Check your network for the zero-day vulnerability, and fix it now!

Introduction 

In the wake of the Endpoint Central remote code execution (RCE) vulnerability, the Endpoint Central team has developed a tool that checks whether the vulnerability is present on the machine where the server is installed. If the machine is found to have been exploited, the tool automatically deletes the malicious files and services.

How to use the tool? 

  1. Stop the Endpoint Central service.
  2. Download this zip folder and extract the files.
  3. Place vulnerabilityCleanup.bat in <ServerHome>/bin.
  4. Place vulnerabilityCleanUp.jar in <ServerHome>/lib.
  5. Open Command Prompt as Administrator, and navigate to <ServerHome>/bin.
  6. Run vulnerabilityCleanup.bat.
  7. Upon successful execution of this batch file, the results in Command Prompt will indicate whether your network has been exploited.

What should I do if my network has been exploited? 

  1. Disconnect the machine from your network. 
  2. Backup and restore:
    • If it is a virtual machine, shut down the machine and restore the previous snapshot taken on or before March 5, 2020. The subsequent steps do not apply to a virtual machine.
    • If it is a physical machine, make a copy of the scheduled backup (dbbackup) taken on or before March 5, 2020, and move this copy to another machine. Proceed with the subsequent steps mentioned below.
  3. Reinstall the operating system. 
  4. Install the Endpoint Central EXE (note: the build version of the new EXE must be the same as the build version of your backup). Visit this link to procure the EXE for your build number.
  5. Restore the backup, and start the server. It is highly recommended to restore the backup on the machine with the reinstalled operating system.
  6. Once the server is up and running, upgrade to the latest build, 10.0.479.
  7. Change all the user names and passwords associated with the server-installed machine. 

What should I do if my network has not been exploited? 

It is highly recommended to upgrade to the latest build, 10.0.479.

Best practices for further analysis

  1. Review the firewall logs for any unknown or unexpected IP addresses. It is highly recommended to scrutinize every firewall log from March 5, 2020 until you apply the fix. As a starting point, these are the IP addresses we have spotted so far:
    • 3.0.19.24
    • 193.169.255.102
    • 171.25.193.78
    • 23.227.206.166
    • 66.42.98.220
    • 74.82.201.8
    • 91.208.184.78
  2. If you have a network audit tool, use it to check whether the malware has moved laterally to other server machines.
  3. Change the passwords of:
    • User/system accounts accessed from the machine 
    • Active Directory credentials if the server-installed machine is a part of AD or if AD is integrated with the Endpoint Central server
    • Any web accounts accessed from the server-installed machine
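Step 1 above asks you to review firewall logs from March 5, 2020 onward for the listed addresses. The following script is an added example, not ManageEngine's cleanup tool and not part of the original article: it scans firewall log lines for those indicator IPs and skips records dated before the review window. It assumes W3C-style records that start with a `YYYY-MM-DD` date (the Windows Firewall log layout) for the date filter and falls back to plain address matching for any other text log. The sample log lines, the 10.0.0.x addresses and the ports in them are constructed for the example.

```python
"""Scan firewall log lines for the indicator IPs listed in the advisory."""
import ipaddress
import re
from datetime import date
from typing import Dict, Iterable, List, Optional, Tuple

# Indicator IP addresses exactly as listed in the advisory. The advisory
# notes these are only the addresses spotted so far, so no hits here does
# not by itself clear a network.
INDICATOR_IPS = frozenset({
    "3.0.19.24",
    "193.169.255.102",
    "171.25.193.78",
    "23.227.206.166",
    "66.42.98.220",
    "74.82.201.8",
    "91.208.184.78",
})

# Start of the review window named in the advisory.
REVIEW_START = date(2020, 3, 5)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# W3C-style firewall logs (e.g. Windows Firewall pfirewall.log) begin each
# record with "YYYY-MM-DD HH:MM:SS".
DATE_PREFIX_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})\s")

Hit = Tuple[int, List[str], str]  # (line number, matched indicator IPs, raw line)


def record_date(line: str) -> Optional[date]:
    """Date of a W3C-style record, or None if the line has no leading date."""
    m = DATE_PREFIX_RE.match(line)
    if m is None:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:
        return None


def is_ipv4(token: str) -> bool:
    """Reject regex matches such as 999.1.2.3 that are not real addresses."""
    try:
        ipaddress.IPv4Address(token)
    except ValueError:
        return False
    return True


def find_indicator_hits(lines: Iterable[str],
                        indicators: frozenset = INDICATOR_IPS,
                        start: date = REVIEW_START) -> List[Hit]:
    """Return every log line (1-based numbering) mentioning an indicator IP."""
    hits: List[Hit] = []
    for lineno, line in enumerate(lines, start=1):
        if not line.strip() or line.startswith("#"):
            continue  # blank line or W3C header directive
        when = record_date(line)
        if when is not None and when < start:
            continue  # before the review window; undated lines are kept
        matched = sorted(
            {tok for tok in IPV4_RE.findall(line) if is_ipv4(tok) and tok in indicators}
        )
        if matched:
            hits.append((lineno, matched, line.rstrip()))
    return hits


def count_by_indicator(hits: List[Hit]) -> Dict[str, int]:
    """How many records each indicator IP appeared in."""
    counts: Dict[str, int] = {}
    for _, matched, _ in hits:
        for ip in matched:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample in Windows Firewall (W3C) layout; the 10.0.0.x hosts
# and the ports are made up for the example.
SAMPLE_LOG = [
    "#Version: 1.5",
    "#Software: Microsoft Windows Firewall",
    "#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path",
    "2020-03-04 23:59:10 ALLOW TCP 3.0.19.24 10.0.0.5 51522 8443 0 - 0 0 0 - - - RECEIVE",
    "2020-03-06 10:15:42 ALLOW TCP 193.169.255.102 10.0.0.5 40212 8443 0 - 0 0 0 - - - RECEIVE",
    "2020-03-06 10:16:01 ALLOW TCP 10.0.0.7 10.0.0.5 50001 8443 0 - 0 0 0 - - - RECEIVE",
    "2020-03-07 02:00:05 ALLOW TCP 10.0.0.5 66.42.98.220 49211 443 0 - 0 0 0 - - - SEND",
    "2020-03-07 02:00:09 ALLOW TCP 10.0.0.5 66.42.98.220 49212 443 0 - 0 0 0 - - - SEND",
]

if __name__ == "__main__":
    found = find_indicator_hits(SAMPLE_LOG)
    for lineno, matched, raw in found:
        print(f"line {lineno}: {', '.join(matched)} -> {raw}")
    print(count_by_indicator(found))
```

To run it against a real log, pass the open file to `find_indicator_hits` (it accepts any iterable of lines). The March 4 record in the sample is deliberately dropped by the date filter, while the review-window start is a parameter so the same scan can be widened; the advisory's own caveat still applies, since the list is only what had been spotted at the time.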

Contact Us

Should you have any further questions, please email dc-zeroday@manageengine.com or reach out to us using our toll-free number, +1-888-720-9500.