Re: [exim] just been hacked, could be CVE-2019-10149?

Author: Calum Mackay
Date:  
To: exim-users
Subject: Re: [exim] just been hacked, could be CVE-2019-10149?
Thanks Marius,

Yes indeed, no argument at all. I've been involved in UNIX security for
30 years (and so should have known better anyway).

Luckily, in this case, the script-kiddies' efforts seem naive, and they
weren't even able to succeed in opening up SSH access, despite having
root and attempting it.

They made some effort to change mtimes of files changed, but forgot, or
weren't able, to also change inode ctimes, so those were, at least,
easily found.

It's not likely all that was a charade, hiding some more sophisticated
hacking but, as you say, it's impossible to be sure.

good points!

cheers,
calum.

On 19/06/2019 6:50 pm, Cyborg via Exim-users wrote:
> Am 11.06.19 um 19:34 schrieb Calum Mackay via Exim-users:
>> I'm still catching up, but…
>>
>> On 11/06/2019 7:43 am, Marius Schwarz via Exim-users wrote:
>>> Why didn't you harden your exim with the "allowed chars" change we
>>> posted here on the list, or did you?
>>
>> Is that still necessary/advised, now I'm running 4.92?
>
>
> rm -rf /
> reboot from usb drive
> reinstall modern ShortCycle OSes like Fedora
>
> Why?
>
> Because your server got hacked with root access and you have no idea
> what the attacker did, what you did not find.
> Attackers can change your logfiles to remove or correct their
> activities as they like, install Hypervisor Rootkits etc. etc.
>
> Trust an IT forensics guy, you can only be sure if you cold start the
> server and boot from a trustworthy medium
> to do forensics on a system.
>
>
> best regards,
> Marius
>
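A defender's check for the mtime/ctime trick Calum describes above, as an added example that is not part of this thread: it lists files whose inode change time is well ahead of their modification time, which is what a rewritten mtime leaves behind. It assumes GNU coreutils stat/find (Linux); BSD/macOS stat takes different options.

```shell
#!/bin/sh
# Added example, not from the exim-users thread.
# A tool like touch can rewrite a file's mtime, but every such write bumps
# ctime, which only the kernel sets. A large (ctime - mtime) gap is therefore
# worth a look when triaging a box whose timestamps may have been massaged.
# Assumes GNU coreutils stat/find.

# Usage: find_timestomped DIR [THRESHOLD_SECONDS]
# Prints "gap ctime mtime path" for each regular file where ctime exceeds
# mtime by more than THRESHOLD_SECONDS (default 60), largest gap first.
find_timestomped() {
    dir=$1
    threshold=${2:-60}
    # %Y = mtime, %Z = ctime (epoch seconds), %n = path
    find "$dir" -xdev -type f -exec stat -c '%Y %Z %n' {} + 2>/dev/null |
    awk -v t="$threshold" '{
        mtime = $1; ctime = $2
        # path may contain spaces: strip the two leading numeric fields
        sub(/^[0-9]+ [0-9]+ /, "")
        gap = ctime - mtime
        if (gap > t) printf "%d %d %d %s\n", gap, ctime, mtime, $0
    }' | sort -rn
}

# Demo on a constructed scratch directory: one untouched file and one whose
# mtime was pushed back into the past (its ctime still says "now").
demo_timestomp() {
    d=$(mktemp -d)
    printf 'normal\n' > "$d/normal.txt"
    printf 'backdoored\n' > "$d/bin stomped.sh"
    touch -d '2018-01-01 00:00:00' "$d/bin stomped.sh"   # rewrites mtime only
    find_timestomped "$d" 60
    rm -rf "$d"
}
```

Run `find_timestomped / 3600` from a trusted boot medium, as Marius suggests, rather than on the live system.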