Re: [exim-dev] Remote root vulnerability in Exim

Page principale
Ce message fait partie du fil suivant :
M---+-+--+\Arborescence complète du fil triée par date
M+\.M\M..MMPatrick Cernko à <-
MMM\MMMM.MMTed Cooper à ->
Supprimer ce message
Répondre à ce message
Auteur: Ted Cooper
Date:  
À: exim-dev
Sujet: Re: [exim-dev] Remote root vulnerability in Exim
On 08/12/10 18:58, Patrick Cernko wrote:
> I can fully understand why you do not want to publish details of the
> attack and support it too. But maybe you could publish extracts from the
> logs which might indicate the attack? That way, administrators (like me)
> might have a chance to check if their systems are attacked already.

You can check out the spool directory for strange files like e.conf or
setuid.

Also, when that e.conf was run, I got a message in my log file that the
queue had been run when I normally have that turned off. That's only if
the attacker runs it with -q though.

eg
2010-12-09 12:03:46 Start queue run: pid=4010
2010-12-09 12:03:46 End queue run: pid=4010

Ce message a été envoyé sur les listes de diffusion suivantes :
Exim-dev
Informations sur la liste de diffusion | Messages voisins		<-Re: [exim-dev] Remote root vulnerability in EximRe: [exim-dev] Remote root vulnerability in Exim->
Tahini and Hummus and Cumin Development Archives administré par cumin AdminsLurker (version 2.3)