Re: [exim] Re: [exim-dev] buffer overflow?

On Sat, 12 Mar 2005 15:37:15 +0000, Subhi S Hashwa <lists@???> wrote:
> Saturday, March 12, 2005, 3:14:55 PM, Peter Bowyer wrote:
>
> > On Sat, 12 Mar 2005 13:05:26 +0000, Subhi S Hashwa <lists@???> wrote:
> >> Hello exim-dev,
> >>
> >> I am not a programmer, so I could be talking out of my backside
> >> here, going through my logfiles, I notice my /etc/group and
> >> /etc/services in the logfile as rejected input.
> >> A stripped version of the log entry is attached.
> >>
> >> Asking few people for advice they suggested it could be a buffer
> >> overflow exploit, since I am using Exim 4.50 I thought you guys
> >> might be interested in having a look.
> >>
> >> OS: FreeBSD 4.10-RELEASE-p2
> >>
> >> So, what happened there ? any suggestions and ideas are welcome.
>
> > What led you to consider it might be a buffer overflow in Exim?
>
> > Looks more like your machine was already compromised, and the rootkit
> > was busy trying to email your group and passwd files to somewhere -
> > fortunately for you, the script doing the mailing wasn't written to
> > speak properly synchronised SMTP, and Exim is clever enough to stop it
> > in its tracks.
>
> Are you sure?
> from the log file
> rejected connection from H=[81.60.208.97] input=<blah>...
>
> looks like an incoming connection not outgoing.

No, I'm not sure - nor could anyone be from the log snippet you
posted. All it shows is an attempt to mail the contents of a passwd
file. I made an intelligent guess, that's all.

And I've no way of knowing whether that's one of your IPs or not.

Have you scanned your server for any other signs of intrusion (rootkits etc) ?

(Sorry, I accidentally redirected this thread to the -users list - but
I think it's probably OK there anyway)

Peter
--
Peter Bowyer
Email: peter@???
Tel: +44 1296 768003
VoIP: sip:peter@???