brent saner via plug on 4 Sep 2023 11:40:23 -0700



Re: [PLUG] Malware Webshell Infection. - Advice Needed


On Mon, Sep 4, 2023 at 11:34 AM Casey Bralla via plug <plug@lists.phillylinux.org> wrote:

> (SNIP)

> As some have mentioned, I have had a passwordless rsync daemon running on the compromised server.


AAAAAnd there's your problem.

> (I have my public key stored in the .ssh/authorized_keys file.)

That's great and all, but the rsync daemon does not use SSH. Whatsoever.

When you do

rsync my/local/path/. someuser@somehost:/some/path/.

it uses an SSH tunnel, spawns rsync on the remote, and uses that for the file transfer - essentially tunneling the RSYNC protocol over SSH. Which is the "right" way to do this for your use case.

The rsync daemon, on the other hand, uses the RSYNC protocol (rsync://) with no SSH tunneling whatsoever. Because you disabled authentication/authorization in the rsync daemon config, it is indeed wide open to the entire world. (Or whatever the firewall to port 873 allows.) From recollection, you CAN do TLS authentication/authorization/tunneling for rsync --daemon, but you are not doing that here.

Don't run rsyncd/rsync --daemon unless you know what you're doing, why you're doing it, and why you would need it instead of just plain ol' SSH-tunneled RSYNC. You do not need the rsync daemon to run to use RSYNC over SSH whatsoever.
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
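Added example, not from the thread and not part of rsync itself: a small POSIX sh audit that parses an rsyncd.conf and flags modules that, like the one described above, set no "auth users" (which leaves the module open to any host that can reach port 873 unless "hosts allow" restricts it). The sample config, its module names, paths and the 192.0.2.10 address are constructed for the demonstration.

```shell
#!/bin/sh
# Audit an rsyncd.conf for modules that accept anonymous clients.
# Modules are [name] sections. A module with no "auth users" answers any
# client; with no "hosts allow" either, that means the whole Internet.

# Constructed sample config (not from the original post): the weak module
# discussed in the thread next to a hardened version of the same share.
SAMPLE_CONF='
use chroot = yes

[backup]
    path = /srv/backup
    read only = no

[backup-hardened]
    path = /srv/backup
    read only = no
    auth users = backupuser
    secrets file = /etc/rsyncd.secrets
    hosts allow = 192.0.2.10
'

# audit_rsyncd_conf FILE
# Prints "<module> anonymous hosts_allow=<value|none>" for every module that
# has no "auth users"; exit status 1 if any such module exists, else 0.
audit_rsyncd_conf() {
    awk '
        function flush() {
            if (mod != "" && !auth) {
                printf "%s anonymous hosts_allow=%s\n", mod, (hosts == "" ? "none" : hosts)
                bad = 1
            }
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments and blank lines
        /^[ \t]*\[.*\][ \t]*$/ {                            # start of a new module
            flush(); mod = $0
            gsub(/^[ \t]*\[/, "", mod); gsub(/\][ \t]*$/, "", mod)
            auth = 0; hosts = ""; next
        }
        mod != "" {                                         # "key = value" inside a module
            key = $0; sub(/=.*$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "auth users" && val != "") auth = 1
            if (key == "hosts allow") hosts = val
        }
        END { flush(); exit bad }
    ' "$1"
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp); printf '%s\n' "$SAMPLE_CONF" > "$tmp"
audit_rsyncd_conf "$tmp" || echo "WARNING: anonymous rsync module(s) found"
rm -f "$tmp"
```

Point it at the real /etc/rsyncd.conf to check a live daemon; a clean config produces no output and exit status 0.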