Colleagues who run Exim versions 4.87...4.91 on their mail servers: urgently update to version 4.92, having first stopped Exim itself, to avoid being compromised via CVE-2019-10149.

Several million servers around the world are potentially vulnerable; the vulnerability is rated critical (CVSS 3.0 base score = 9.8/10). Attackers can run arbitrary commands on your server, in many cases as root.

Please make sure you are running the fixed version (4.92) or one that has already been patched.
Or patch the existing one, see the comment by immaculate.

Update for CentOS 6: see the comment by Theodor. It also works for CentOS 7, if the fix has not yet arrived directly from EPEL.

UPD: Ubuntu 18.04 and 18.10 are affected; an update has been released for them. Versions 16.04 and 19.04 are not affected unless custom options were installed on them. More details on their official website.

Information about the problem on Opennet
Information on the Exim website

Right now the problem described there is being actively exploited (by a bot, presumably); I noticed an infection on some servers (running 4.91).

Further reading is relevant only for those who have "already got it": you either need to move everything to a clean VPS with fresh software, or look for a solution. Shall we try? Write if anyone manages to defeat this malware.

If you are an Exim user reading this and still haven't updated (haven't made sure that 4.92 or a patched version is installed), please stop and go update.

For those who have already been hit, let's continue...

UPD: supersmile2009 found another kind of malware and gives sound advice:

There may be many different kinds of malware. By running the cure for the wrong thing and clearing the cron line, the user will not be cured and may not even know what he needs to be cured of.

The infection looks like this: [kthrotlds] loads the processor; on a weak VDS it is at 100%, on servers it is weaker but noticeable.

After infection, the malware deletes the cron entries, registering only itself there to run every 4 minutes, and makes the crontab file immutable. crontab -e cannot save changes and gives an error.

The immutable flag can be removed, for example, like this, and then the command line (1.5kb) deleted:

chattr -i /var/spool/cron/root
crontab -e

Next, in the crontab editor (vim), delete the line and save:
dd
:wq

However, some of the running processes write it back again; I'm thinking about it.

At the same time, there is a bunch of running wgets (or curls) hanging on addresses from the installer script (see below); I'm knocking them down like this for now, but they start again:

ps aux | grep wge[t]
ps aux | grep cur[l]
echo "Stopping..."
kill -9 `ps aux | grep wge[t] | awk '{print $2}'`
kill -9 `ps aux | grep cur[l] | awk '{print $2}'`

I found the trojan installer script here (centos): /usr/local/bin/nptd... I'm not posting it, to protect myself, but if someone is infected and understands shell scripts, please study it more carefully.

I will add more as information comes in.

UPD 1: Deleting the files (with a preliminary chattr -i) /etc/cron.d/root, /etc/crontab, rm -Rf /var/spool/cron/root did not help, nor did stopping the service; I had to tear out crontab altogether for now (rename the bin file).

UPD 2: The trojan installer sometimes also lay in other places; searching by size helped:
find / -size 19825c

UPD 3: Attention! In addition to disabling selinux, the trojan also adds its SSH key to ${sshdir}/authorized_keys! And it sets the following fields in /etc/ssh/sshd_config, if they were not already set to YES:
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
echo UsePAM yes
PasswordAuthentication yes

UPD 4: Summing up for now: disable Exim and cron (root and all), urgently remove the trojan's key from ssh and fix the sshd config, restart sshd! And it is not yet clear that this will help, but without it there is definitely a problem.

I moved the important information from the comments about patches/fixes to the beginning of the article, so that readers start with that.

UPD 5: AnotherDenny writes that the malware changed passwords in WordPress.

UPD 6: Paulmann has prepared a temporary cure, let's try it! After a reboot or shutdown the cure seems to disappear, but for now that's what there is.

Whoever makes (or finds) a stable solution, please write; you will help many.

UPD 7: User clsv writes:

If it hasn't been said yet: the virus is resurrected thanks to an unsent letter in Exim; when an attempt is made to send the letter again, it is restored. Look in /var/spool/exim4

You can clear the entire Exim queue like this:
exipick -i | xargs exim -Mrm
To check the number of entries in the queue:
exim -bpc

UPD 8: Thanks again to AnotherDenny for the information: FirstVDS has offered its version of the treatment script, let's try it!

UPD 9: It seems to work; thanks to Kirill for the script!

The main thing is not to forget that the server was already compromised and the attackers could have managed to plant some other nasty things (not listed in the dropper).

Therefore, it is better to move to a fully reinstalled server (vds), or at least keep monitoring the situation; if anything new comes up, write in the comments here, because obviously not everyone will move to a fresh install...

UPD 10: Thanks again to clsv for the reminder that not only servers get infected, but also Raspberry Pi and all sorts of electronics... So after saving the servers, don't forget to save your video consoles, robots, etc.

UPD 11: From the author of the treatment scripts, an important note for those who treat by hand:
(after applying one or another method of fighting this malware)

You definitely need to reboot: the malware sits somewhere in the running processes and, accordingly, in memory, and writes itself anew to cron every 30 seconds.

UPD 12: supersmile2009 found Exim with another(?) malware in its queue and advises you to first study your actual problem before starting treatment.

UPD 13: lorc advises rather to move to a clean system and to transfer files extremely carefully, because the malware is already public and can be used in other, less obvious and more dangerous ways.

UPD 14: To reassure ourselves that smart people don't run things as root - one more urgent message from clsv:

Even if it isn't running as root, the hack happens... I have debian jessie UPD: stretch on my OrangePi, Exim runs as Debian-exim and the hack still happened, crons lost, etc.

UPD 15: If you are moving to a clean server from a compromised one, don't forget about hygiene; a useful reminder from w0den:

When transferring data, pay attention not only to executable or configuration files, but also to anything that may contain malicious commands (for example, in MySQL this could be CREATE TRIGGER or CREATE EVENT). Also, don't forget about .html, .js, .php, .py and other public files (ideally these files, like other data, should be restored from local or other trusted storage).

UPD 16: daykkin and savage_me ran into another problem: the system had one version of Exim installed in its packages, but in fact a different one was running.

So after updating, everyone must make sure that they are running the new version!

exim --version

We worked through their specific situation together.

The server used DirectAdmin and its old da_exim package (an old version, without the vulnerability).

At the same time, via DirectAdmin's custombuild package manager, a newer version of Exim had in fact been installed, which was already vulnerable.

In this particular situation, updating via custombuild also helped.

Don't forget to make backups before such experiments, and also make sure that before/after the update all Exim processes of the old version are stopped and not "stuck" in memory.
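The following triage helpers are an added example, not code from the article or from any of the scripts it mentions. They tie together UPD 3 (the sshd_config directives and the planted authorized_keys entry) and UPD 16 (checking which Exim version is actually on PATH); the 4.87..4.91 range and the directive names come from the text above, while the /root/.ssh/authorized_keys path stands in for the article's ${sshdir} and is an assumption.

```shell
#!/bin/sh
# Added post-incident triage helpers; not code from the original article.
# Assumptions: POSIX sh; root's key file is /root/.ssh/authorized_keys (the article
# writes ${sshdir}); affected range 4.87..4.91 and sshd directives taken from the text.

# Returns 0 (true) when a version string such as "4.91" or "4.87_1" lies in 4.87..4.91.
exim_version_vulnerable() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}          # strip package suffixes like "_1" or "-RC2"
    minor=${minor:-0}
    [ "$major" = "4" ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]
}

# Prints each UPD 3 directive that is present, uncommented, with the value "yes".
# Returns 1 if any was found (config needs review), 0 if the file is clean.
audit_sshd_config() {
    found=0
    for key in PermitRootLogin RSAAuthentication PubkeyAuthentication UsePAM PasswordAuthentication; do
        if grep -Eiq "^[[:space:]]*$key[[:space:]]+yes([[:space:]]|$)" "$1"; then
            echo "REVIEW: $key yes"
            found=1
        fi
    done
    return $found
}

# Lists the first word of the comment field of every key in an authorized_keys file,
# so that an entry nobody recognises stands out for manual review.
list_root_keys() {
    [ -r "$1" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '{ print NR ": " ($3 ? $3 : "(no comment)") }'
}

# Stand-alone use: check the exim binary actually on PATH (see UPD 16), then sshd.
if command -v exim >/dev/null 2>&1; then
    ver=$(exim --version 2>/dev/null | sed -n 's/^Exim version \([0-9][0-9._-]*\).*/\1/p')
    if exim_version_vulnerable "$ver"; then
        echo "exim $ver on PATH is in the affected range: update and verify the running process"
    else
        echo "exim on PATH reports version: ${ver:-unknown}"
    fi
fi
[ -r /etc/ssh/sshd_config ] && { audit_sshd_config /etc/ssh/sshd_config || echo "sshd_config needs manual review"; }
list_root_keys /root/.ssh/authorized_keys
```

Compare the version printed here with the one the package manager claims, and with `ps` output, since UPD 16 shows the three can disagree.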

Source: www.habr.com
