
The GetPageSpeed repo has been hacked. Anyone with the repo installed will have malicious code installed on their box by yum update, including the file /etc/cron.d/sysstat2. I've notified GetPageSpeed, but it is 1am their time.

How do I warn people about this repo? Is there some way to warn anyone with the file /etc/cron.d/sysstat2 on their system that they have been compromised?

Specifics at "CentOS 7 hacked" and "How did installing this RPM create a file?"

As of 6/25/19, the malicious packages have been removed from the repo and new ones published that remove the cron job they installed.

Pascal
  • Canonical made all recent Ubuntu installs phone home to fetch text snippets that are added to *motd* (displayed on logon). After inevitably more compromises of external / unsupported repositories happen, I expect this question to receive an additional answer that directs to the distro security teams to activate such mechanism. – anx Jun 25 '19 at 03:14
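
A defender-side check for the situation the question describes, added here as an example and not code from the question, the answers or GetPageSpeed: it tests for the indicator file named above (/etc/cron.d/sysstat2) and lists installed packages that came from a given yum repository id. The repository id pattern (GETPAGESPEED_REPO_ID) and the sample yum output are assumptions/constructed; take the real id from /etc/yum.repos.d/*.repo.

```shell
#!/bin/sh
# Added example (not from the question or its answers). Reports whether the
# indicator file from the question exists and which installed packages came
# from a repo whose id matches GETPAGESPEED_REPO_ID (placeholder, assumption).
# The file is a known indicator only; its absence does not prove a clean host.

INDICATOR="${INDICATOR:-/etc/cron.d/sysstat2}"
GETPAGESPEED_REPO_ID="${GETPAGESPEED_REPO_ID:-getpagespeed}"   # placeholder pattern

# indicator_present PATH: exit 0 if the cron file exists, 1 otherwise.
indicator_present() {
    [ -e "$1" ]
}

# packages_from_repo REPO_PATTERN: reads "yum list installed" output on stdin and
# prints "name.arch version" for each package whose repo column (@repoid) starts
# with the pattern. yum wraps long package names onto a second line, so tokens
# are collected three at a time instead of trusting one line per package.
packages_from_repo() {
    awk -v pat="$1" '
        /^(Loaded plugins|Installed Packages)/ { next }
        {
            for (i = 1; i <= NF; i++) {
                tok[++n] = $i
                if (n == 3) {
                    if (tok[3] ~ ("^@" pat)) print tok[1], tok[2]
                    n = 0
                }
            }
        }'
}

# Constructed sample of "yum list installed" output (not captured from a real host).
SAMPLE_YUM_OUTPUT='Installed Packages
bash.x86_64                 4.2.46-34.el7               @base
example-module.x86_64       1.0.0-1.el7                 @getpagespeed-extras
example-long-package-name-that-wraps.noarch
                            2.3.4-5.el7                 @getpagespeed-extras'

# check_host: prints findings for this host; returns 1 if the indicator exists.
check_host() {
    rc=0
    if indicator_present "$INDICATOR"; then
        echo "INDICATOR PRESENT: $INDICATOR (owner: $(rpm -qf "$INDICATOR" 2>/dev/null || echo unknown))"
        rc=1
    else
        echo "indicator $INDICATOR not present (known indicator only, not proof of a clean host)"
    fi
    echo "packages from repos matching '$GETPAGESPEED_REPO_ID':"
    yum list installed 2>/dev/null | packages_from_repo "$GETPAGESPEED_REPO_ID"
    return "$rc"
}
```

Run check_host on the host itself; a non-zero exit means the indicator was found, and as the comments below note, the only safe response is to rebuild rather than to delete the cron file.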

1 Answer


There's no way to warn anyone with that file... sorry.

If you are trying to reach other users of that repository directly, I would suggest looking at their website and seeing where other users may be active: mailing list, Twitter, Facebook. In this particular instance they have Twitter, Facebook, and GitHub.

It's a shame this wasn't known sooner. He was just active 3 hours ago.

Aaron Copley
  • I don't understand how I would warn anyone on that company's Twitter, Facebook, or GitHub pages. Don't they control what is posted there? – Pascal Jun 24 '19 at 23:02
  • It may have been figured out in time, had my original question not been "marked as duplicate by Michael Hampton". Is it the policy of StackExchange not to assist with hacks? Seems to me that any time a server is hacked the entire community has a vested interest in figuring out how so that other servers don't get hacked the same way. – Pascal Jun 24 '19 at 23:06
  • @Pascal I think you have to keep in mind what is actually possible to answer for other SE users. The "hacked" type of questions generally are either non-questions or questions that the community cannot answer as the solution tends to require a good amount of hands-on investigation to figure out. That's why pointing at the generically phrased question with good generic answers actually makes sense for the most part. If your intention was to post a specific solution on your own, I suggest that you add that as a comment on your closed question and I would think it can be reopened. – Håkan Lindqvist Jun 24 '19 at 23:37
  • Pointing at helpful info is always good, I'm just not sure about closing a question as a duplicate when it clearly is not. – Pascal Jun 24 '19 at 23:55
  • @Pascal You can visit [meta] if you have concerns about moderation. Keep in mind that while that malicious payload might say "its ok haha" right now, it could have been anything else at 7:07 am. You cannot know your system is not still compromised, and the only reasonable thing to do is to blow it away and rebuild it, which is why your question was marked as a duplicate. – Michael Hampton Jun 25 '19 at 03:01
  • From what I understand, when you tweet at someone their followers can see it. That's what I meant. I am not a Tweeter, though, so... – Aaron Copley Jun 25 '19 at 16:40
  • @MichaelHampton: I think it's a real hack. The payload website is owned by somebody else. Nobody playing a prank would risk that. I contacted the owners of the payload website but I don't actually expect a meaningful response. – joshudson Jun 25 '19 at 16:58
  • @joshudson I'm quite certain it's a real hack. That's the whole point! – Michael Hampton Jun 25 '19 at 17:20