Re: [exim] Exim (aoom) named in context of new TLS cross-pro…

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Cyborg
Fecha:  
A: exim-users
Asunto: Re: [exim] Exim (aoom) named in context of new TLS cross-protocol attack
Am 09.06.21 um 22:03 schrieb Heiko Schlittermann via Exim-users:
>
> |smtp_max_synprot_errors|Use: main|Type: integer|Default: 3|
>


A small follow-up on my change of this config on a -> very low traffic
<- mail-server in less than 18h after activation:

2021-06-10 17:09:54 SMTP call from [134.122.7.20] dropped: too many
syntax or protocol errors (last command was "HEAD / HTTP/1.0", NULL)
2021-06-10 17:09:55 SMTP call from [134.122.7.20] dropped: too many
syntax or protocol errors (last command was "GET /system_api.php
HTTP/1.1", NULL)
2021-06-10 17:09:56 SMTP call from [134.122.7.20] dropped: too many
syntax or protocol errors (last command was "GET /c/version.js
HTTP/1.1", NULL)
2021-06-10 17:09:58 SMTP call from [134.122.7.20] dropped: too many
syntax or protocol errors (last command was "GET
/streaming/clients_live.php HTTP/1.1", NULL)
2021-06-10 17:09:59 SMTP call from [134.122.7.20] dropped: too many
syntax or protocol errors (last command was "GET
/stalker_portal/c/version.js HTTP/1.1", NULL)
2021-06-10 17:10:01 SMTP call from [134.122.7.20] dropped: too many
syntax or protocol errors (last command was "GET /stream/live.php
HTTP/1.1", NULL)
2021-06-10 17:17:30 SMTP call from [138.197.154.233] dropped: too many
syntax or protocol errors (last command was "HEAD / HTTP/1.0", NULL)
2021-06-10 17:17:31 SMTP call from [138.197.154.233] dropped: too many
syntax or protocol errors (last command was "GET /system_api.php
HTTP/1.1", NULL)
2021-06-10 17:17:32 SMTP call from [138.197.154.233] dropped: too many
syntax or protocol errors (last command was "GET /system_api.php
HTTP/1.1", NULL)
2021-06-10 17:17:34 SMTP call from [138.197.154.233] dropped: too many
syntax or protocol errors (last command was "GET /c/version.js
HTTP/1.1", NULL)
2021-06-10 17:17:35 SMTP call from [138.197.154.233] dropped: too many
syntax or protocol errors (last command was "GET
/streaming/clients_live.php HTTP/1.1", NULL)
2021-06-10 17:17:37 SMTP call from [138.197.154.233] dropped: too many
syntax or protocol errors (last command was "GET
/stalker_portal/c/version.js HTTP/1.1", NULL)
2021-06-10 17:17:39 SMTP call from [138.197.154.233] dropped: too many
syntax or protocol errors (last command was "GET /client_area/
HTTP/1.1", NULL)
2021-06-10 17:17:40 SMTP call from [138.197.154.233] dropped: too many
syntax or protocol errors (last command was "GET /stalker_portal/c/
HTTP/1.1", NULL)
2021-06-10 17:17:42 SMTP call from [138.197.154.233] dropped: too many
syntax or protocol errors (last command was "GET /stream/live.php
HTTP/1.1", NULL)
2021-06-10 19:08:50 SMTP call from [46.101.86.104] dropped: too many
syntax or protocol errors (last command was "HEAD / HTTP/1.0", NULL)
2021-06-10 19:08:51 SMTP call from [46.101.86.104] dropped: too many
syntax or protocol errors (last command was "GET /system_api.php
HTTP/1.1", NULL)
2021-06-10 19:08:51 SMTP call from [46.101.86.104] dropped: too many
syntax or protocol errors (last command was "GET /system_api.php
HTTP/1.1", NULL)
2021-06-10 19:08:51 SMTP call from [46.101.86.104] dropped: too many
syntax or protocol errors (last command was "GET /c/version.js
HTTP/1.1", NULL)
2021-06-10 19:08:52 SMTP call from [46.101.86.104] dropped: too many
syntax or protocol errors (last command was "GET
/streaming/clients_live.php HTTP/1.1", NULL)
2021-06-10 19:08:52 SMTP call from [46.101.86.104] dropped: too many
syntax or protocol errors (last command was "GET
/stalker_portal/c/version.js HTTP/1.1", NULL)
2021-06-10 19:08:53 SMTP call from [46.101.86.104] dropped: too many
syntax or protocol errors (last command was "GET /client_area/
HTTP/1.1", NULL)
2021-06-10 19:08:53 SMTP call from [46.101.86.104] dropped: too many
syntax or protocol errors (last command was "GET /stalker_portal/c/
HTTP/1.1", NULL)
2021-06-10 19:08:53 SMTP call from [46.101.86.104] dropped: too many
syntax or protocol errors (last command was "GET /stream/live.php
HTTP/1.1", NULL)
2021-06-10 19:54:12 SMTP call from [134.122.5.182] dropped: too many
syntax or protocol errors (last command was "HEAD / HTTP/1.0", NULL)
2021-06-10 19:54:13 SMTP call from [134.122.5.182] dropped: too many
syntax or protocol errors (last command was "GET /system_api.php
HTTP/1.1", NULL)
2021-06-10 19:54:14 SMTP call from [134.122.5.182] dropped: too many
syntax or protocol errors (last command was "GET /c/version.js
HTTP/1.1", NULL)
2021-06-10 19:54:15 SMTP call from [134.122.5.182] dropped: too many
syntax or protocol errors (last command was "GET
/streaming/clients_live.php HTTP/1.1", NULL)
2021-06-10 19:54:17 SMTP call from [134.122.5.182] dropped: too many
syntax or protocol errors (last command was "GET
/stalker_portal/c/version.js HTTP/1.1", NULL)
2021-06-10 19:54:18 SMTP call from [134.122.5.182] dropped: too many
syntax or protocol errors (last command was "GET /stream/live.php
HTTP/1.1", NULL)
2021-06-10 20:21:18 SMTP call from [64.225.63.33] dropped: too many
syntax or protocol errors (last command was "HEAD / HTTP/1.0", NULL)
2021-06-10 20:21:19 SMTP call from [64.225.63.33] dropped: too many
syntax or protocol errors (last command was "GET /system_api.php
HTTP/1.1", NULL)
2021-06-10 20:21:20 SMTP call from [64.225.63.33] dropped: too many
syntax or protocol errors (last command was "GET /c/version.js
HTTP/1.1", NULL)
2021-06-10 20:21:21 SMTP call from [64.225.63.33] dropped: too many
syntax or protocol errors (last command was "GET
/streaming/clients_live.php HTTP/1.1", NULL)
2021-06-10 20:21:23 SMTP call from [64.225.63.33] dropped: too many
syntax or protocol errors (last command was "GET
/stalker_portal/c/version.js HTTP/1.1", NULL)
2021-06-10 20:21:24 SMTP call from [64.225.63.33] dropped: too many
syntax or protocol errors (last command was "GET /stream/live.php
HTTP/1.1", NULL)
2021-06-11 02:27:28 SMTP call from [192.241.214.95] dropped: too many
syntax or protocol errors (last command was "GET / HTTP/1.1", NULL)
2021-06-11 02:27:30 SMTP call from [192.241.214.95] dropped: too many
syntax or protocol errors (last command was "GET / HTTP/1.1", NULL)
2021-06-11 02:27:30 SMTP call from [192.241.214.95] dropped: too many
syntax or protocol errors (last command was "GET / HTTP/1.1", NULL)
2021-06-11 02:27:30 SMTP call from [192.241.214.95] dropped: too many
syntax or protocol errors (last command was "GET / HTTP/1.1", NULL)
2021-06-11 04:46:17 SMTP call from 92.118.160.1.netsystemsresearch.com
[92.118.160.1] dropped: too many syntax or protocol errors (last command
was "GET / HTTP/1.1", NULL)
2021-06-11 08:34:31 SMTP call from scanner-21.ch1.censys-scanner.com
[162.142.125.128] dropped: too many syntax or protocol errors (last
command was "GET / HTTP/1.1", NULL)
2021-06-11 08:34:36 SMTP call from scanner-21.ch1.censys-scanner.com
[162.142.125.128] dropped: too many syntax or protocol errors (last
command was "GET / HTTP/1.1", NULL)
2021-06-11 08:34:49 SMTP call from scanner-21.ch1.censys-scanner.com
[162.142.125.128] dropped: too many syntax or protocol errors (last
command was "GET / HTTP/1.1", NULL)
2021-06-11 08:34:50 SMTP call from scanner-21.ch1.censys-scanner.com
[162.142.125.128] dropped: too many syntax or protocol errors (last
command was "GET / HTTP/1.1", NULL)
2021-06-11 08:47:19 SMTP call from [45.113.70.146] dropped: too many
syntax or protocol errors (last command was "GET / HTTP/1.1", NULL)

Those are not Alpaca request, it just the normal everydays madness :D

I really don't wanne check on my normal or big servers

... and here is the EXIM EXPLOIT :
https://github.com/RUB-NDS/alpaca-code/blob/master/exploits/smtp/02-exim.md

(Exim does not suffer from this exploit, the browser which parses the
response is )


best regards,
Marius