Re: [exim] Detecting successful CVE-2019-10149 hack

Author: Calum Mackay
To: exim-users
Subject: Re: [exim] Detecting successful CVE-2019-10149 hack
hi Phillip,

If your Linux system was successfully hacked, you may see changes to:


(or the Centos equivalent, above was from a Debian system)

and also every 5 mins getting frozen messages:

The following address(es) have yet to be delivered:

Too many "Received" headers - suspected mail loop

Although perhaps not every successful hack case looks the same.


On 23/07/2019 1:10 am, Carroll via Exim-users wrote:
> Because I was quite tardy in updating from 4.91 to 4.92, I am faced with
> the question as to best procedure for determining if anyone
> successfully hacked into my Centos 7 server.
> (I updated in late June, still oblivious to the existence of the CVE. A
> week later I learn about the CVE.  C'est la vie.)
> Googling hasn't yielded much in terms of what a sysop should look for.
> I have exim logs going back many months.  I searched those (case
> insensitive) for the string "x2fbin", and also "${run".  Both searches
> found the exact same two instances of RCPT to a local part containing a
> CVE-2019-10149 payoff string. (quite different from each other, but all
> having essentially the same form) One was dated the week before I
> updated to 4.92.  The other was dated a week after updating.
> In both instances, the found string was part of an error message:
> "SMTP Protocol error in RCPT TO:<root+$run...(payoff string)" ... sender
> not yet given
> In the first instance the RCPT error was immediately followed by the
> error message:
> SMTP protocol error in "DATA" ... valid RCPT command must precede DATA
> In each instance the RCPT error was immediately followed by an error
> message:
> SMTP protocol error in "DATA" ... valid RCPT command must precede DATA
> followed immediately by another error message:
> SMTP protocol synchronization error (next input sent too soon:
> pipelining was not advertised): rejected "Received: 1" ... next
> input="Received: 2\r\nReceived: 3\r\nReceived: 4\r\nReceived:
> 5\r\nReceived: 6\r\nReceived: 7\r\nReceived: 8\r\nReceived:
> 9\r\nReceived: 10\r\nReceived: 11\r\nReceived: 12\r\nRece"
> My first question is, do these indicate failed attempts, or could they
> have succeeded? On the face, it appears they failed.
> However, my second question would be whether, in a successful attempt,
> the payoff string would even appear in the log or just get swallowed up
> by exim executing the string?  In which case, what do I look for to
> eliminate that possibility?
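The two indicators discussed in this thread (the `${run`/`x2fbin` strings Carroll grepped his logs for, and the repeating frozen "Too many Received headers" messages Calum mentions) can be checked in one pass over the mainlog. The script below is an added example written for this page; it is not code from either poster or from the Exim project. The sample log lines are constructed to resemble exim's mainlog layout, with placeholder message ids, hosts and addresses, and the payload body replaced by `REDACTED`; the helper names (`scan_lines`, `summarize`, `loop_cadence_minutes`) are this example's own. It reports what the thread says to look for and does not settle the open question of whether a successful run would leave the string in the log at all.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of exim mainlog lines (not taken from the thread). Message ids,
# hosts and addresses are placeholders; the exploit body is replaced by REDACTED.
SAMPLE_LOG = """\
2019-06-05 03:14:22 SMTP protocol error in "RCPT TO:<root+${run{REDACTED_x2fbin}}@example.org>" H=(host1) [192.0.2.10] sender not yet given
2019-06-05 03:14:22 SMTP protocol error in "DATA" H=(host1) [192.0.2.10] valid RCPT command must precede DATA
2019-06-05 03:14:22 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "Received: 1" H=(host1) [192.0.2.10] next input="Received: 2\\r\\nReceived: 3\\r\\nRece"
2019-06-06 11:00:01 1hYYYY-000001-AA <= alice@example.org H=mail.example.net [198.51.100.5] P=esmtp S=1234
2019-07-01 09:30:44 SMTP protocol error in "RCPT TO:<root+${run{REDACTED}}@example.org>" H=(host2) [203.0.113.7] sender not yet given
2019-07-23 10:05:01 1hZZZZ-000002-BB Too many "Received" headers - suspected mail loop
2019-07-23 10:05:01 1hZZZZ-000002-BB Frozen (delivery error message)
2019-07-23 10:10:01 1hZZZZ-000003-CC Too many "Received" headers - suspected mail loop
2019-07-23 10:10:01 1hZZZZ-000003-CC Frozen (delivery error message)
"""

PAYLOAD_MARKERS = ("x2fbin", "${run")  # the two strings searched for in the thread
LOOP_MARKER = 'Too many "Received" headers - suspected mail loop'
RCPT_RE = re.compile(r'RCPT TO:<([^>]*)>', re.IGNORECASE)
HOST_RE = re.compile(r'\[([0-9a-fA-F:.]+)\]')
TS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})')


@dataclass
class Hit:
    timestamp: str
    kind: str     # "payload" (suspicious RCPT local part) or "mail_loop"
    source: str   # peer IP for payload hits, exim message id for loop hits
    detail: str


def scan_lines(lines):
    """Return one Hit per log line that carries either indicator."""
    hits = []
    for line in lines:
        m = TS_RE.match(line)
        ts = m.group(1) if m else "?"
        lowered = line.lower()
        if any(marker.lower() in lowered for marker in PAYLOAD_MARKERS):
            rcpt = RCPT_RE.search(line)
            host = HOST_RE.search(line)
            hits.append(Hit(ts, "payload",
                            host.group(1) if host else "?",
                            rcpt.group(1) if rcpt else line.strip()))
        elif LOOP_MARKER in line:
            fields = line.split()
            msgid = fields[2] if len(fields) > 2 else "?"
            hits.append(Hit(ts, "mail_loop", msgid, LOOP_MARKER))
    return hits


def loop_cadence_minutes(hits):
    """Gaps in whole minutes between consecutive mail-loop hits; a steady
    cadence (the thread mentions every 5 minutes) is what to look for."""
    times = [datetime.strptime(h.timestamp, "%Y-%m-%d %H:%M:%S")
             for h in hits if h.kind == "mail_loop" and h.timestamp != "?"]
    return [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]


def summarize(hits):
    """Counts per indicator, payload hits per peer IP, and loop cadence."""
    by_kind = Counter(h.kind for h in hits)
    by_source = Counter(h.source for h in hits if h.kind == "payload")
    return {
        "payload": by_kind.get("payload", 0),
        "mail_loop": by_kind.get("mail_loop", 0),
        "payload_sources": dict(by_source),
        "loop_gaps_min": loop_cadence_minutes(hits),
    }


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.timestamp} {h.kind:9} {h.source:16} {h.detail}")
    print(summarize(found))
```

Run it against a real mainlog with `scan_lines(open("/var/log/exim4/mainlog"))` (or the CentOS path), and read a non-empty `loop_gaps_min` with a constant value as the frozen-message pattern from the reply above; the payload count alone only tells you attempts were made, which is exactly the limit Carroll's second question points at.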