Last update: 2024-03-25, edited by 888u
PS: Following the poisoning of the OneinStack one-click package, the LNMP.ORG (Jun's) one-click package has also been poisoned. Webmasters and enterprises who use this program should immediately check whether they have been infected.
Event Announcement
Recently, Anheng Information CERT detected a supply chain poisoning attack on LNMP: malicious programs were implanted in the installation package downloaded from the official lnmp.org website. To date, most threat intelligence platforms have not yet flagged the relevant IoCs. Users of RedHat-family systems who have recently downloaded LNMP from the lnmp.org official website and deployed it are advised to carry out the self-check below.
Event analysis
The LNMP one-click installation package is a Linux shell program that installs an LNMP (Nginx/MySQL/PHP), LNMPA (Nginx/MySQL/PHP/Apache) or LAMP (Apache/MySQL/PHP) production environment on CentOS, Debian, Ubuntu and other distributions, on VPSs or dedicated hosts.
The MD5 of the downloaded installer does not match the value published on the official website
In the installer downloaded from the lnmp.org official website (lnmp2.0.tar.gz, MD5 40bdcf7fd65a035fe17ee860c3d2bd6e), the attacker implanted malicious code into lnmp2.0/include/init.sh.
Comparison of poisoned files and normal installation files
Among the dropped files, lnmp.sh is the implanted malicious binary. When executed it first checks whether the system is a RedHat-family server, then downloads the malicious archive from download.lnmp.life, extracts it to /var/local/cron, and achieves persistence through the crond service.
Malicious commands executed by lnmp.sh
The implant then establishes DNS tunnel communication with its command-and-control infrastructure through the crond process.
Self-examination methods
1. Check whether the MD5 of the downloaded installer matches the value published on the official website
File name: lnmp2.0.tar.gz
Normal file MD5:
1236630dcea1c5a617eb7a2ed6c457ed
Poisoned file MD5:
40bdcf7fd65a035fe17ee860c3d2bd6e
2. Check the integrity of /usr/sbin/crond and whether the file has been changed recently:
stat /usr/sbin/crond
rpm -Vf /usr/sbin/crond
rpm -Vf prints nothing when every file of the package that owns crond is unchanged; a line containing "5" (checksum) or "S" (size) means the binary has been replaced. Because an attacker can reset a file's modification time, treat the rpm verification as the more reliable of the two checks and the stat output only as supporting evidence.
Checking the integrity of /usr/sbin/crond with rpm
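The two self-check steps above, plus a scan of network state for the advisory's IoCs, gathered into one script. This is an added example written for this page, not Anheng CERT's or lnmp.org's own tooling; it assumes GNU coreutils (md5sum, stat -c) and, for the package check, an RPM-based system such as the RedHat-family hosts the implant targets. The sample connection lines used in the usage note are constructed, not captured from a real infection.

```shell
#!/bin/sh
# Added self-check helper for the LNMP poisoning described above (not Anheng CERT's
# or lnmp.org's code). Assumes GNU coreutils (md5sum, stat -c) and, for the package
# check, an RPM-based system.

GOOD_MD5=1236630dcea1c5a617eb7a2ed6c457ed   # lnmp2.0.tar.gz as published by lnmp.org
BAD_MD5=40bdcf7fd65a035fe17ee860c3d2bd6e    # poisoned lnmp2.0.tar.gz

# Network IoCs from the advisory, as one extended-regex alternation.
IOC_PATTERN='lnmp\.site|lnmp\.life|123\.56\.51\.37|47\.243\.127\.139'

# Map an MD5 string to clean / poisoned / unknown.
classify_md5() {
    case "$1" in
        "$GOOD_MD5") echo clean ;;
        "$BAD_MD5")  echo poisoned ;;
        *)           echo unknown ;;
    esac
}

# Hash a downloaded tarball and classify it.
check_tarball() {
    classify_md5 "$(md5sum "$1" | awk '{print $1}')"
}

# Count lines on stdin that mention an IoC domain or IP. Feed it the output of
# `ss -tnp`, `lsof -ni`, or a DNS query log from the resolver.
count_ioc_hits() {
    grep -E "$IOC_PATTERN" | wc -l | tr -d ' '
}

# Host-side checks for the persistence mechanism: the drop directory and the
# crond binary. rpm -Vf prints nothing when the owning package is intact.
check_crond() {
    if [ -d /var/local/cron ]; then
        echo "WARN: /var/local/cron exists (drop directory used by the implant)"
    fi
    stat -c '%n  mtime=%y  ctime=%z' /usr/sbin/crond 2>/dev/null
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf /usr/sbin/crond || echo "WARN: rpm reports modified files in the package owning crond"
    fi
}

# Usage: sh lnmp-check.sh /path/to/lnmp2.0.tar.gz
if [ -n "${1:-}" ]; then
    echo "tarball: $(check_tarball "$1")"
    check_crond
    echo "IoC hits in current connections: $(ss -tnp 2>/dev/null | count_ioc_hits)"
fi
```

A result of `unknown` from check_tarball is not a clean bill of health; it only means the download is neither the published release nor the one poisoned copy this advisory hashed, so inspect include/init.sh by hand in that case. count_ioc_hits matches on the bare domain and IP strings, so it also catches subdomains such as download.lnmp.life and resolver logs that record the queried name rather than a socket.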
IoC
The malicious domain name was registered on 2023-08-28 13:43:27, so it cannot be ruled out that the official installation package was already poisoned as early as August.
Domains:
lnmp.site
download.lnmp.life
IP addresses:
123.56.51.37
47.243.127.139
File hashes (MD5):
(file name not preserved in the source) | 9cb3c03bbdb49f17e6a0913c7c6896b2
libad                                   | 98d3136d5c60c33c1a829349e2040221
install                                 | c55a7752011a6c0ddc6eedb65e01af89
cr.jpg                                  | 391547bd2be60733ff1136b277648ef4
s.jpg                                   | 61ad56eec18a2997f526c19b4f93958c
libseaudit.so.2.4.6                     | 76f524d8a6900f4dd55c10ddaffea52d
lnmp.sh                                 | d5f083ae4ff06376b7529a977fa77408
lnmp2.0.tar.gz                          | 40bdcf7fd65a035fe17ee860c3d2bd6e
Anheng Information CERT, September 2023
This article is reprinted from: https://mp.weixin.qq.com/s/OT7C1l5rjBNCawFXRIUJOQ