Britt Adams1709156619, posted November 7, 2023:
Downloading the configuration backup is blocked by Microsoft Defender as containing a virus of Backdoor:PHP/Chopper.E!dha. Has anybody else run into this?

CarlStalhood, posted November 7, 2023:
It's possible that you backed up an older appliance that was vulnerable and had Indicators of Compromise.

CarlStalhood, posted November 7, 2023:
See https://github.com/citrix/ioc-scanner-CVE-2019-19781/

Britt Adams1709156619 (author), posted November 7, 2023:
Quoting Carl Stalhood1709151912: "It's possible that you backed up an older appliance that was vulnerable and had Indicators of Compromise."
Seems kind of odd, given that the VPX was set up from scratch a year ago with the most recent 13.0 appliance version at that time.

Jens Ostkamp, posted November 9, 2023:
Quoting Britt Adams1709156619 (11/7/2023 at 10:28 PM): "Seems kind of odd, given that the VPX was set up from scratch a year ago with the most recent 13.0 appliance version at that time."
So was it updated since then? There have been four major security vulnerabilities within the last months, and if you recently backed up your NetScaler without having these CVEs mitigated, there is a high possibility that you have been compromised on that appliance. The mentioned .php files from the Defender screenshot look odd as well. Manipulated PHP files have been used to steal credentials after compromising an appliance. You may want to look into these mentioned PHP files and search for some odd code.
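One way to do the check Jens describes on a downloaded backup, as an added example that is not from this thread or from Citrix: the script below lists the PHP files inside a .tar.gz configuration backup, reports each file's modification time against a cut-off date, and flags files containing constructs typical of web shells so they can be read by hand. The archive it scans is constructed in memory; its paths, dates and contents are illustrative, not real NetScaler paths, and the cut-off date is an assumed value.

```python
import io
import re
import tarfile
from datetime import datetime, timezone

# Constructs rarely legitimate in an appliance's own PHP files; a hit means
# "open and read this file", not proof of compromise.
SUSPICIOUS = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|base64_decode|str_rot13)\s*\(",
    re.IGNORECASE)
# Assumed cut-off: files modified after the last known-good date get flagged.
CUTOFF = datetime(2023, 7, 1, tzinfo=timezone.utc)

def scan_backup(data: bytes, modified_after: datetime) -> list[dict]:
    """One record per .php file in a .tar.gz backup: path, mtime, recent?, hits."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not (member.isfile() and member.name.endswith(".php")):
                continue
            content = tar.extractfile(member).read()
            mtime = datetime.fromtimestamp(member.mtime, tz=timezone.utc)
            hits = sorted({m.group(1).decode().lower()
                           for m in SUSPICIOUS.finditer(content)})
            findings.append({"path": member.name, "mtime": mtime,
                             "recent": mtime > modified_after, "hits": hits})
    return findings

# Constructed sample archive; paths, dates and contents are illustrative,
# not real NetScaler paths. One benign file, one with a web-shell pattern.
SAMPLE_FILES = [
    ("backup/www/index.php", b"<?php echo 'login'; ?>", "2022-11-01"),
    ("backup/www/helper.php", b"<?php @eval(base64_decode($_REQUEST['x'])); ?>", "2023-08-15"),
]

def build_sample_backup() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content, date in SAMPLE_FILES:
            info = tarfile.TarInfo(name=name)
            info.size = len(content)
            info.mtime = int(datetime.strptime(date, "%Y-%m-%d")
                             .replace(tzinfo=timezone.utc).timestamp())
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

if __name__ == "__main__":
    for f in scan_backup(build_sample_backup(), CUTOFF):
        flag = "SUSPECT" if f["hits"] or f["recent"] else "ok"
        print(f"{flag:7} {f['mtime']:%Y-%m-%d} {f['path']} {' '.join(f['hits'])}")
```

To run it on a real backup, replace `build_sample_backup()` with the bytes of the downloaded archive and set `CUTOFF` to the last date the appliance was known to be clean.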
Britt Adams1709156619 (author), posted November 9, 2023:
Quoting Jens Ostkamp (1 hour ago):
Yes, we have been very diligent on updating and have updated the appliance as quickly as possible when the releases have come out. The files look like Campaign #3 from https://www.shadowserver.org/news/technical-summary-of-observed-citrix-cve-2023-3519-incidents/ which was July of this year. File dates were in August. Ultimately Citrix support said they do not care, not their problem. I am building a new VPX for now and looking for a replacement of the entire Citrix platform.

Jens Ostkamp, posted November 22, 2023:
Quoting Britt Adams1709156619 (11/9/2023 at 3:55 PM):
Yup, Citrix support has been incredibly disappointing recently, unfortunately.