Re: [exim-dev] Remote root vulnerability in Exim

Top Pagina
Delete this message
Reply to this message
Auteur: Ted Cooper
Datum:  
Aan: exim-dev
Onderwerp: Re: [exim-dev] Remote root vulnerability in Exim
On 08/12/10 18:58, Patrick Cernko wrote:
> I can fully understand why you do not want to publish details of the
> attack and support it too. But maybe you could publish extracts from the
> logs which might indicate the attack? That way, administrators (like me)
> might have a chance to check if their systems are attacked already.


You can check out the spool directory for strange files like e.conf or
setuid.

Also, when that e.conf was run, I got a message in my log file that the
queue had been run when I normally have that turned off. That's only if
the attacker runs it with -q though.

eg
2010-12-09 12:03:46 Start queue run: pid=4010
2010-12-09 12:03:46 End queue run: pid=4010