taigaio / taiga-front

GNU Affero General Public License v3.0

[BUG] Crypto mining virus #109

Open zazy opened 3 years ago

zazy commented 3 years ago

Describe the bug

I installed Taiga on a VPS following the guide and using a non-privileged user account named taiga. The taiga user account is not able to log in via SSH or FTP and is only available to root via su. The database engine is not exposed to external connections. Apache web server installed on Ubuntu Server 20.04.2. The VPS hosting Taiga had been infected with a crypto mining virus that started to attack lots of other servers. The virus was not identified or blocked by ClamAV. I'm sure the infection came in through Taiga because all files are owned by the taiga user account. I found several scripts in the /tmp folder containing virus upgrade/update instructions. I also found the whole set of virus scripts and executables in the taiga user account's home directory. Furthermore, all cron actions had been saved in the taiga user account's crontab. The server has now been isolated to better investigate the instance image. On my Taiga instance sign-up is disabled and all projects were private. I really don't know how this happened. I'm here to find ideas.

Let me know if there is any information you need to investigate how this could have happened. The server is no longer running, so I can provide you with logs and config files only. I preserved the virus files in case they are useful.

andreashaerter commented 3 years ago

Following the contribution guide, I think you should send your message by email to security@taiga.io (especially as taiga-front issues are not always reviewed in a timely manner).

zazy commented 3 years ago

Thank you for pointing it out. I missed it completely! I will send them an email.

bameda commented 3 years ago

Hi @zazy

It is very difficult to diagnose what the problem could be with the information you have given us. We don't fully know your system configuration, and you are using Apache, which is a web server that we do not usually use.

This is the first notification we have received of an attack like this across all the (thousands of) Taiga instances that are installed. So it doesn't seem like a problem with the Taiga app but with the server configuration (maybe a privilege escalation via Apache?).

I recommend you check the logs of the machine and of Apache to see if, according to the creation date of the strange files, you can obtain more information about how the attack occurred and what the entry point was. Of course, if you manage to identify any security issue regarding Taiga itself, please do not forget to forward us the information.

I am sorry I cannot be of more help

Best regards
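The correlation bameda suggests (line up the creation time of each strange file with the Apache requests that arrived just before it) can be scripted. The block below is an added example written for this page; it is not code from the thread, from the reporter, or from the Taiga project. The access-log lines, the request paths and the file timestamps are constructed for the example; on a real host you would read `/var/log/apache2/access.log` (or the vhost's log) and take the timestamps from `stat` on the files found in `/tmp`, the service account's home and its crontab.

```python
"""Correlate suspicious-file timestamps with Apache access-log entries.

Added example (not Taiga project code). Given the creation times of the
unexpected files found on the host and the Apache "combined" access log,
list the requests that reached the server shortly before each file
appeared, then rank the client IPs that show up in every such window.
All input below is constructed for the example.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed log excerpt: two clients, one parse failure to show it is skipped.
LOG = """\
198.51.100.7 - - [10/Oct/2021:13:40:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2021:13:52:03 +0000] "POST /api/v1/auth HTTP/1.1" 200 874 "-" "python-requests/2.25.1"
203.0.113.9 - - [10/Oct/2021:13:53:41 +0000] "POST /api/v1/wiki HTTP/1.1" 201 1203 "-" "python-requests/2.25.1"
198.51.100.7 - - [10/Oct/2021:14:30:00 +0000] "GET /api/v1/projects HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is deliberately malformed and must be ignored
"""

# Constructed mtimes of the files the reporter describes (hypothetical paths).
SUSPECT_FILES = {
    "/home/taiga/.x/update.sh": datetime(2021, 10, 10, 13, 55, 0, tzinfo=timezone.utc),
    "/tmp/.cron.sh": datetime(2021, 10, 10, 14, 1, 0, tzinfo=timezone.utc),
}


def parse_apache_line(line):
    """Parse one combined-format line into a dict, or return None if it doesn't match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def requests_before(entries, file_time, window):
    """Entries whose timestamp lies in (file_time - window, file_time]."""
    start = file_time - window
    return [e for e in entries if start < e["ts"] <= file_time]


def correlate(log_text, suspect_files, window=timedelta(minutes=15)):
    """Map each suspicious file to the requests seen in the window before its mtime."""
    entries = [e for e in (parse_apache_line(l) for l in log_text.splitlines()) if e]
    return {path: requests_before(entries, ts, window) for path, ts in suspect_files.items()}


def write_requests(hits):
    """Keep only state-changing requests; a dropped file usually follows one of these."""
    return [e for e in hits if e["method"] in ("POST", "PUT", "PATCH", "DELETE")]


def candidate_sources(correlation):
    """Count, per client IP, how many file windows it appears in (once per window)."""
    counts = Counter()
    for hits in correlation.values():
        for ip in {e["ip"] for e in hits}:
            counts[ip] += 1
    return counts


if __name__ == "__main__":
    result = correlate(LOG, SUSPECT_FILES)
    for path, hits in result.items():
        print(f"{path}: {len(hits)} requests in window, "
              f"{len(write_requests(hits))} of them writes")
        for e in write_requests(hits):
            print(f"  {e['ts'].isoformat()} {e['ip']} {e['method']} {e['path']} "
                  f"{e['status']} ua={e['ua']!r}")
    print("IPs ranked by number of file windows they appear in:")
    for ip, n in candidate_sources(result).most_common():
        print(f"  {ip}: {n}")
```

The window is deliberately short: a miner that drops its own files usually does so within minutes of the request that gave it execution, so a 15-minute window keeps the candidate list small. An IP that shows up in every window, with a scripted user agent and POST requests, is the first thing to pull the full request history for. Correlate the same timestamps with the taiga account's crontab modification time and with `auth.log` for the outgoing SSH attempts the reporter mentions.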

zazy commented 3 years ago

Hi @bameda

thank you for your reply and suggestions.

I know this is really difficult to diagnose, and we are trying to investigate it on our server. I think it's somehow related to Taiga because on this server we have 35 sites (a mix of WordPress, Magento and other PHP applications and REST API servers), but none of them was compromised. I think it's not an Apache vulnerability because Apache is running under www-data:www-data and all the files were created as taiga:taiga, the user we used to run Taiga.io. A privilege escalation is unlikely to target a simple user instead of root.

Maybe it's not directly related to Taiga itself but to some library. I'm reading these days about crypto miners injected into some open-source npm packages like UAParser.

Furthermore, this "virus" is a little bit smart and does not take over all the CPU. It also tried to attack other servers via outgoing SSH connections, but it was not too aggressive, and it took us some time to understand that something was wrong on the server. To be honest, we discovered it when we found our own IP address in the fail2ban log of another server we have.

We are continuing to investigate, and I will be sure to post any relevant result here. I will post even if there are no results at all, so you know the investigation has finished. If we find nothing, we will try to activate the VPS again to monitor the activity more closely and try to catch the problem.

bameda commented 3 years ago

Thank you, we will be waiting for your inquiries.