[Pkg-exim4-users] CVE-2010-4344 and Exim 4.69-9+lenny1
Andreas Metzler
ametzler at downhill.at.eu.org
Tue Dec 14 18:48:15 UTC 2010
On 2010-12-14 Olivier Bonvalet <debian-exim.list at daevel.fr> wrote:
> one of my debians was just "hacked", thought this Exim
> vulnerabilities, but Exim4 was already upgraded to the
> "4.69-9+lenny1_amd64" version.
> We upgraded it on 12/11/2010:
[...]
> And the attacker exploited the vulnerability on 12/14/2010:
> # stat /mnt/var/spool/exim4/s
> File: `/mnt/var/spool/exim4/s'
> Size: 9223 Blocks: 24 IO Block: 4096 fichier régulier
> Device: fd02h/64770d Inode: 65906 Links: 1
> Access: (4755/-rwsr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
> Access: 2010-12-14 09:31:13.000000000 +0100
> Modify: 2010-12-14 02:07:20.000000000 +0100
> Change: 2010-12-14 02:07:20.000000000 +0100
[...]
> 2010-12-14 02:07:31 1PSJMZ-0007cg-Je <= root at pasbet.mrbinr.com
> U=root P=local S=4324
> 2010-12-14 02:07:31 1PSJMZ-0007cg-Je no immediate delivery: load
> average 1.01
> 2010-12-14 02:08:09 Start queue run: pid=32248
> 2010-12-14 02:08:10 1PSJNC-0008Ow-0V <= root at pasbet.mrbinr.com
> H=localhost (pasbet.mrbinr.com) [127.0.0.1] P=esmtp S=5158
> id=E1PSJMZ-0007cg-Je at pasbet.mrbinr.com
> 2010-12-14 02:08:10 1PSJNC-0008Ow-0V no immediate delivery: load
> average 1.45
> 2010-12-14 02:08:10 1PSJMZ-0007cg-Je => haubau123 at yahoo.com
> R=dkimproxy T=dkimproxy_smtp H=localhost [127.0.0.1]
> 2010-12-14 02:08:10 1PSJMZ-0007cg-Je Completed
> 2010-12-14 02:08:10 End queue run: pid=32248
> Or maybe it's a different problem?
> Do you need more information, logs, files?
Hello,
I (would like to) think that the actual break-in happened before you
upgraded the system and the attacker installed a backdoor.
The exim logfile snippet above shows that the local user root invoked
exim to send a mail.
cu andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
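Added example, not part of the original thread: a small triage script that finds the pattern pointed out in the reply above, arrival lines (`<=`) marked `P=local` with `U=root`, and pairs each with the recipients it was delivered to. The sample log is constructed, modelled on the quoted excerpt with wrapped lines re-joined and placeholder addresses; the function name `local_submissions` is hypothetical.

```python
import re

# Constructed sample modelled on the excerpt quoted in the post
# (wrapped lines re-joined, addresses replaced by placeholders).
SAMPLE_LOG = """\
2010-12-14 02:07:31 1PSJMZ-0007cg-Je <= root@host.example U=root P=local S=4324
2010-12-14 02:07:31 1PSJMZ-0007cg-Je no immediate delivery: load average 1.01
2010-12-14 02:08:09 Start queue run: pid=32248
2010-12-14 02:08:10 1PSJNC-0008Ow-0V <= root@host.example H=localhost (host.example) [127.0.0.1] P=esmtp S=5158 id=E1PSJMZ-0007cg-Je@host.example
2010-12-14 02:08:10 1PSJMZ-0007cg-Je => someone@external.example R=dkimproxy T=dkimproxy_smtp H=localhost [127.0.0.1]
2010-12-14 02:08:10 1PSJMZ-0007cg-Je Completed
2010-12-14 02:08:10 End queue run: pid=32248
"""

# timestamp, message id (6-6-2 format as in the excerpt), direction flag,
# first address token, remaining key=value fields
LINE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"([0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) "
    r"(<=|=>|->) (\S+)(.*)$"
)
FIELD = re.compile(r"(?<!\S)([A-Za-z]+)=(\S+)")


def local_submissions(log_text, users=("root",)):
    """Return {msgid: info} for messages handed to exim by a local process
    (P=local) running as one of `users`, with their delivery recipients."""
    msgs = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # queue-run markers, "Completed", deferral notes, ...
        ts, msgid, direction, addr, rest = m.groups()
        fields = dict(FIELD.findall(rest))
        if direction == "<=":
            # U= is the local login that invoked exim; P=local means the
            # message did not arrive over SMTP.
            if fields.get("P") == "local" and fields.get("U") in users:
                msgs[msgid] = {"time": ts, "user": fields["U"],
                               "sender": addr, "recipients": []}
        elif msgid in msgs:
            msgs[msgid]["recipients"].append(addr)  # "=>" or "->" delivery
    return msgs


if __name__ == "__main__":
    for msgid, info in local_submissions(SAMPLE_LOG).items():
        print(msgid, info["time"], "U=" + info["user"], "->", info["recipients"])
```

The second arrival line in the sample (`P=esmtp` from 127.0.0.1) is not reported on its own; its `id=` field ties it back to the locally submitted message.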