Back in October 2017 DirectAdmin released version 1.52.1 with a cryptic message about a bug that could provide unauthorised access. The exact impact, and access to what, was unknown until today. To underline the importance, DirectAdmin issued CVE-2017-18045. But what is this security bug really, and what implications does it have?
Recently we have been seeing reports from clients about legitimate-looking processes that consume all of their CPU. To be specific, these clients manage their own servers and have their own policy on when to update. We always update within a few weeks or immediately, depending on the impact of the security flaw. Before you continue, make sure that you update to DirectAdmin 1.52.1 first! All our managed servers are up to date.
The process names differ and so do the filenames. Be aware that you should make a backup before removing the files. If you are unsure, contact us for our management services via the chat button in the bottom right corner.
The md5sum of these files is 0fbee0805fae573d6f5c8745a9f63b27.
We have also found that these files try to disguise themselves by renaming the process to something like exim or Postfix. If you are unsure whether a process is a normal server process, get its process id and run the following:
lsof -p {process_id}
This will output something like this:
A normal Postfix installation does not open HTTPS connections.
So far we can only see that the process was launched from a deleted file called /usr/local/bin/.~2DCEDVa. This alone shows that the process is hiding something, so it is safe to kill it using kill -9 {process_id} and to investigate further.
All affected installations have in common that a line with a random filename has been added to /etc/rc.local (check the list above). So far the file has always been 831584 bytes in size. If that is the case, remove the file and remove the line from /etc/rc.local.
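As an added example (not from the original post and not DirectAdmin's code), the following POSIX shell helpers automate the two checks described above: whether a process is running from a deleted binary, which is what the lsof output shows, and whether /etc/rc.local references a file with the reported size or md5sum. It assumes a Linux host with /proc mounted and coreutils md5sum; the demo function builds a constructed rc.local in a temporary directory, so it can be tried without touching the real system.

```shell
#!/bin/sh
# Triage helpers for the indicators described in the post (added example, not
# part of the original article). Assumes a Linux host with /proc mounted and
# coreutils md5sum; the size and hash are the values reported in the post.

IOC_SIZE=831584
IOC_MD5=0fbee0805fae573d6f5c8745a9f63b27

# file_size FILE: print the size in bytes.
file_size() {
    wc -c < "$1" | tr -d ' '
}

# file_md5 FILE: print the md5 hex digest (empty if md5sum is unavailable).
file_md5() {
    md5sum "$1" 2>/dev/null | cut -d' ' -f1
}

# matches_ioc FILE: succeed if FILE has the reported size or the reported md5.
matches_ioc() {
    [ -f "$1" ] || return 1
    [ "$(file_size "$1")" = "$IOC_SIZE" ] && return 0
    [ "$(file_md5 "$1")" = "$IOC_MD5" ] && return 0
    return 1
}

# scan_rc_local RC_FILE: print every absolute path mentioned in RC_FILE whose
# target matches the indicators; succeed only if at least one was found.
scan_rc_local() {
    found=1
    for p in $(grep -o '/[^[:space:];&|]*' "$1" 2>/dev/null); do
        if matches_ioc "$p"; then
            echo "$p"
            found=0
        fi
    done
    return $found
}

# proc_exe_deleted PID: succeed if the process image was unlinked from disk,
# the "(deleted)" state the post's lsof output shows for the miner.
proc_exe_deleted() {
    exe=$(readlink "/proc/$1/exe" 2>/dev/null) || return 1
    case "$exe" in
        *" (deleted)") return 0 ;;
        *) return 1 ;;
    esac
}

# list_deleted_exe_procs: print "PID EXE" for every process running from a
# deleted binary; each hit deserves the lsof check from the post before killing.
list_deleted_exe_procs() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        proc_exe_deleted "$pid" && echo "$pid $(readlink "$d/exe")"
    done
    return 0
}

# demo: build a constructed rc.local in a temporary directory (an 831584-byte
# dummy next to a small benign file) and print what scan_rc_local flags.
demo() {
    tmp=$(mktemp -d)
    head -c "$IOC_SIZE" /dev/zero > "$tmp/.~2DCEDVa"
    head -c 100 /dev/zero > "$tmp/benign"
    printf '#!/bin/sh\n%s/benign\n%s/.~2DCEDVa &\nexit 0\n' "$tmp" "$tmp" > "$tmp/rc.local"
    scan_rc_local "$tmp/rc.local"
    rm -rf "$tmp"
}

case "${1:-}" in
    demo) demo ;;
    scan) scan_rc_local /etc/rc.local; list_deleted_exe_procs ;;
esac
```

Run it with `scan` on a suspect host to check the real /etc/rc.local and every running process, or with `demo` to see it flag only the constructed 831584-byte file. Because the post notes that the process renames itself to exim or Postfix, the process check keys on the deleted-image state rather than on the process name.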
How to clean your server
Because the file is encoded, its exact purpose and the damage it has done are unknown. Looking at the timestamps of the files does not help either, because the file modifies its timestamp after it was last edited. As a security measure we recommend reinstalling the server and changing all passwords on it. It is of course possible that websites have been hacked, but so far we have no proof of this.
Updates and more information
Please let us know when you have more information about this problem.
Disclaimer
This blog is written for informative purposes only. We do not take any responsibilities for any damage or problems that arise because of this advice. Use a professional if you are unsure and always keep backups.