Important details regarding DirectAdmin CVE-2017-18045 Segfault

Back in October 2017 DirectAdmin released version 1.52.1 with a cryptic note about a bug that could provide unauthorised access. The exact impact, and access to what, was unknown until today. The issue has since been assigned CVE-2017-18045, which shows its importance. But what is this security bug really, and what are its implications?

Recently we have been seeing reports from clients about legitimate-looking processes that consume all of their servers' CPU. These clients manage their own servers and have their own policy on when to update. We update within a few weeks or immediately, depending on the impact of the security flaw. Before you continue, make sure that you update to DirectAdmin 1.52.1 first! All our managed servers are up-to-date.

The process names differ and so do the filenames; these are the ones we have seen so far. Make a backup before removing the files. If you are unsure, contact us for our management services via the chat button in the bottom right corner.

/usr/sbin/userntectl
/usr/bin/chgae
/usr/sbin/eixm
/usr/bin/newrgp

The MD5 checksum of every one of these files is 0fbee0805fae573d6f5c8745a9f63b27.

We have also found that these binaries disguise themselves by setting their process name to something like exim or postfix. If you are unsure whether a process is a normal server process, get its process ID and run the following:

lsof -p {process_id}

This will output something like this:

COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
postfix 3519 root cwd DIR 252,1 4096 2 /
postfix 3519 root rtd DIR 252,1 4096 2 /
postfix 3519 root txt REG 252,1 1425192 7857 /usr/local/bin/.~2DCEDVa (deleted)
postfix 3519 root DEL REG 0,4 26121703 /dev/zero
postfix 3519 root DEL REG 0,12 28281613 /anon_hugepage
postfix 3519 root 0w FIFO 0,8 0t0 26121690 pipe
postfix 3519 root 1w CHR 1,3 0t0 3851 /dev/null
postfix 3519 root 2w CHR 1,3 0t0 3851 /dev/null
postfix 3519 root 3r FIFO 0,8 0t0 17625961 pipe
postfix 3519 root 4r FIFO 0,8 0t0 26121689 pipe
postfix 3519 root 5u sock 0,6 0t0 26121337 can't identify protocol
postfix 3519 root 6w FIFO 0,8 0t0 17625962 pipe
postfix 3519 root 7u sock 0,6 0t0 26121702 can't identify protocol
postfix 3519 root 8u REG 0,9 0 3847 [eventpoll]
postfix 3519 root 9w FIFO 0,8 0t0 26121690 pipe
postfix 3519 root 10r FIFO 0,8 0t0 28281611 pipe
postfix 3519 root 11w FIFO 0,8 0t0 28281611 pipe
postfix 3519 root 12r FIFO 0,8 0t0 28281612 pipe
postfix 3519 root 13w FIFO 0,8 0t0 28281612 pipe
postfix 3519 root 14u REG 0,9 0 3847 [eventfd]
postfix 3519 root 15u REG 0,9 0 3847 [eventpoll]
postfix 3519 root 16r FIFO 0,8 0t0 28281614 pipe
postfix 3519 root 17w FIFO 0,8 0t0 28281614 pipe
postfix 3519 root 18u REG 0,9 0 3847 [eventfd]
postfix 3519 root 19r CHR 1,3 0t0 3851 /dev/null
postfix 3519 root 20u IPv4 28285824 0t0 TCP clientserver.com:41234->203.24.188.226:https (ESTABLISHED)

A normal Postfix process does not hold an outbound HTTPS connection; the established TCP session to port 443 on the last line is the giveaway.

So far we can only see that the process was started from a file called /usr/local/bin/.~2DCEDVa that has since been deleted: the executable was unlinked after the process started, so nothing remains on disk. That alone shows that the process is hiding something. Before you kill it, copy /proc/{process_id}/exe somewhere safe, because an unlinked binary can only be recovered while the process is still running; then kill it using kill -9 {process_id} and do further research.
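The checks made by hand on the lsof listing above, written as a small script so they can be applied to any process. This is an added example and not part of the original post; the sample listing inside it is a constructed excerpt of the output shown above, and /root/sample-<pid>.bin is an assumed location for preserving the binary.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the two checks made by
# hand on the lsof listing above to any process. The sample listing below is
# a constructed excerpt of that output; the path /root/sample-<pid>.bin is an
# assumed location for preserving the binary.

# flag_lsof: reads "lsof -p <pid>" output on stdin and prints one finding
# per line:
#   DELETED_EXE <path>      the program image (FD "txt") was unlinked
#   NET_ESTABLISHED <peer>  the process holds an established TCP connection
flag_lsof() {
    awk '
        # columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
        # lsof appends "(deleted)" to NAME when the file is gone from disk
        $4 == "txt" && $NF == "(deleted)" { print "DELETED_EXE " $(NF-1) }
        # for a socket, NAME is "local->remote" followed by the state
        $8 == "TCP" && $NF == "(ESTABLISHED)" { print "NET_ESTABLISHED " $9 }
    '
}

# is_suspicious: exit 0 when flag_lsof reports anything, 1 otherwise
is_suspicious() {
    [ -n "$(flag_lsof)" ]
}

# triage_pid PID: live version. Save the executable from /proc first; once the
# process is killed, an unlinked binary cannot be recovered from disk.
triage_pid() {
    pid="$1"
    exe=$(readlink "/proc/$pid/exe") || return 2
    echo "exe: $exe"
    case "$exe" in
        *" (deleted)")
            cp "/proc/$pid/exe" "/root/sample-$pid.bin" &&
                echo "saved binary to /root/sample-$pid.bin" ;;
    esac
    lsof -p "$pid" | flag_lsof
}

# sample_lsof: constructed excerpt of the infected listing above
sample_lsof() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
postfix 3519 root cwd DIR 252,1 4096 2 /
postfix 3519 root txt REG 252,1 1425192 7857 /usr/local/bin/.~2DCEDVa (deleted)
postfix 3519 root 1w CHR 1,3 0t0 3851 /dev/null
postfix 3519 root 5u sock 0,6 0t0 26121337 can't identify protocol
postfix 3519 root 20u IPv4 28285824 0t0 TCP clientserver.com:41234->203.24.188.226:https (ESTABLISHED)
EOF
}

# sample_lsof_clean: constructed listing of a normal daemon for comparison
sample_lsof_clean() {
    cat <<'EOF'
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
master 1201 root txt REG 252,1 231840 9301 /usr/libexec/postfix/master
master 1201 root 12u IPv4 19342 0t0 TCP *:smtp (LISTEN)
EOF
}

# Usage: sample_lsof | flag_lsof      (or on a live host: triage_pid 3519)
```

On a live host, run triage_pid with the PID from ps; it prints the resolved executable, saves a copy if the image has been deleted, and then lists the same two findings. A listening socket on a real daemon, as in the clean sample, is deliberately not flagged: only established outbound sessions are.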

Every infected installation has in common that a line starting one of the randomly named files (see the list above) has been added to /etc/rc.local, so the malware is restarted on every boot. So far we have found that the file is always 831584 bytes in size. If that is the case, remove the file and remove the line from /etc/rc.local.
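A script that hunts for the indicators given above (the four paths, the 831584-byte size and the MD5 checksum) and for any other file started from /etc/rc.local that matches them, since the filenames are random. This is an added example and not part of the original post; the only values taken from the post are the indicators themselves, and the rc.local it examines is whatever file you pass in.

```shell
#!/bin/sh
# Added example, not part of the original post: hunt for the indicators given
# above. IOC_PATHS, IOC_SIZE and IOC_MD5 are the values from the post; the
# rc.local checked is whatever file is passed in.

IOC_PATHS="/usr/sbin/userntectl /usr/bin/chgae /usr/sbin/eixm /usr/bin/newrgp"
IOC_SIZE=831584
IOC_MD5=0fbee0805fae573d6f5c8745a9f63b27

# md5_of FILE: hex MD5 digest, using whichever tool the host has
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then md5 -q "$1"
    else openssl md5 -r "$1" | cut -d' ' -f1
    fi
}

# check_file_ioc FILE: compare FILE with the size and hash indicators.
# Prints MATCH, SIZE_MATCH_MD5_DIFF, SIZE_MISMATCH or MISSING; exits 0 only
# on a full match. Size is checked first so the hash is only computed for
# candidates of the right length.
check_file_ioc() {
    f="$1"
    [ -f "$f" ] || { echo "MISSING $f"; return 1; }
    size=$(wc -c < "$f" | tr -d ' ')
    if [ "$size" -ne "$IOC_SIZE" ]; then
        echo "SIZE_MISMATCH $f $size"; return 1
    fi
    if [ "$(md5_of "$f")" = "$IOC_MD5" ]; then
        echo "MATCH $f"; return 0
    fi
    echo "SIZE_MATCH_MD5_DIFF $f"; return 1
}

# rc_local_paths FILE: every absolute path on a non-comment line of FILE.
# The malware uses random names, so do not rely on the known list alone.
rc_local_paths() {
    grep -v '^[[:space:]]*#' "$1" | grep -o '/[^[:space:];&|]*' | sort -u
}

# hunt_rc_local FILE: report known IOC paths and any referenced file whose
# size and MD5 match the indicators. Exits 0 if anything was found.
hunt_rc_local() {
    rc="$1"; hit=1
    for p in $(rc_local_paths "$rc"); do
        for k in $IOC_PATHS; do
            [ "$p" = "$k" ] && { echo "KNOWN_IOC $p"; hit=0; }
        done
        [ -f "$p" ] && check_file_ioc "$p" | grep -q '^MATCH' &&
            { echo "MATCH $p"; hit=0; }
    done
    return $hit
}

# Usage: hunt_rc_local /etc/rc.local && echo "remove the file and its rc.local line"
```

Run hunt_rc_local against /etc/rc.local; a KNOWN_IOC line means one of the listed names is started at boot, and a MATCH line means a file under a name not yet on the list has the same size and checksum. Either way, take a copy of the file before removing it and the line that starts it.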

How to clean your server

As the file is obfuscated, it is unknown what its exact purpose is or what damage has been done. Looking at the timestamps of the files is no help either, as the malware modifies its own modification time. As a security measure we recommend reinstalling the server and changing all passwords on it. It is possible that websites have been compromised as well, but so far we have no proof of this.

Updates and more information

Please let us know when you have more information about this problem.

Disclaimer

This blog is written for informative purposes only. We do not take any responsibilities for any damage or problems that arise because of this advice. Use a professional if you are unsure and always keep backups.
