Is this exploit still a thing? CVE-2013-3632

  • Hi there


    I just had the crontab for my main non-root user replaced with something that installed a miner on my server. I saw there were 2 HTTP POST commands in my nginx logs at the exact same time that the syslog showed the crontab being replaced. Nothing in my SSH logs either to show entry into my server.


    I found this exploit online, so I'm curious whether this has been fixed. I'm leaning towards this being the point of entry. I disabled port 80 from the outside, reset my passwords and ran rootkit scanners and found nothing, so hopefully I mitigated it. I have a website on 443 but nothing happened with that from what I can see in the logs.


    Using OMV 3.0.96


    https://www.cvedetails.com/cve/cve-2013-3632 - The Cron service in rpc.php in OpenMediaVault allows remote authenticated users to execute cron jobs as arbitrary users and execute arbitrary commands via the username parameter.


    Cheers!
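A defensive check for the pattern this post describes, added here as an example and not part of the original thread: correlate POST requests in the nginx access log with syslog records of a user crontab being replaced, so a web-driven crontab rewrite with no matching SSH login stands out. The log lines, host name, user name, IP addresses and year are constructed for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample log lines (not from the original post): two POSTs to the
# web RPC endpoint, then a syslog record of a non-root user's crontab being
# replaced one second later. Host "nas", user "alice" and the year are made up.
NGINX_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:35 +0000] "POST /rpc.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /rpc.php HTTP/1.1" 200 134 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:14:10:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/8.0"
"""
SYSLOG = """\
Oct 10 13:55:36 nas crontab[4521]: (alice) REPLACE (alice)
Oct 10 14:17:01 nas CRON[4600]: (root) CMD (cd / && run-parts --report /etc/cron.hourly)
"""

# nginx "combined" access-log format and the line crontab(1) logs when a crontab is replaced.
NGINX_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')
CRONTAB_RE = re.compile(r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ crontab\[\d+\]: '
                        r'\((?P<user>[^)]+)\) REPLACE \((?P<target>[^)]+)\)')

def parse_nginx(text):
    """Yield (timestamp, ip, method, path) for each well-formed access-log line."""
    for line in text.splitlines():
        m = NGINX_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"], m["method"], m["path"]

def parse_crontab_replaces(text, year, tz=timezone.utc):
    """Yield (timestamp, crontab owner) for syslog lines recording a crontab replacement.
    Traditional syslog omits the year, so the caller supplies it (assumed UTC here)."""
    for line in text.splitlines():
        m = CRONTAB_RE.match(line)
        if m:
            stamp = " ".join(m["ts"].split())  # collapse the double space of single-digit days
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
            yield ts, m["target"]

def correlate(nginx_text, syslog_text, year, window_s=5):
    """Return POSTs that landed within window_s seconds before each crontab replacement.
    A non-root crontab rewrite with no shell login but a matching POST to the web RPC
    endpoint is the pattern the post above describes, so this is what to look for."""
    requests = list(parse_nginx(nginx_text))
    hits = []
    for cron_ts, owner in parse_crontab_replaces(syslog_text, year):
        for req_ts, ip, method, path in requests:
            lag = (cron_ts - req_ts).total_seconds()
            if method == "POST" and 0 <= lag <= window_s:
                hits.append({"owner": owner, "ip": ip, "path": path, "lag_s": lag})
    return hits
```

Run `correlate(NGINX_LOG, SYSLOG, 2023)` to get the two matching POSTs; on a real box feed it the access log and syslog for the day the crontab changed and the year of that day.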

    • Official post

    Pretty sure this has been fixed but just another reason why I wouldn't expose the OMV web interface to the internet. I would change all of your passwords on the machine and the username that had its crontab replaced at minimum. And if they were a good hacker, they would've cleaned up their logs...

    omv 7.0.4-2 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.10 | compose 7.1.2 | k8s 7.0-6 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • Thanks subzero79 for that page. Looking at the bug report on that page, it says it wouldn't be fixed. Guess that still brings me back to my question... I think this is still exploitable if you don't lock down your webpage. And how did they get in if I had changed those login accounts on the webpage?


    And you're right ryecoaaron, I shouldn't have had that exposed to the internet if I didn't have at least a second login (htpasswd), so that's my mistake and it has been corrected.


    Just thought I would ask... but no worries, I'll just hope it won't happen again.


    Cheers!

  • Thanks for the update voltdev... but they didn't use root cron (unless I misunderstand what you are saying). It was a regular user that had their cron replaced.
    I'm just concerned how they got past the login on the WebUI to do this if this isn't an exploit/problem. The admin login password was not the default.

    • Official post

    I'm just concerned how they got past the login on the WebUI

    Is your password too simple?

