January 28, 2014 at 5:01 pm #43834
Hello, can we get any details on this? I’d like to know if there is any way to apply the profile fixes without upgrading.
Also, does closing the web access block the issue?
January 28, 2014 at 7:15 pm #53145
On YouTube you can find a video that illustrates how to gain access to Zeroshell without knowing the admin’s password. Surely, if you restrict the http access you mitigate the issue.
Fulvio
January 28, 2014 at 8:13 pm #53146
All versions of Zeroshell older than release 2.0.RC3 are vulnerable because of the possibility to execute code remotely via the web interface in a non-authenticated mode. This well-documented vulnerability has been exploited to introduce an executable within the profiles that makes connections to some DNS with the aim of producing a DDoS, resulting in bandwidth consumption.
Even release 2.0.RC3 may be subject to the attack if the configuration profile comes from a previous version that was already compromised. Release 3.0.0 is able to detect a compromised profile and clean it. In view of the gravity of the problem, it is recommended to migrate as soon as possible to release 3.0.0 to be sure that Zeroshell is not running a compromised profile.
Thank you for the information.
January 29, 2014 at 11:37 am #53147
I can confirm that the details outlined in the video on YouTube allow full access to the Zeroshell; the only protection against this attack other than updating is closing the web access except for your whitelisted IPs.
Other than that, could someone explain how to identify the traces of the exploits installed?
January 29, 2014 at 12:28 pm #53148
Other than that, could someone explain how to identify the traces of the exploits installed?
Check manually. Connect over SFTP and look at the files in the subfolders of /DB.
Over SSH, run ps -ax and see whether anything is running from /DB or its subfolders.
PS: SFTP access may require changing the shell. Connect over SSH, run chsh, and enter /bin/bash.
PS2: To switch the shell back, run chsh and enter /root/kerbynet.cgi/scripts/localman, or simply reboot the Zeroshell router.
February 12, 2014 at 11:29 am #53149
We observed that there is a hidden process (it only shows up when running top) called .DB.001.
This process is launched by the Database-Cron (Startup Cron -> Cron Database)
You can see if you are affected by doing:
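The manual checks from the two replies above (files in the /DB subfolders, processes running from /DB, the cron-launched hidden .DB.001 process), collected into one read-only audit script as an added example; this is not code from the thread or from Zeroshell itself, and the DB_ROOT path, the ps/crontab input formats and all sample data are assumptions or constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the forum posts: a read-only audit implementing the
# checks the thread describes -- processes running from /DB, hidden files under
# /DB (such as the .DB.001 name mentioned) and cron entries referencing /DB.
# DB_ROOT, the input formats and all sample data are assumptions/constructed.
DB_ROOT="${DB_ROOT:-/DB}"

# Processes whose executable lives under $DB_ROOT.
# Reads "<pid> <command> [args]" lines on stdin, e.g. from: ps -eo pid=,args=
db_processes() {
    awk -v root="$DB_ROOT/" 'index($2, root) == 1 { print $1, $2 }'
}

# Hidden (dot-named) regular files below a directory tree; a dot-name such as
# .DB.001 is the indicator from the thread, but each hit still needs review.
hidden_files() {
    find "$1" -type f -name '.*' 2>/dev/null | sort
}

# Non-comment crontab lines that invoke something under $DB_ROOT.
# Reads crontab text on stdin, e.g. from: crontab -l  or  cat /etc/crontab
db_cron_entries() {
    grep -v '^[[:space:]]*#' | grep -- "$DB_ROOT/" || true
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_PS='  812 /usr/sbin/sshd -D
 1040 /DB/example_profile/.DB.001
 1101 /root/kerbynet.cgi/scripts/localman'
SAMPLE_CRON='# m h dom mon dow command
*/5 * * * * /DB/example_profile/.DB.001
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf'

# Run the three checks over the given ps text, crontab text and directory.
# Returns 1 (and prints the findings) when anything was flagged, else 0.
audit() {
    procs=$(printf '%s\n' "$1" | db_processes)
    cron=$(printf '%s\n' "$2" | db_cron_entries)
    files=$(hidden_files "$3")
    printf 'processes from %s:\n%s\ncron entries:\n%s\nhidden files:\n%s\n' \
        "$DB_ROOT" "$procs" "$cron" "$files"
    [ -z "$procs$cron$files" ]
}

# Offline demonstration against the constructed samples; on a live box use
# audit "$(ps -eo pid=,args=)" "$(crontab -l 2>/dev/null)" "$DB_ROOT".
audit "$SAMPLE_PS" "$SAMPLE_CRON" /nonexistent-dir || echo "indicators found"
```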