Hi All,
I believe that a number of people on this list are running Trixbox and I
haven't seen any mention of this on the list, but there is a remote
exploit doing the rounds, for all versions of Trixbox up to and including
the latest (2.6.1).
I believe there is a bot running and automatically exploiting vulnerable
boxes.
See more details here:
http://trixbox.org/forums/trixbox-forums/open-discussion/critical-remote-root-exploit-trixbox-wild
As of now, there is no update from Fonality correcting the problem.
If running Trixbox, you are only vulnerable if your box is directly on
the internet and port 80 or 443 is exposed.
The problem is in the file /var/www/html/user/index.php
A quick workaround (if you haven't been infected) is to rename this file
until a fix becomes available.
One way to check whether you have been "infected" by this particular bot
is to run the following command:

    netstat -tuna | grep 6667

If you get a result, it means that your box has made an IRC (port 6667)
connection to a server (a typical method of controlling bots).
In my research, I also found a process called httpdse (ps aux | grep
httpdse) which appeared to belong to the bot. There was also a file in
/tmp called .k and variations thereof which contained the executable code.
Hope this helps
Martin
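
The three checks from the message above, collected into one script as an added example that is not part of Martin's post. The function names and the netstat sample are constructed for illustration, and it assumes the "variations" of .k share the ".k" prefix. It matches port 6667 only in the foreign-address column, since a bare grep for 6667 also matches local ephemeral ports such as 46667.

```shell
#!/bin/sh
# Added example (not from the original post): triage for the three
# indicators Martin lists. Filters read stdin so saved output works too.

# netstat lines whose FOREIGN address (column 5) is port 6667.
# A bare "grep 6667" also hits local ephemeral ports such as 46667.
irc_conns() {
    awk '$1 ~ /^(tcp|udp)/ && $5 ~ /:6667$/'
}

# "ps aux" lines whose command (column 11) has basename httpdse;
# unlike "ps aux | grep httpdse" this never matches the grep itself.
bot_procs() {
    awk '{ n = split($11, p, "/"); if (p[n] == "httpdse") print }'
}

# Regular files named .k* directly in a directory (default /tmp).
# Assumption: the "variations" of .k share the ".k" prefix.
tmp_droppers() {
    find "${1:-/tmp}" -maxdepth 1 -type f -name '.k*' 2>/dev/null
}

# Constructed sample, not captured from a real host.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:46667        198.51.100.7:443        ESTABLISHED
tcp        0      0 192.0.2.10:51812        203.0.113.5:6667        ESTABLISHED
EOF
}

# Run all three checks on the live system; returns 1 if anything is found.
triage() {
    found=0
    netstat -tuna 2>/dev/null | irc_conns | grep . && found=1
    ps aux 2>/dev/null | bot_procs | grep . && found=1
    tmp_droppers /tmp | grep . && found=1
    return "$found"
}

if [ "${1:-}" = "--live" ]; then
    triage
else
    sample_netstat | irc_conns    # demo on the constructed sample
fi
```

Run it with --live on the Trixbox host itself. A clean result only covers the indicators named in the message.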