Saturday, March 12, 2005, 3:14:55 PM, Peter Bowyer wrote:
> On Sat, 12 Mar 2005 13:05:26 +0000, Subhi S Hashwa <lists@???> wrote:
>> Hello exim-dev,
>>
>> I am not a programmer, so I could be talking out of my backside
>> here. Going through my logfiles, I notice my /etc/group and
>> /etc/services in the logfile as rejected input.
>> A stripped version of the log entry is attached.
>>
>> I asked a few people for advice and they suggested it could be a
>> buffer overflow exploit. Since I am using Exim 4.50, I thought you
>> guys might be interested in having a look.
>>
>> OS: FreeBSD 4.10-RELEASE-p2
>>
>> So, what happened there? Any suggestions and ideas are welcome.
> What led you to consider it might be a buffer overflow in Exim?
> Looks more like your machine was already compromised, and the rootkit
> was busy trying to email your group and passwd files to somewhere -
> fortunately for you, the script doing the mailing wasn't written to
> speak properly synchronised SMTP, and Exim is clever enough to stop it
> in its tracks.
Are you sure?
From the log file,
rejected connection from H=[81.60.208.97] input=<blah>...
looks like an incoming connection, not outgoing.
--
Best regards,
Subhi S Hashwa mailto:lists@subhi.com
When everything is heading your way, you're in the wrong lane.
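
The question raised in the reply above, whether the rejected connection came from the server itself or from a remote peer, can be checked mechanically. This is an added example, not part of the original thread or of Exim: it extracts the `H=[...]` peer from each "rejected connection" line and tests it against the server's own addresses. The sample log lines, the text before "rejected connection", the `LOCAL_ADDRS` set and the function name `triage` are assumptions made for the example.

```python
import ipaddress
import re

# Only the fragment quoted in the thread is matched; whatever Exim writes
# before "rejected connection" is ignored.
REJECT_RE = re.compile(
    r"rejected connection from H=[^\[]*\[(?P<ip>[^\]]+)\](?::\d+)?"
    r"\s+input=(?P<input>.*)$"
)

# Constructed: addresses assumed to belong to the mail server itself.
LOCAL_ADDRS = {ipaddress.ip_address("192.0.2.10")}

# Constructed sample log lines; timestamps and reason text are assumptions,
# the first peer address and "<blah>..." are as quoted in the thread.
SAMPLE_LOG = """\
2005-03-12 12:58:01 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[81.60.208.97] input=<blah>...
2005-03-12 12:58:40 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[127.0.0.1] input=<blah>...
2005-03-12 12:59:10 1DA6xK-0000Ab-Cd <= user@example.org H=mail.example.org [192.0.2.55] P=esmtp S=1234
"""


def triage(log_text, local_addrs):
    """Return one record per rejected connection, noting if the peer is this host."""
    records = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m is None:
            continue
        try:
            peer = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # malformed address field, leave for manual review
        records.append({
            "peer": str(peer),
            "local": peer.is_loopback or peer in local_addrs,
            "input": m.group("input"),
        })
    return records


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG, LOCAL_ADDRS):
        origin = "this host" if rec["local"] else "remote peer"
        print(f"{rec['peer']:15} {origin:12} input={rec['input']}")
```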