Colleagues running Exim versions 4.87...4.91 on their mail servers: update urgently to version 4.92, stopping Exim beforehand, to avoid being compromised via CVE-2019-10149.
Several million servers worldwide are potentially at risk; the vulnerability is rated critical (CVSS 3.0 base score = 9.8/10). Attackers can execute arbitrary commands on your server, in many cases as root.
Please make sure you are running a fixed version (4.92) or one that has already been patched.
Or patch the existing one, see the thread
Update for CentOS 6: see
UPD: Ubuntu 18.04 and 18.10 are affected, and an update has been released for them. Versions 16.04 and 19.04 are not affected unless custom options were built into them. More details
Now the problem described there is being actively exploited (by a bot, presumably); I have seen infections on some servers (running 4.91).
The rest of this applies only to those who have "already caught it": you either need to move everything to a clean VPS with fresh software, or look for a solution. Shall we try? Write in if anyone manages to beat this malware.
If you are an Exim user reading this and have not yet updated (have not verified that 4.92 or a patched version is installed), please stop and go update.
For those who are already there, let's continue...
UPD:
There can be a great variety of this malware. If you apply the wrong remedy and remove the wrong line, you will not be cured and may not even know what needs treating.
The infection looks like this: a [kthrotlds] process loads the CPU; on a weak VDS it sits at 100%, on bigger servers it is lower but still noticeable.
After infection the malware removes the existing cron entries and registers only itself there, to run every 4 minutes, while making the crontab file immutable. crontab -e cannot save changes and returns an error.
The immutability can be removed, for example, like this, after which the command line (1.5kb) can be deleted:
chattr -i /var/spool/cron/root
crontab -e
Then, in the crontab editor (vim), delete the line and save:
dd
:wq
However, some of the running processes overwrite it again; I'm still figuring that out.
At the same time there are a bunch of active wgets (or curls) hanging on addresses taken from the installer script (see below); for now I kill them like this, but they start up again:
ps aux | grep wge[t]
ps aux | grep cur[l]
echo "Stopping..."
kill -9 `ps aux | grep wge[t] | awk '{print $2}'`
kill -9 `ps aux | grep cur[l] | awk '{print $2}'`
I found the Trojan's installer script here (CentOS): /usr/local/bin/nptd... I'm not posting it, to avoid spreading it, but if anyone is infected and understands shell scripts, please read it carefully.
I will add more as information comes in.
UPD 1: Removing the files (after a preliminary chattr -i) /etc/cron.d/root, /etc/crontab, rm -Rf /var/spool/cron/root did not help and did not stop the service; for now I had to take crontab out of action completely (rename the binary).
UPD 2: The Trojan installer sometimes also sits in other places; searching by size helps:
find / -size 19825c
UPD 3: Attention. Besides disabling selinux, the Trojan also adds an SSH key to ${sshdir}/authorized_keys! And it forces the following directives in /etc/ssh/sshd_config, if they are not already set to yes:
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
UsePAM yes
PasswordAuthentication yes
UPD 4: Summary so far: disable Exim and cron (as root), urgently remove the Trojan's key from authorized_keys and fix the sshd config, then restart sshd! It is not yet clear whether this is enough, but without it there is definitely a problem.
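The checks behind UPD 3 and UPD 4 (an Exim build in the affected range, a weakened sshd_config, a planted key in authorized_keys, immutable cron files) can be scripted so they are done the same way on every box. The POSIX sh helpers below are an added example written for this note; they are not the dropper's script and not code from the original post. The sample sshd_config, the key lines and the file names in the demo are constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example for this note: triage helpers for the kthrotlds /
# CVE-2019-10149 case. Not the dropper's script and not from the original
# post. The demo at the bottom uses constructed input; on a real host point
# the functions at the real files.

# Upstream Exim 4.87 .. 4.91 is the affected range named at the top of the
# note. Accepts a bare version ("4.91") or the first line of `exim --version`
# ("Exim version 4.91 #1 built ..."). Returns 0 when the version is in that
# range, 1 when it is not, 2 when no version could be parsed.
# Caveat: Debian/Ubuntu ship patched packages without bumping to 4.92, so
# "in range" means "check your distro's advisory", not "certainly exploitable".
exim_version_in_vuln_range() {
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver            # $1 = major, $2 = minor
    [ "$1" -eq 4 ] && [ "$2" -ge 87 ] && [ "$2" -le 91 ]
}

# Print the sshd_config directives from UPD 3 that are set to "yes" in the
# given file, one per line, and return 1 if any were found. Leading whitespace
# is allowed and commented-out lines are ignored, as sshd does.
# PubkeyAuthentication and UsePAM are normal defaults; PermitRootLogin and
# PasswordAuthentication are the ones to revert. RSAAuthentication is a
# protocol-1 directive that OpenSSH 7.4+ only warns about as deprecated.
report_weak_sshd_settings() {
    cfg=$1; found=0
    for key in PermitRootLogin RSAAuthentication PubkeyAuthentication \
               UsePAM PasswordAuthentication; do
        if grep -Eiq "^[[:space:]]*${key}[[:space:]]+yes[[:space:]]*$" "$cfg"; then
            echo "$key yes"; found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# List authorized_keys lines whose key blob is not in a known-good file (the
# keys you deployed yourself); return 1 if any. Matching is on the base64 blob
# (the field after the key type), so a prepended option such as "no-pty" or a
# different comment cannot hide a key.
unknown_authorized_keys() {
    ak=$1; known=$2; rc=0
    while read -r line; do
        case $line in ''|'#'*) continue ;; esac
        blob=$(printf '%s\n' "$line" |
               awk '{ for (i = 1; i <= NF; i++)
                        if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $(i + 1); exit } }')
        if [ -z "$blob" ]; then
            echo "UNPARSED: $line"; rc=1
        elif ! grep -Fq -- "$blob" "$known"; then
            echo "UNKNOWN: $line"; rc=1
        fi
    done < "$ak"
    return "$rc"
}

# Which of the cron files the dropper touches still carry the immutable ('i')
# attribute, the reason `crontab -e` refuses to save. Needs lsattr (e2fsprogs)
# and a filesystem that supports the flag, so the demo does not exercise it.
immutable_cron_files() {
    for f in /etc/crontab /etc/cron.d/root /var/spool/cron/root \
             /var/spool/cron/crontabs/root; do
        [ -e "$f" ] || continue
        lsattr -d "$f" 2>/dev/null | awk '$1 ~ /i/ { print $2 }'
    done
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sshd_config fragment resembling what UPD 3 describes.
    cat > "$tmp/sshd_config" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
UsePAM yes
EOF
    # Constructed keys: one we deployed, one the dropper appended.
    printf 'ssh-ed25519 AAAAC3adminkey admin@laptop\n' > "$tmp/known_keys"
    printf 'ssh-ed25519 AAAAC3adminkey admin@laptop\nno-pty ssh-rsa AAAAB3plantedkey\n' \
        > "$tmp/authorized_keys"

    for v in "Exim version 4.91 #1 built 10-Feb-2019" "4.92" "4.86.2"; do
        if exim_version_in_vuln_range "$v"; then echo "AFFECTED RANGE: $v"
        else echo "ok: $v"; fi
    done
    report_weak_sshd_settings "$tmp/sshd_config" || echo "-> sshd_config was weakened"
    unknown_authorized_keys "$tmp/authorized_keys" "$tmp/known_keys" \
        || echo "-> remove that key, fix sshd_config, restart sshd"
    rm -rf "$tmp"
}
demo
```

Run it as root on the suspect host, or copy the relevant files off the host and point the functions at the copies. A key that unknown_authorized_keys reports is deleted together with the sshd_config changes and sshd is restarted, as UPD 4 says; immutable_cron_files tells you which files still need chattr -i before crontab -e will save.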
I moved the important information from the comments about patches/updates to the beginning of the note, so that readers start with it.
UPD 5:
UPD 6:
Anyone who makes (or finds) a stable solution, please write in; it will help many.
UPD 7:
If you had not noticed that this virus is revived by an unsent message sitting in the Exim queue, which re-infects the host when Exim retries delivering it, look in /var/spool/exim4.
You can clear the whole Exim queue like this (exipick -i lists the queued message IDs, exim -Mrm removes them):
exipick -i | xargs exim -Mrm
Check the number of messages in the queue:
exim -bpc
UPD 8: Also
UPD 9: Looks like it works, thanks
The main thing is not to forget that the server was already compromised and the attackers could have planted something far worse (something not listed in the dropper).
So it is better to move to a completely fresh server (VDS), or at least keep following this thread; if something new turns up, write in the comments here, because obviously not everyone will move to a fresh installation...
UPD 10: Thanks again
UPD 11: From
(after applying one or another of the methods of fighting this malware)
You definitely need to reboot: the malware sits somewhere in the running processes and, accordingly, in memory, and writes itself a fresh cron entry every 30 seconds.
UPD 12:
UPD 13:
UPD 14: for those who are sure that sensible people don't run it as root, one more thing
Even if it is not running as root, the compromise still happens... I have Debian Jessie. UPD: cross-checked on my OrangePi, Exim runs as Debian-exim and it still gets compromised, crons get wiped, etc.
UPD 15: when moving from a compromised server to a clean one, don't forget about hygiene.
When transferring data, pay attention not only to executables and configs but to anything that may contain malicious commands (in MySQL, for example, this could be a CREATE TRIGGER or CREATE EVENT). Also don't forget about .html, .js, .php, .py and other public files (ideally these files, like the rest of the data, should be restored from a local or other trusted copy).
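Two of the hygiene checks from UPD 15 can be done mechanically before anything from the old host is imported: grep the SQL dump for trigger and event definitions, and compare the copied web tree against a trusted copy. The POSIX sh below is an added example for this note, not code from the original post; the dump fragment and the file trees in the demo are constructed, and the function names are mine. The dump scanner also handles the /*!50003 CREATE*/ ... /*!50003 TRIGGER ... */ conditional-comment form that mysqldump emits, which a plain search for "CREATE TRIGGER" would miss.

```shell
#!/bin/sh
# Added example for this note: migration hygiene checks from UPD 15. Not
# code from the original post; the dump fragment and the file trees in the
# demo are constructed.

# Print the lines of a SQL dump that create triggers or events, prefixed with
# the line number, and return 1 if any were found (0 if the dump is clean),
# so the function can gate an import. Handles hand-written "CREATE TRIGGER",
# "CREATE DEFINER=... TRIGGER", MariaDB "CREATE OR REPLACE TRIGGER", and the
# "/*!50003 CREATE*/ /*!50017 DEFINER=...*/ /*!50003 TRIGGER ..." form that
# mysqldump emits; matching is case-insensitive.
scan_dump_for_hooks() {
    if grep -nEi '(^|[^A-Za-z_])CREATE(\*/)?[[:space:]]+(/\*![0-9]+[[:space:]]+)?(OR[[:space:]]+REPLACE[[:space:]]+)?(DEFINER[[:space:]]*=[^[:space:]]+[[:space:]]+)?(/\*![0-9]+[[:space:]]+)?(TRIGGER|EVENT)[[:space:]]' "$1"; then
        return 1
    fi
    return 0
}

# Compare a migrated web tree against a trusted copy (backup, VCS checkout).
# Prints files that differ ("MODIFIED") or exist only in the migrated tree
# ("ONLY-IN-MIGRATED"), relative to the tree root, and returns 1 if there
# were any. Files present only in the trusted copy are not reported: nothing
# malicious can arrive through a file that was not copied.
diff_against_trusted() {
    trusted=$1; migrated=$2
    out=$( (cd "$migrated" && find . -type f | LC_ALL=C sort) |
        while read -r rel; do
            rel=${rel#./}
            if [ ! -f "$trusted/$rel" ]; then
                echo "ONLY-IN-MIGRATED: $rel"
            elif ! cmp -s "$trusted/$rel" "$migrated/$rel"; then
                echo "MODIFIED: $rel"
            fi
        done )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed dump fragment: one table, one hand-written trigger, one
    # mysqldump-style event.
    cat > "$tmp/dump.sql" <<'EOF'
-- constructed dump fragment
CREATE TABLE t (id INT, event VARCHAR(20));
CREATE DEFINER=`root`@`localhost` TRIGGER t_ai AFTER INSERT ON t FOR EACH ROW SET @x = 1;
/*!50106 CREATE*/ /*!50117 DEFINER=`root`@`localhost`*/ /*!50106 EVENT `ev` ON SCHEDULE EVERY 1 HOUR DO SELECT 1 */ ;;
EOF
    # Constructed web trees: the migrated copy has an injected script tag
    # and an extra loader file.
    mkdir -p "$tmp/trusted/js" "$tmp/migrated/js"
    printf '<h1>site</h1>\n' > "$tmp/trusted/index.html"
    printf '<h1>site</h1><script src="//example.invalid/x.js"></script>\n' > "$tmp/migrated/index.html"
    printf 'console.log(1)\n' > "$tmp/trusted/js/app.js"
    printf 'console.log(1)\n' > "$tmp/migrated/js/app.js"
    printf 'eval(atob("..."))\n' > "$tmp/migrated/js/loader.js"

    scan_dump_for_hooks "$tmp/dump.sql" || echo "-> review these before importing"
    diff_against_trusted "$tmp/trusted" "$tmp/migrated" || echo "-> take these from the trusted copy"
    rm -rf "$tmp"
}
demo
```

On a running MySQL/MariaDB the same question can be asked directly: SELECT TRIGGER_SCHEMA, TRIGGER_NAME, DEFINER FROM information_schema.TRIGGERS; and SELECT EVENT_SCHEMA, EVENT_NAME, DEFINER FROM information_schema.EVENTS;. The tree comparison only reports files that differ or exist only in the migrated copy; whatever it lists is exactly what should be taken from the trusted copy instead.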
UPD 16:
So after updating, everyone should make sure they are actually running the new version!
exim --version
Here is one specific case we sorted out together:
The server ran DirectAdmin with its old da_exim package (an old version, without the vulnerability).
At the same time, through DirectAdmin's custombuild package manager, a newer version of Exim had in fact been installed, and that one was vulnerable.
In that case, updating through custombuild helped as well.
Don't forget to make backups before such experiments, and make sure that before/after the update no Exim processes of the old version are still running.
Source: www.habr.com