Posts Tagged ‘Security’

Zimbra < 8.0.6 Web Exploit, Bitcoin Slavery and Securing /tmp/

You may have noticed a bitcoin miner chugging along on your Zimbra server.

Doing a little searching, it seems you’re not cool if you haven’t.

A serious vulnerability (CVE-2013-7091) in the administration web interface was patched with the release of version 8.0.6. It was subsequently discovered and a PoC was crafted then released by rubina119 and marketed as 0day. While there has been some argument over whether that stretches the definition, I’m sad to say it was 0dh3y enough for me and countless other lazy buggers that never update their Zimbra. Go team!

If you were like me, you might have seen something like this:

top - 17:56:57 up 93 days, 15:06,  1 user,  load average: 6.09, 5.90, 5.87
  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 4489 zimbra    20   0  458m 2184  920 S 255.4  0.1   7731:52 minerd64

And you may have found this:

# lsof -i | grep minerd64
minerd64  4489  zimbra    4u  IPv4 47747967      0t0  TCP localhost:65535->193.0.202.101:domain (ESTABLISHED)

# whois 193.0.202.101
% This is the RIPE Database query service.
...
org-name:       MediaServicePlus Ltd.
org-type:       LIR
address:        Novorogozhskaya 32c3, 212
address:        109029
address:        Moscow
address:        RUSSIAN FEDERATION
...
Well, OBVIOUSLY Russia. Right?

Well, OBVIOUSLY Russians. Right?

Then this:

# ls /tmp/
1  a  b  meep.pl  minerd32  minerd32.1  minerd32.2  minerd32.3  minerd32.4  minerd64  minerd64.1  minerd64.2  minerd64.3  xd.pl

And three of these things are not like the others:

# ls -lsah /opt/zimbra/zimlets-deployed/
total 84K
4.0K drwxr-xr-x. 21 zimbra zimbra 4.0K Jan 21 01:34 .
4.0K drwxr-xr-x. 51 zimbra zimbra 4.0K Aug 18 15:59 ..
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_adminversioncheck
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_attachcontacts
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_attachmail
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_bulkprovision
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_cert_manager
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_clientuploader
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_date
4.0K drwxr-x---.  4 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_email
4.0K drwxr-x---   2 zimbra zimbra 4.0K Jan 21 01:34 com_zimbra_email_dns
4.0K drwxr-x---   2 zimbra zimbra 4.0K Dec 28 05:26 com_zimbra_example_simplejspaction
4.0K drwxr-x---   2 zimbra zimbra 4.0K Dec 31 16:37 com_zimbra_example_simplejspaction2
4.0K drwxr-x---.  4 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_phone
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_proxy_config
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_srchhighlighter
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_tooltip
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_url
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_viewmail
4.0K drwxr-x---.  2 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_webex
4.0K drwxr-x---.  3 zimbra zimbra 4.0K Jan  9  2013 com_zimbra_ymemoticons

This is the order in which I recommend fixing things:

  • Locate and delete any unusual zimbra admin accounts.
  • Stop zimbra.
  • killall minerd(32|64)
  • Clear /tmp/
  • Mount /tmp/ as tmpfs with nodev,nosuid,noexec so that nothing dropped into /tmp/ can be executed in future
  • Delete the bad zimlets
  • Make a backup
  • Download 8.0.6
  • Do an upgrade. Don’t forget install.sh’s annoying flags like --platform-override and -x.
  • Reset your LDAP and MySQL passwords.
  • Restart zimbra.
  • Check for any additional gifts that may have been left behind.
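
The /tmp/ step above is the one that keeps paying off after cleanup, and it is easy to get half right (a tmpfs mounted without noexec, or an fstab entry that never got remounted). The following is an added example, not code from the post: it parses /proc/mounts text, reports which of nodev, nosuid and noexec are missing on /tmp, and prints the fstab line to add. The sample mounts text is constructed for the demonstration; the size value is a placeholder to adjust for your box.

```python
from pathlib import Path

REQUIRED_OPTS = ("nodev", "nosuid", "noexec")

# Constructed /proc/mounts sample (not taken from the compromised server):
# /tmp is a tmpfs, but mounted without any of the hardening options.
SAMPLE_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/xvda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /tmp tmpfs rw,relatime,size=524288k 0 0
"""


def tmp_mount_status(mounts_text, mountpoint="/tmp"):
    """Return (is_separate_mount, missing_options) for mountpoint.

    /proc/mounts lists mounts in order; if the same path appears twice the
    later one shadows the earlier, so the last matching line wins.
    """
    opts = None
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mountpoint:
            opts = set(fields[3].split(","))
    if opts is None:
        # Not its own mount at all: every option is effectively missing.
        return False, list(REQUIRED_OPTS)
    return True, [o for o in REQUIRED_OPTS if o not in opts]


def fstab_line(mountpoint="/tmp", size="512m"):
    """The /etc/fstab entry that gives a fresh boot a hardened tmpfs /tmp.
    Apply immediately with: mount -o remount,nodev,nosuid,noexec /tmp
    (or a plain mount -t tmpfs if /tmp is not yet a separate mount)."""
    return f"tmpfs {mountpoint} tmpfs rw,nodev,nosuid,noexec,size={size} 0 0"


def check_live():
    """Check the running system; returns None where /proc/mounts is unreadable."""
    try:
        return tmp_mount_status(Path("/proc/mounts").read_text())
    except OSError:
        return None


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MOUNTS),):
        mounted, missing = tmp_mount_status(text)
        print(f"{label}: separate mount={mounted}, missing={missing or 'none'}")
    live = check_live()
    if live is not None:
        print(f"this host: separate mount={live[0]}, missing={live[1] or 'none'}")
    print("fstab entry:", fstab_line())
```

Run it on the affected server; if it reports anything missing, add the fstab line, remount, and confirm that a copied-in binary in /tmp now fails with "Permission denied" before moving on to the zimlet cleanup.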

Obviously, you should have your admin interface listening on a private IP or restricted port wherever possible. Where it isn’t, you might like to add some additional layer of security, for example HTTP auth.

This whole thing has me interested in Bitcoin mining again; I’ve got all sorts of servers that are mostly unused I’m not paying the hydro for. :p

At least we found something cute this time like hash crunching instead of something destructive like spamming or DoS. Right guys?

o/~ You’ve got to e-li-minate the negative… o/~

Download: 32 & 64-bit Xen Paravirtualized domU initrd-free Monolithic Kernel 3.10.17

This is a significant step up from the drop-in kernels I have posted previously. Thanks to a massive cleanup this is the first Xen PV kernel I’ve been able to build with heap randomization and stack smashing protection. Other improvements include:

  • EXT4 support
  • NFS4 support
  • Full-range IPSec support (untested)
  • Head-to-toe netfilter and crypto
  • Per-process i/o stats (see iotop)!
  • dmesg_restrict

Download
kernel-domU-3.10.17-32 739ca0128e68b33164fdccc66bd53bb8 (.config)
kernel-domU-3.10.17-64 0e59bba671893715b04a16f7ee8edb3a (.config)

As always, these kernels are monolithic (lack loadable module support) for security and do not require an initrd to boot a Xen virtual machine.

Your udev or other parts of userland may require upgrading or downgrading to play ball with this kernel version. I’m migrating from 3.2.12 without any issues.

Compiled from gentoo-sources-3.10.17

More Fun with DNS Amplification Attacks: pkts.asia and babywow.co.uk

I recently intercepted some DNS amplification attacks using the domains pkts.asia and babywow.co.uk involving a server which has recursion disabled but is, for some reason, returning the list of root name servers. I suppose that will be the topic of my next article :p

Big thanks to this really sweet site http://dnsamplificationattacks.blogspot.ca/ for providing a list of iptables rules which cover these attacks at https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist-string.txt.

You can find more information on these two specific domains at:
http://dnsamplificationattacks.blogspot.ca/2013/10/domain-pktsasia.html
http://dnsamplificationattacks.blogspot.ca/2013/10/domain-babywowcouk.html

I found that I had to drop the --start and --stop flags to get these rules to work. I’m not sure whether I’m failing to account for an offset or seeing a different strain of the attack, but the start and stop positions appear to be different when we crack open the packets:

pkts.asia
00163ebb000300163ecd000208004500
00476dd90000f8114fa44c670d3c0000
0000fd5900350033000095b201000001
00000000000104706b74730461736961
0000ff00010000292328000000000000
0000000000

The string we are blocking for appears to be between 36 and 40 rather than 40 and 51.

babywow.co.uk
00163ebb000300163ecd000208004500
004b9e0c0000f8110d4dd0729b500000
0000a216003500370000c1ff01000001
0000000000010762616279776f770263
6f02756b0000ff000100002923280000
000000000000000000

The string we are blocking for appears to be between 36 and 44 rather than 40 to 55.

You should note that not using --start and --stop makes netfilter inspect the whole packet, which carries a (probably negligible) performance hit.

ClearOS seems to have trouble with the comment formatting, so I’ve made a couple of minor edits to the list which will drop these rules into FORWARD on your router:

#!/bin/bash
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|1b323031336e69616e636875616e7169736966756661627577616e67076164736634327703636f6d|' -j DROP # -m comment "DROP DNS Q 2013nianchuanqisifufabuwang.adsf42w.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|03697363036f72670000ff00|' -j DROP # -m comment "DROP DNS Q ANY isc.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|077375636b64646702636300|' -j DROP # -m comment "DROP DNS Q suckddq.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|076e61706966756e03636f6d|' -j DROP # -m comment "DROP DNS Q napifun.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0768616b34756d7a036e6574|' -j DROP # -m comment "DROP DNS Q hak4umz.net"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|06616e6f6e736303636f6d00|' -j DROP # -m comment "DROP DNS Q anonsc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0331783102637a0000ff0001|' -j DROP # -m comment "DROP DNS Q ANY 1x1.cz"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|056266686d6d03636f6d000010000100|' -j DROP # -m comment "DROP DNS Q TXT bfhmm.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|03697363036f72670000ff00|' -j DROP # -m comment "DROP DNS Q ANY isc.org dns.id"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|076564656c696f6e02737500|' -j DROP # -m comment "DROP DNS Q edelion.su"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0432736f65027275|' -j DROP # -m comment "DROP DNS Q 2soe.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0472697065036e657400|' -j DROP # -m comment "DROP DNS Q ripe.net"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0968697a62756c6c6168026d6500|' -j DROP # -m comment "DROP DNS Q hizbullah.me"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|11657667656e69792d6d61726368656e6b6f02636300|' -j DROP # -m comment "DROP DNS Q evgeniy-marchenko.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|057372766974036f726700|' -j DROP # -m comment "DROP DNS Q srvit.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0B7061636b6574646576696c03636f6d00|' -j DROP # -m comment "DROP DNS Q packetdevil.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|046a756e6b087468657977616e7402696e00|' -j DROP # -m comment "DROP DNS Q junk.theywant.in"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0374787408707773657276657203636f6d02756100|' -j DROP # -m comment "DROP DNS Q txt.pwserver.com.ua"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0469657466036f726700|' -j DROP # -m comment "DROP DNS Q ietf.org"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0371686102636300|' -j DROP # -m comment "DROP DNS Q qha.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|066c61326c6f7702636300|' -j DROP # -m comment "DROP DNS Q la2low.cc"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|057a7a67737403636f6d00|' -j DROP # -m comment "DROP DNS Q zzgst.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|01610B7061636b6574646576696c03636f6d00|' -j DROP # -m comment "DROP DNS Q a.packetdevil.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0778706c6f64696e03636f6d00|' -j DROP # -m comment "DROP DNS Q xplodin.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0261610661736433736303636f6d00|' -j DROP # -m comment "DROP DNS Q aa.asd3sc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0962697473747265737303636f6d00|' -j DROP # -m comment "DROP DNS Q bitstress.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|026161066d6d7461633103636f6d00|' -j DROP # -m comment "DROP DNS Q aa.mmtac1.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0C6b696464793332333336353502727500|' -j DROP # -m comment "DROP DNS Q kiddy3233655.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05643639393103636f6d00|' -j DROP # -m comment "DROP DNS Q d6991.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0661613332343703636f6d00|' -j DROP # -m comment "DROP DNS Q aa3247.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|08666b666b666b666103636f6d00|' -j DROP # -m comment "DROP DNS Q fkfkfkfa.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A677261707079626c6f6703636f6d00|' -j DROP # -m comment "DROP DNS Q grappyblog.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05636d69756903636f6d00|' -j DROP # -m comment "DROP DNS Q cmiui.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05346677686b03636f6d00|' -j DROP # -m comment "DROP DNS Q 4fwhk.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0673616e64696103676f7600|' -j DROP # -m comment "DROP DNS Q sandia.gov"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A7a61696b617061696b6103636f6d00|' -j DROP # -m comment "DROP DNS Q zaikapaika.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|08766572697369676e03636f6d00|' -j DROP # -m comment "DROP DNS Q verisign.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0473656d6102637a00|' -j DROP # -m comment "DROP DNS Q sema.cz"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|04706b7473046173696100|' -j DROP # -m comment "DROP DNS Q pkts.asia"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0A69726c77696e6e696e6703636f6d00|' -j DROP # -m comment "DROP DNS Q irlwinning.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|053337397a6303636f6d00|' -j DROP # -m comment "DROP DNS Q 379zc.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333630383804696e666f00|' -j DROP # -m comment "DROP DNS Q 36088.info"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|067478743430390874656b6a65746f6e03636f6d00|' -j DROP # -m comment "DROP DNS Q txt409.tekjeton.com"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0D73757065726d65676174727565056d6364697202727500|' -j DROP # -m comment "DROP DNS Q supermegatrue.mcdir.ru"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333032353904696e666f00|' -j DROP # -m comment "DROP DNS Q 30259.info"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|0762616279776f7702636f02756b00|' -j DROP # -m comment "DROP DNS Q babywow.co.uk"
iptables --insert FORWARD -p udp --dport 53 -m string  --algo bm --hex-string '|05333633373204696e666f00|' -j DROP # -m comment "DROP DNS Q 36372.info"
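
The two hex dumps above and the rule list raise the same practical question: where exactly in the packet does the encoded query name sit, and does a given hex-string rule (with or without an offset window) actually cover it? The example below is added here and is not code from the post or from the smurfmonitor rule list. It walks Ethernet, IPv4, UDP and the DNS header of the two captured frames (copied from the dumps above with line breaks removed), reports the byte range of the question name counted both from the frame start and from the IP header, and can encode a domain into the same hex-string form the list uses or decode a list entry back to a domain for auditing. Two assumptions are labelled in the code: iptables' string match calls its offset options --from and --to (the flags the post refers to as --start and --stop) and counts them from the first byte of the IP header, since the Ethernet header is gone by the time netfilter sees the packet; and the --to offset is treated as an exclusive end of the window. The 20-byte IP header, 8-byte UDP header and 12-byte DNS header put the first question name at byte 40 of the IP datagram, so the ranges you get from this script can be compared directly with the upstream 40 to 51 and 40 to 55 windows.

```python
ETH_LEN = 14                       # Ethernet header length in the captured frames
QTYPE_NAMES = {1: "A", 16: "TXT", 255: "ANY"}

# The two hex dumps from the post, line breaks removed.
PKTS_ASIA = ("00163ebb000300163ecd000208004500" "00476dd90000f8114fa44c670d3c0000"
             "0000fd5900350033000095b201000001" "00000000000104706b74730461736961"
             "0000ff00010000292328000000000000" "0000000000")
BABYWOW = ("00163ebb000300163ecd000208004500" "004b9e0c0000f8110d4dd0729b500000"
           "0000a216003500370000c1ff01000001" "0000000000010762616279776f770263"
           "6f02756b0000ff000100002923280000" "000000000000000000")


def _read_name(data, pos):
    """Read an uncompressed DNS name at pos; return (labels, position after it)."""
    labels = []
    while True:
        length = data[pos]
        if length == 0:
            return labels, pos + 1
        if length & 0xC0:
            raise ValueError("compression pointer inside a question name")
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length


def parse_dns_query(frame_hex):
    """Locate the first question name in an Ethernet/IPv4/UDP/DNS frame.
    Offsets are reported from the frame start and from the IP header; the
    latter is assumed here to be where the string match counts --from/--to."""
    frame = bytes.fromhex(frame_hex)
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip_off = ETH_LEN
    ihl = (frame[ip_off] & 0x0F) * 4          # IP header length from the IHL nibble
    if frame[ip_off + 9] != 17:
        raise ValueError("not UDP")
    udp_off = ip_off + ihl
    dns_off = udp_off + 8                     # UDP header is fixed at 8 bytes
    name_start = dns_off + 12                 # DNS header is fixed at 12 bytes
    labels, name_end = _read_name(frame, name_start)
    qtype = int.from_bytes(frame[name_end:name_end + 2], "big")
    return {
        "qname": ".".join(labels),
        "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
        "dport": int.from_bytes(frame[udp_off + 2:udp_off + 4], "big"),
        "wire_name_hex": frame[name_start:name_end].hex(),
        "frame_offset": (name_start, name_end),
        "ip_offset": (name_start - ETH_LEN, name_end - ETH_LEN),
    }


def rule_window_covers(frame_hex, hex_string, start=None, stop=None):
    """Would --hex-string '|hex_string|' be found inside [--from start, --to stop)?
    Assumed semantics: window counted from the IP header, --to exclusive."""
    packet = bytes.fromhex(frame_hex)[ETH_LEN:]   # what netfilter sees
    lo = 0 if start is None else start
    hi = len(packet) if stop is None else stop
    return packet.find(bytes.fromhex(hex_string), lo, hi) != -1


def encode_qname(domain, qtype=None):
    """Wire-encode a name as the rule list does: length-prefixed labels plus a
    zero terminator, optionally followed by the QTYPE and the IN class."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in domain.split("."))
    out += b"\x00"
    if qtype is not None:
        out += qtype.to_bytes(2, "big") + b"\x00\x01"
    return out.hex()


def decode_qname_hex(hex_string):
    """Recover the domain from a rule's hex string so a blacklist can be audited.
    Tolerates entries that omit the terminator or carry trailing QTYPE bytes."""
    data = bytes.fromhex(hex_string)
    labels, pos = [], 0
    while pos < len(data) and data[pos] != 0:
        length = data[pos]
        labels.append(data[pos + 1:pos + 1 + length].decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels)


def rule_for_domain(domain, chain="FORWARD", qtype=None):
    """Emit a DROP rule in the same shape as the list above (no offset window)."""
    kind = (QTYPE_NAMES.get(qtype, str(qtype)) + " ") if qtype else ""
    return (f"iptables --insert {chain} -p udp --dport 53 -m string --algo bm "
            f"--hex-string '|{encode_qname(domain, qtype)}|' -j DROP "
            f"# DROP DNS Q {kind}{domain}")


if __name__ == "__main__":
    for dump in (PKTS_ASIA, BABYWOW):
        q = parse_dns_query(dump)
        print(q["qname"], q["qtype"], "frame", q["frame_offset"], "ip", q["ip_offset"])
    print(rule_for_domain("pkts.asia"))
```

Feed rule_window_covers a dump of the traffic you are actually seeing before you decide whether to keep an offset window: a rule whose window misses the name matches nothing and silently lets the amplification through, while dropping the window entirely trades that risk for the full-packet scan noted above. decode_qname_hex is handy for checking what a pasted blacklist really blocks before loading it into FORWARD.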