Colleagues running Exim versions 4.87 through 4.91 on their mail servers: update to 4.92 immediately, and stop Exim itself first so that you are not compromised through CVE-2019-10149 while you do it.
Several million servers worldwide are potentially vulnerable; the vulnerability is rated critical (CVSS 3.0 base score 9.8/10). An attacker can execute arbitrary commands on your server, in many configurations as root.
Please make sure you are running the fixed version (4.92) or a build that already has the fix backported.
Or patch the existing one, see the thread.
Update (June 6): see the comments.
UPD: Ubuntu 18.04 and 18.10 are affected, and an update has been released for them. 16.04 and 19.04 are not affected unless non-default build options were installed on them. More details in the linked Ubuntu notice.
The problem described there is now being actively exploited (by a bot, probably); I have noticed infections on several servers (running 4.91).
What follows is relevant only to those who have already "caught it": either move everything to a clean VPS with fresh software, or look for a cure. Shall we try? Write in if anyone manages to beat this malware.
If you are an Exim user reading this and have not updated yet (have not confirmed that 4.92 or a patched build is installed), please stop here and go run the update.
For those who are already hit, let's continue...
UPD:
There may be many variants of the malware. If you run the cure for the wrong one and only clean the cron line, the server is not cured, and you do not know what else has to be cured.
The infection looks like this: a [kthrotlds] process loads the CPU; on a weak VDS it sits at 100%, on larger servers it is lower but still noticeable.
After infecting the host, the malware deletes the existing cron entries, registers itself to run every 4 minutes, and makes the crontab file immutable. crontab -e cannot save changes and reports an error.
The immutable attribute can be removed, for example, like this, after which the malware's command line (about 1.5 KB) is deleted from the crontab:
chattr -i /var/spool/cron/root
crontab -e
Then, in the crontab editor (vim), delete the line and save:
dd
:wq
However, some running process writes it back again, I think.
At the same time there is a bunch of running wgets (or curls) hanging on the addresses from the installer script (see below); for now I kill them like this, but they start again (the [t] and [l] brackets keep grep from matching its own command line):
ps aux | grep wge[t]
ps aux | grep cur[l]
echo "Stopping..."
kill -9 $(ps aux | grep wge[t] | awk '{print $2}')
kill -9 $(ps aux | grep cur[l] | awk '{print $2}')
I found the trojan's installer script here (CentOS): /usr/local/bin/nptd... I am not posting it, to stay on the safe side, but if you are infected and understand shell scripts, please read it carefully.
I will add to this as new information comes in.
UPD 1: Deleting the files /etc/cron.d/root and /etc/crontab (after chattr -i) and rm -Rf /var/spool/cron/root did not help, and neither did stopping the service; for now I had to disable crontab completely (rename the binary).
UPD 2: The trojan installer sometimes sat in other locations; searching by size helps:
find / -size 19825c
UPD 3: Please, please! In addition to disabling selinux, the trojan adds its own SSH key to ${sshdir}/authorized_keys! And it enables the following directives in /etc/ssh/sshd_config if they were not already set to yes:
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
UsePAM yes
PasswordAuthentication yes
UPD 4: Summary so far: disable Exim and cron (the root crontab), urgently remove the trojan's key from authorized_keys and fix the sshd config, then restart sshd! It is not yet clear whether this is enough, but without it you certainly have a problem.
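As an added example (not part of the original post, and not the dropper's or the author's code), the following POSIX shell helpers check the indicators named above on a host you suspect: which of the five sshd directives are effectively set to yes, which authorized_keys entries are not in an allow-list you supply, and which cron files carry the immutable attribute. The directive names and the cron paths come from the post; the allow-list file, the sample config and keys, and the function names are my assumptions. It runs against constructed sample files in a temp directory so it can be tried offline.

```shell
#!/bin/sh
# Added example, not from the original post. Post-infection triage helpers for
# the indicators it lists: sshd directives forced to "yes", a foreign key in
# authorized_keys, immutable cron files. Needs only POSIX sh, awk and lsattr.

# Print each directive from the list the post names that is effectively set
# to "yes". sshd honours the first occurrence of a directive, so later
# duplicates and commented lines are ignored. Match blocks are not interpreted.
sshd_weak_directives() {
    awk '
        BEGIN {
            n = split("PermitRootLogin RSAAuthentication PubkeyAuthentication UsePAM PasswordAuthentication", w, " ")
            for (i = 1; i <= n; i++) want[tolower(w[i])] = w[i]
        }
        /^[ \t]*#/ || NF < 2 { next }
        {
            k = tolower($1)
            if ((k in want) && !(k in seen)) {
                seen[k] = 1
                if (tolower($2) == "yes") print want[k]
            }
        }' "$1"
}

# Print authorized_keys lines whose key blob is not in the allow-list file
# (same format, one trusted public key per line). Matching is on the base64
# blob that follows the key type, so a leading options field such as
# command="..." does not hide a key. Options containing spaces are not parsed.
unknown_authorized_keys() {
    awk '
        function blob(line,   f, n, i) {
            n = split(line, f, /[ \t]+/)
            for (i = 1; i < n; i++)
                if (f[i] ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+)$/)
                    return f[i + 1]
            return ""
        }
        NR == FNR { b = blob($0); if (b != "") ok[b] = 1; next }
        /^[ \t]*(#|$)/ { next }
        { b = blob($0); if (b == "" || !(b in ok)) print }' "$2" "$1"
}

# List cron files carrying the immutable attribute (the post says the malware
# sets it so that crontab -e cannot save). lsattr only works on ext2/3/4.
immutable_cron_files() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        lsattr -d "$f" 2>/dev/null | awk '$1 ~ /i/ { print $2 }'
    done
}

# Constructed sample files so the helpers can be tried offline.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# constructed sample: the state the post says the dropper leaves behind
Port 22
PermitRootLogin yes
PubkeyAuthentication yes
UsePAM yes
PasswordAuthentication no
#RSAAuthentication yes
PermitRootLogin no
EOF
cat > "$SAMPLE_DIR/allowed_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKey admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedBackupKey backup@nas
EOF
cat > "$SAMPLE_DIR/authorized_keys" <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKey admin@workstation
# constructed: a key the allow-list does not know, behind an options field
command="/bin/true" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedForeignKey root@unknown
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedBackupKey backup@nas
EOF

echo "sshd directives set to yes:"
sshd_weak_directives "$SAMPLE_DIR/sshd_config"
echo "authorized_keys entries not in the allow-list:"
unknown_authorized_keys "$SAMPLE_DIR/authorized_keys" "$SAMPLE_DIR/allowed_keys"
```

On a real host, point sshd_weak_directives at /etc/ssh/sshd_config, unknown_authorized_keys at each user's authorized_keys plus a key list you trust from outside the box, and run immutable_cron_files before trying chattr -i; anything the functions print is exactly what the UPD 4 summary says to undo.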
I have moved the important information from the comments about patches and updates to the top of the article, so that readers start with it.
UPD 5:
UPD 6:
Anyone who works out (or finds) a stable fix, please write, you will help many.
UPD 7:
If you did not know yet: the virus is resurrected by an undelivered message sitting in Exim's queue; when Exim retries delivery, the infection is restored. Look in /var/spool/exim4.
You can clear the entire Exim queue like this:
exipick -i | xargs exim -Mrm
To check how many entries are in the queue:
exim -bpc
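As an added example (not the post's own commands), here is a shell helper that reads the output of exim -bp and prints the message IDs worth inspecting before, or instead of, wiping the whole queue: messages Exim has frozen, and messages whose sender or recipient contains "${", Exim's string-expansion syntax, which never belongs in a legitimate address. That second indicator is my assumption about what the stuck message looks like; the post only says an undelivered message re-triggers the infection on retry. The queue listing it runs on is a constructed sample, and the function name is mine.

```shell
#!/bin/sh
# Added example, not from the original post. Reads `exim -bp` queue output on
# stdin and prints "<message-id> <reason>" for entries worth looking at before
# (or instead of) clearing the whole queue with exipick -i | xargs exim -Mrm.
#
# exim -bp prints one header line per message:
#   <age> <size> <message-id> <sender>   [*** frozen ***]
# followed by one indented line per recipient (prefixed "D " once delivered)
# and a blank line. Message IDs are 16 characters in three base-62 groups.
exim_queue_suspects() {
    awk '
        function emit() {
            if (id != "" && reason != "") print id, reason
            id = ""; reason = ""
        }
        function add(r) {
            if (index(reason, r) == 0) reason = (reason == "" ? r : reason "," r)
        }
        # header line: the third field is a message id
        $3 ~ /^[A-Za-z0-9]+-[A-Za-z0-9]+-[A-Za-z0-9]+$/ && length($3) == 16 {
            emit()
            id = $3
            if (index($0, "*** frozen ***") > 0) add("frozen")
            # assumption: expansion syntax in the sender is never legitimate
            if (index($4, "${") > 0) add("expansion-in-sender")
            next
        }
        # recipient line: indented; the address is the last field
        id != "" && /^[ \t]+[^ \t]/ {
            if (index($NF, "${") > 0) add("expansion-in-recipient")
        }
        END { emit() }
    '
}

# Constructed sample in exim -bp format: one normal message, one frozen
# bounce, and one whose recipient carries an expansion (assumed indicator).
QUEUE_SAMPLE='25m  1.5K 1hYkXx-0001Ab-2C <sender@example.com>
          user@example.com

 3h   12K 1hYkYy-0002Cd-3E <> *** frozen ***
          bounce@localhost

 1h  2.0K 1hYkZz-0003Ef-4G <attacker@example.net>
          ${run{/bin/true}}@localhost'

queue_suspects_demo() {
    printf '%s\n' "$QUEUE_SAMPLE" | exim_queue_suspects
}

queue_suspects_demo
```

On a real host run exim -bp | exim_queue_suspects, then look at each flagged ID with exim -Mvh ID (spool header) and exim -Mvb ID (body) before removing it with exim -Mrm ID; if the flagged message is the one the post describes, that is the retry that keeps re-infecting the box.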
UPD 8: Also
UPD 9: Seems to work, thanks
The main thing is not to forget that the server has already been compromised, and the attackers could have planted other nasty, less visible things (not listed in the dropper).
So it is better to move to a freshly installed server (VDS), or at least keep an eye on this thread: if something new turns up, write it in the comments here, because clearly not everyone will go for a fresh install...
UPD 10: Thanks again
UPD 11: From
(after applying one or another way of fighting this malware)
You must reboot: the malware sits somewhere in the running processes and, accordingly, in memory, and writes itself back into cron regularly, every 30 seconds.
UPD 12:
UPD 13:
UPD 14: to reassure the careful people who do not run it as root, one more thing
Even if it does not run as root, the compromise still happens... I have Debian jessie (UPD: stretch) on my OrangePi, Exim runs as Debian-exim, and it still got hacked, crons wiped, etc.
UPD 15: when moving from the compromised server to a clean one, do not forget about hygiene.
When transferring data, pay attention not only to executable and configuration files, but also to anything else that could carry malicious commands (in MySQL, for example, that could be a CREATE TRIGGER or CREATE EVENT). And do not forget about .html, .js, .php, .py and other public files (ideally these files, like the rest of the data, should be restored from a repository or other trusted storage).
UPD 16:
So everyone should verify after the update that the new version is actually the one running!
exim --version
Together we sorted out their particular case.
The server was running DirectAdmin with its old da_exim package (an old version, not affected).
At the same time, the DirectAdmin package manager had in fact installed a newer Exim, which was the vulnerable one.
In this case updating through custombuild also helped.
Do not forget to make backups before such experiments, and check both before and after the update that no Exim process of the old version is still running.
Source: www.habr.com