[Pkg-exim4-users] CVE-2010-4344 and Exim 4.69-9+lenny1
ametzler at downhill.at.eu.org
Tue Dec 14 18:48:15 UTC 2010
On 2010-12-14 Olivier Bonvalet <debian-exim.list at daevel.fr> wrote:
> one of my debians was just "hacked", thought this Exim
> vulnerabilities, but Exim4 was already upgraded to the
> "4.69-9+lenny1_amd64" version.
> We upgraded it on 12/11/2010 :
> And the attacker exploit the vulnerability on 12/14/2010 :
> # stat /mnt/var/spool/exim4/s
> File: `/mnt/var/spool/exim4/s'
> Size: 9223 Blocks: 24 IO Block: 4096 fichier régulier
> Device: fd02h/64770d Inode: 65906 Links: 1
> Access: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
> Access: 2010-12-14 09:31:13.000000000 +0100
> Modify: 2010-12-14 02:07:20.000000000 +0100
> Change: 2010-12-14 02:07:20.000000000 +0100
> 2010-12-14 02:07:31 1PSJMZ-0007cg-Je <= root at pasbet.mrbinr.com
> U=root P=local S=4324
> 2010-12-14 02:07:31 1PSJMZ-0007cg-Je no immediate delivery: load
> average 1.01
> 2010-12-14 02:08:09 Start queue run: pid=32248
> 2010-12-14 02:08:10 1PSJNC-0008Ow-0V <= root at pasbet.mrbinr.com
> H=localhost (pasbet.mrbinr.com) [127.0.0.1] P=esmtp S=5158
> id=E1PSJMZ-0007cg-Je at pasbet.mrbinr.com
> 2010-12-14 02:08:10 1PSJNC-0008Ow-0V no immediate delivery: load
> average 1.45
> 2010-12-14 02:08:10 1PSJMZ-0007cg-Je => haubau123 at yahoo.com
> R=dkimproxy T=dkimproxy_smtp H=localhost [127.0.0.1]
> 2010-12-14 02:08:10 1PSJMZ-0007cg-Je Completed
> 2010-12-14 02:08:10 End queue run: pid=32248
> Or maybe it's a different problem ?
> Do you need more informations, logs, files ?
I (would like to) think that the actual break-in happened before you
upgraded the system and the attacker installed a backdoor.
The exim logfile snippet above shows that the local user root invoked
exim to send a mail.
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
More information about the Pkg-exim4-users