Re: [exim-dev] Remote root vulnerability in Exim

On 2010-12-09 02:18, Ted Cooper wrote:
> On 08/12/10 18:58, Patrick Cernko wrote:
> > I can fully understand why you do not want to publish details of the
> > attack and support it too. But maybe you could publish extracts
from the
> > logs which might indicate the attack? That way, administrators
(like me)
> > might have a chance to check if their systems are attacked already.
>
> You can check out the spool directory for strange files like e.conf or
> setuid.
>
> Also, when that e.conf was run, I got a message in my log file that the
> queue had been run when I normally have that turned off. That's only if
> the attacker runs it with -q though.
>
> eg
> 2010-12-09 12:03:46 Start queue run: pid=4010
> 2010-12-09 12:03:46 End queue run: pid=4010
>
>
I think that my server was also a victim of this vulnerability.
I had a hidden .x...something file in the spool directory and a strange
apache-server running
that had opened an ircd-port (with lsof -i) . I deleted these files in
the spool directory.
The apache server ran as /usr/local/apache/bin/httpd -DSSL
with the UID of the exim4. It was in fact some perl script and in fact
/usr/local/apache doesn't exist.
When I killed the process it always restarted at once. When I did chmod
o-x /usr/bin/perl and killed the faked httpd the process did not start
again. I noticed (in the mainlog of exim4) , that there still was a try
to communicate with a server with a romanian name but the communication
did not work anymore. Then, as my server mainly runs as a web server, I
reconfigured exim4 (dpkg-reconfigure exim4-config) not to listen to
incoming email anymore. Afterwards I did chmod o+w /usr/bin/perl again.
Now it seems as if everything is calm.
As I am not a developer of exim4 I am waiting for a new exim4 to come
after the bug has been resolved.