Re: [exim] Re: [exim-dev] buffer overflow?

Author: Subhi S Hashwa
Date:  
To: Peter Bowyer, Exim Users Mailing List, peter
CC: 
Subject: Re: [exim] Re: [exim-dev] buffer overflow?
Saturday, March 12, 2005, 3:14:55 PM, Peter Bowyer wrote:

> On Sat, 12 Mar 2005 13:05:26 +0000, Subhi S Hashwa <lists@???> wrote:
>> Hello exim-dev,
>>
>> I am not a programmer, so I could be talking out of my backside
>> here. Going through my logfiles, I noticed my /etc/group and
>> /etc/services in the logfile as rejected input.
>> A stripped version of the log entry is attached.
>>
>> Asking a few people for advice, they suggested it could be a buffer
>> overflow exploit. Since I am using Exim 4.50, I thought you guys
>> might be interested in having a look.
>>
>> OS: FreeBSD 4.10-RELEASE-p2
>>
>> So, what happened there? Any suggestions and ideas are welcome.


> What led you to consider it might be a buffer overflow in Exim?


> Looks more like your machine was already compromised, and the rootkit
> was busy trying to email your group and passwd files to somewhere -
> fortunately for you, the script doing the mailing wasn't written to
> speak properly synchronised SMTP, and Exim is clever enough to stop it
> in its tracks.


Are you sure?
From the log file:
rejected connection from H=[81.60.208.97] input=<blah>...

It looks like an incoming connection, not an outgoing one.

-- 
Best regards,
 Subhi S Hashwa                            mailto:lists@subhi.com
 When everything is heading your way, you're in the wrong lane.
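As an added defender-side example, not code from this thread or from Exim itself: a small Python triage over constructed Exim log lines in the shape quoted above, which picks out the "rejected connection from H=[...] input=" entries and flags those whose rejected input looks like /etc/passwd or /etc/group records rather than SMTP commands. The quoted `input="..."` form and the `\n` escaping of the logged input are assumptions about the log format.

```python
import re

# Exim's log entry for a peer that sends data before the SMTP greeting, in the
# shape the thread quotes: rejected connection from H=[<ip>] input="<data>".
# The quoted-input form and the \n escaping are assumptions about the format.
REJECT_RE = re.compile(
    r'rejected connection from H=\[(?P<host>[^\]]+)\] input="(?P<input>[^"]*)"')

# One /etc/passwd or /etc/group record: name, password field, then a numeric id.
SYSFILE_RE = re.compile(r'^[A-Za-z_][\w-]*:[^:]*:\d+(:|$)')


def parse_rejection(line):
    """Return host and the unescaped rejected input, or None for other log lines."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    data = m.group('input').replace('\\r', '').replace('\\n', '\n')
    return {'host': m.group('host'), 'input': data}


def looks_like_system_file(text):
    """True when at least two, and most, non-empty lines are passwd/group records."""
    rows = [r for r in text.splitlines() if r.strip()]
    hits = sum(1 for r in rows if SYSFILE_RE.match(r))
    return hits >= 2 and hits * 2 >= len(rows)


def triage(log_lines):
    """Collect synchronisation rejections and flag ones carrying system-file content."""
    findings = []
    for line in log_lines:
        rec = parse_rejection(line)
        if rec is not None:
            rec['system_file'] = looks_like_system_file(rec['input'])
            findings.append(rec)
    return findings


# Constructed sample log lines (not the poster's log); 192.0.2.0/24 is documentation space.
SAMPLE_LOG = [
    '2005-03-12 13:01:02 SMTP protocol synchronization error (input sent without '
    'waiting for greeting): rejected connection from H=[192.0.2.10] '
    'input="root:*:0:0:Charlie &:/root:/bin/csh\\nwheel:*:0:root\\ndaemon:*:1:1::/root:/sbin/nologin\\n"',
    '2005-03-12 13:05:00 SMTP protocol synchronization error (input sent without '
    'waiting for greeting): rejected connection from H=[192.0.2.20] input="EHLO mx.example.net\\r\\n"',
    '2005-03-12 13:06:11 H=[192.0.2.30] F=<a@example.org> rejected RCPT <b@example.net>: relay not permitted',
]

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f['host']}: {'system-file content' if f['system_file'] else 'other input'}")
```

Only the first sample line is flagged; an early EHLO is a protocol slip, not exfiltrated file content, and the relay rejection is not a synchronisation error at all.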