Lähettäjä: Ted Cooper Päiväys: Vastaanottaja: exim-dev Aihe: Re: [exim-dev] Remote root vulnerability in Exim
On 08/12/10 18:58, Patrick Cernko wrote: > I can fully understand why you do not want to publish details of the
> attack and support it too. But maybe you could publish extracts from the
> logs which might indicate the attack? That way, administrators (like me)
> might have a chance to check if their systems are attacked already.
You can check out the spool directory for strange files like e.conf or
setuid.
Also, when that e.conf was run, I got a message in my log file that the
queue had been run when I normally have that turned off. That's only if
the attacker runs it with -q though.