On Mon, Dec 13, 2010 at 11:22:18AM +0000, Mike Cardwell wrote:
> On 13/12/2010 11:14, Alain Williams wrote:
>
> >> Regarding the recent remote exploit for Exim. I had an idea and I wasn't
> >> sure if it was crazy. The idea was to scan port 25 across the entire
> >> Internet looking for Exim installations of version <= v4.69 by
> >> inspecting the welcome banner, then later alerting the maintainers of
> >> these systems about the problem and telling them to upgrade.
> >
> > The version number is not the whole story, unfortunately.
> > For instance, one of my customers' machines is running Centos 4,
> > this was updated with a patched exim last night. When you connect
> > on port 25 you get:
> >
> > 220 survey.XXXXX.com ESMTP Exim 4.43 Mon, 13 Dec 2010 11:06:04 +0000
> >
> > The clue that it is patched is the build date.
>
> Yeah, I noticed this. I can't remotely view the build date though
> unfortunately. That's why I said that they either are, or at least were,
> exploitable a couple of days ago. Anyone running 4.69 or below was
> exploitable a few days ago, and many of them still are.
>
> The most interesting figure is that only 6% of installations appear to
> be version 4.70 and above.
If they are using distro-supplied versions of exim (which will probably be most
people) the headline version # might be quite old. For RedHat/Centos 5 it
is 4.63 -- but patched, e.g.:

220 mint.phcomp.co.uk ESMTP Exim 4.63 Mon, 13 Dec 2010 11:30:56 +0000

I don't know what the corresponding version numbers are for Debian.

You should be able to view the build date remotely. The 220 line that you
get on connecting to port 25 tells you what it is (see above).
--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256
http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information:
http://www.phcomp.co.uk/contact.php
#include <std_disclaimer.h>
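The banner-parsing step the thread is discussing, as an added example that is not part of the mailing-list messages above: it matches the default Exim greeting shape ("220 <host> ESMTP Exim <version> <date>"), compares the advertised version with 4.70, and returns the trailing timestamp separately. That timestamp is what Exim's default smtp_banner expands from $tod_full, the server's clock at connect time, so the code reports it but does not treat it as a build date. The two-entry table of distribution builds only records the CentOS 4 (4.43) and CentOS/RHEL 5 (4.63) banners quoted in the thread and is illustrative, not an authoritative list of backported packages. The fetch_banner() helper does a real TCP connect and is not exercised by the sample data; the sample banners mixing the two quoted lines with made-up example.net/example.org hosts are constructed, not captured.

```python
"""Classify Exim SMTP greeting banners by the advertised version number.

Added example (not code from the thread). Version <= 4.69 in the banner only
means the host was shipped from a pre-fix upstream release; whether a
distribution backported the fix cannot be read from the banner, so those
hosts are flagged as "possible backport" rather than "patched".
"""
import re
import socket
from email.utils import parsedate_to_datetime

FIXED_IN = (4, 70)  # first upstream release with the fix, as stated in the thread

# Banner versions the thread says distributions ship with backported fixes.
# Illustrative only: this is the two examples quoted above, not a full list.
DISTRO_BACKPORTS = {
    (4, 43): "CentOS/RHEL 4",
    (4, 63): "CentOS/RHEL 5",
}

# Default Exim banner: "$smtp_active_hostname ESMTP Exim $version_number $tod_full".
# "220-" is accepted too, for servers that send a multi-line greeting.
BANNER_RE = re.compile(
    r"^220[ -](?P<host>\S+)\s+ESMTP\s+Exim\s+(?P<version>\d+(?:\.\d+)+)"
    r"(?:\s+(?P<tod>.+?))?\s*$"
)

# Constructed sample input: the two banners quoted in the thread plus three
# made-up hosts (example.net / example.org are reserved documentation names).
SAMPLE_BANNERS = [
    "220 survey.XXXXX.com ESMTP Exim 4.43 Mon, 13 Dec 2010 11:06:04 +0000",
    "220 mint.phcomp.co.uk ESMTP Exim 4.63 Mon, 13 Dec 2010 11:30:56 +0000",
    "220 mx.example.net ESMTP Exim 4.69 Mon, 13 Dec 2010 12:00:00 +0000",
    "220 mx2.example.net ESMTP Exim 4.72 Mon, 13 Dec 2010 12:00:01 +0000",
    "220 mail.example.org ESMTP Postfix",
]


def parse_version(text):
    """'4.69' -> (4, 69); '4.72.1' -> (4, 72, 1). Tuples compare numerically."""
    return tuple(int(part) for part in text.split("."))


def parse_banner(line):
    """Return {'host', 'version', 'timestamp'} for an Exim banner, else None.

    'timestamp' is the server's current time ($tod_full) as an aware datetime,
    or None if the banner carries no parseable RFC 2822 date.
    """
    match = BANNER_RE.match(line.strip())
    if not match:
        return None
    stamp = None
    tod = match.group("tod")
    if tod:
        try:
            stamp = parsedate_to_datetime(tod)
        except (TypeError, ValueError):  # older Pythons raise TypeError here
            stamp = None
    return {
        "host": match.group("host"),
        "version": parse_version(match.group("version")),
        "timestamp": stamp,
    }


def classify(line):
    """Bucket one banner line by what the version number alone can tell us."""
    info = parse_banner(line)
    if info is None:
        return "not-exim-banner"
    version = info["version"]
    if version >= FIXED_IN:
        return "upstream-fixed-version"
    if version[:2] in DISTRO_BACKPORTS:
        return "pre-4.70-possible-backport"
    return "pre-4.70-unpatched-upstream-version"


def tally(lines):
    """Count banners per bucket, the figure the thread quotes as '6% at 4.70+'."""
    counts = {}
    for line in lines:
        bucket = classify(line)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


def fetch_banner(host, port=25, timeout=5.0):
    """Read one greeting line from a live server (network access; not run by tests)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("r", encoding="ascii", errors="replace")
        line = reader.readline()
        try:
            sock.sendall(b"QUIT\r\n")
        except OSError:
            pass
    return line.rstrip("\r\n")


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(classify(banner), "<-", banner)
    print(tally(SAMPLE_BANNERS))
```

Running it over the constructed list puts the two quoted distribution banners in the "possible backport" bucket, the made-up 4.69 host in the unpatched bucket and only the 4.72 host in the fixed bucket, which is the distinction the thread is arguing over: a scan can find hosts whose banner predates 4.70, but it cannot tell a patched CentOS 4.63 from an unpatched one.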