[exim] Exim installations data

Góra strony
Delete this message
Reply to this message
Autor: Mike Cardwell
Data:  
Dla: exim-users
Temat: [exim] Exim installations data
Regarding the recent remote exploit for Exim. I had an idea and I wasn't
sure if it was crazy. The idea was to scan port 25 across the entire
Internet looking for Exim installations of version <= v4.69 by
inspecting the welcome banner, then later alerting the maintainers of
these systems about the problem and telling them to upgrade.

People don't like having their networks scanned though so rather than
going through each IP in a normal linear ascending order. Eg:

1.2.3.253
1.2.3.254
1.2.4.1

I reversed the octets and did it in an order like this:

253.3.2.1
254.3.2.1
1.4.2.1

So if you have a /24, it wont be scanned in a few seconds, it will be
scanned over weeks instead.

In a 24 hour period, I managed to cover all of:

x.x.x.1
x.x.x.2
x.x.x.3
x.x.x.4

And most of x.x.x.5, from a single VPS at linode.com. Linode received a
couple of abuse reports from AT&T and Bytemark though, so asked me to
stop the scan, and I did. A couple of abuse reports from 1/50th of the
Internet isn't exactly a lot but apparently Linode don't like receiving
them.

In that space, I found 186,538 IPs with an MTA listening. 24,870 had "
Exim \d\.\d+ " in their welcome banner. (ie, about 13%). For the Exim 4
installations, we have the following:

18,761 v4.69
3,665 v4.68 and below (
1,400 v4.70 and above

So the vast majority of installations (94%) are vulnerable to the remote
exploit. Or at least they were a couple of days ago. Interestingly,
there were also 437 IPs with v3.x on them, and even 1 in Japan claiming
to be running v2.05.

Anyway, I'm probably not going to do anything with the data that I
collected because it's far from complete. I thought I'd just mention it
here because some of the figures are interesting and I believe the pool
of IPs I scanned was large and varied enough to make the data trustable.

I'd be interested in working on a project to gather this data on a
monthly basis and produce similar results to that produced by the
Netcraft Web Server survey. I don't have the hardware/connectivity to do
it though.

--
Mike Cardwell https://secure.grepular.com/ https://twitter.com/mickeyc
Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F