On 13/12/2010 11:14, Alain Williams wrote:
>> Regarding the recent remote exploit for Exim. I had an idea and I wasn't
>> sure if it was crazy. The idea was to scan port 25 across the entire
>> Internet looking for Exim installations of version <= v4.69 by
>> inspecting the welcome banner, then later alerting the maintainers of
>> these systems about the problem and telling them to upgrade.
>
> The version number is not the whole story, unfortunately.
> For instance, one of my customers' machines is running Centos 4,
> this was updated with a patched exim last night. When you connect
> on port 25 you get:
>
> 220 survey.XXXXX.com ESMTP Exim 4.43 Mon, 13 Dec 2010 11:06:04 +0000
>
> The clue that it is patched is the build date.
Yeah, I noticed this. I can't remotely view the build date though
unfortunately. That's why I said that they either are, or at least were,
exploitable a couple of days ago. Anyone running 4.69 or below was
exploitable a few days ago, and many of them still are.
The most interesting figure is that only 6% of installations appear to
be version 4.70 and above.
--
Mike Cardwell
https://secure.grepular.com/ https://twitter.com/mickeyc
Professional
http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
