Re: [exim-dev] Remote root vulnerability in Exim

Author: Ted Cooper
Date:  
To: exim-dev
Subject: Re: [exim-dev] Remote root vulnerability in Exim
On 08/12/10 18:58, Patrick Cernko wrote:
> I can fully understand why you do not want to publish details of the
> attack and support it too. But maybe you could publish extracts from the
> logs which might indicate the attack? That way, administrators (like me)
> might have a chance to check if their systems are attacked already.
You can check out the spool directory for strange files like e.conf or
setuid.

Also, when that e.conf was run, I got a message in my log file that the
queue had been run when I normally have that turned off. That's only if
the attacker runs it with -q though.

e.g.
2010-12-09 12:03:46 Start queue run: pid=4010
2010-12-09 12:03:46 End queue run: pid=4010
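The two indicators in the reply above (odd files in the spool directory, and queue-run entries in the main log on a host where queue running is turned off) can be checked mechanically. The following is an added example, not code from the thread or from the Exim project: it scans a spool directory for entries that are either named above as attack artefacts or fall outside an assumed normal layout, and it pulls `Start queue run`/`End queue run` events out of mainlog lines. The expected spool entry names and the sample log lines are constructed assumptions; adjust them to the local install.

```python
"""Check for the two indicators described in the thread: suspicious files in
the Exim spool directory, and queue-run events in the main log.

Added example code; not from the mailing list or the Exim project."""
import os
import re
import tempfile
from typing import Iterable, List, Tuple

# Names the thread mentions as artefacts of the attack.
SUSPICIOUS_SPOOL_NAMES = {"e.conf", "setuid"}

# Entries Exim normally keeps in its spool root. This is an assumption about a
# typical layout; tune it to the local installation before trusting the result.
EXPECTED_SPOOL_ENTRIES = {"input", "msglog", "db", "exim-daemon.pid"}

# Matches the queue-run lines quoted in the thread, e.g.
# "2010-12-09 12:03:46 Start queue run: pid=4010"
QUEUE_RUN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<event>Start|End) queue run: pid=(?P<pid>\d+)"
)


def scan_spool_dir(path: str) -> List[str]:
    """Return spool entries that are named as suspicious in the thread or are
    not part of the expected layout, sorted for stable output."""
    flagged = []
    for name in sorted(os.listdir(path)):
        if name in SUSPICIOUS_SPOOL_NAMES or name not in EXPECTED_SPOOL_ENTRIES:
            flagged.append(name)
    return flagged


def find_queue_runs(log_lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Return (timestamp, event, pid) for every queue-run line in the log.

    On a host where queue running is normally turned off, any hit at all is
    worth investigating; on other hosts, compare the pids and times against
    the expected queue-runner schedule."""
    hits = []
    for line in log_lines:
        m = QUEUE_RUN_RE.match(line.strip())
        if m:
            hits.append((m.group("ts"), m.group("event"), int(m.group("pid"))))
    return hits


# Constructed sample mainlog. The two queue-run lines are the ones quoted in the
# thread; the surrounding delivery lines are made up for illustration.
SAMPLE_MAINLOG = """\
2010-12-09 12:03:40 1PQaaa-000123-Ab <= alice@example.com H=mail.example.com [192.0.2.10] P=esmtp S=1234
2010-12-09 12:03:46 Start queue run: pid=4010
2010-12-09 12:03:46 End queue run: pid=4010
2010-12-09 12:04:01 1PQaaa-000123-Ab => bob@example.net R=dnslookup T=remote_smtp
"""


def build_demo_spool() -> str:
    """Create a throwaway spool directory that mimics a compromised host
    (normal subdirectories plus the two files named in the thread)."""
    root = tempfile.mkdtemp(prefix="exim-spool-demo-")
    for sub in ("input", "msglog", "db"):
        os.mkdir(os.path.join(root, sub))
    for name in SUSPICIOUS_SPOOL_NAMES:
        with open(os.path.join(root, name), "w") as fh:
            fh.write("constructed demo artefact\n")
    return root


if __name__ == "__main__":
    spool = build_demo_spool()
    print("suspicious spool entries:", scan_spool_dir(spool))
    for ts, event, pid in find_queue_runs(SAMPLE_MAINLOG.splitlines()):
        print(f"{ts} {event} queue run (pid={pid})")
```

On a real host, point `scan_spool_dir` at the configured spool directory (commonly `/var/spool/exim` or `/var/spool/exim4`, depending on the distribution) and feed `find_queue_runs` the main log; hits only mean something once compared with whether queue running is expected on that host.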