Re: [exim-dev] Remote root vulnerability in Exim

Top Page
This message is part of the following thread:
M---+-+--+\the complete thread tree sorted by date
M+\.M\M..MMPatrick Cernko at <-
MMM\MMMM.MMTed Cooper at ->
Delete this message
Reply to this message
Author: Ted Cooper
Date:  
To: exim-dev
Subject: Re: [exim-dev] Remote root vulnerability in Exim
On 08/12/10 18:58, Patrick Cernko wrote:
> I can fully understand why you do not want to publish details of the
> attack and support it too. But maybe you could publish extracts from the
> logs which might indicate the attack? That way, administrators (like me)
> might have a chance to check if their systems are attacked already.

You can check out the spool directory for strange files like e.conf or
setuid.

Also, when that e.conf was run, I got a message in my log file that the
queue had been run when I normally have that turned off. That's only if
the attacker runs it with -q though.

eg
2010-12-09 12:03:46 Start queue run: pid=4010
2010-12-09 12:03:46 End queue run: pid=4010

This message was posted to the following mailing lists:
Exim-dev
Mailing List Info | Nearby Messages		<-Re: [exim-dev] Remote root vulnerability in EximRe: [exim-dev] Remote root vulnerability in Exim->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)