[Pkg-exim4-users] Urgent: Can't install security update after recent exploit
Sebastian Tennant
sebyte at smolny.plus.com
Fri Dec 17 18:26:20 UTC 2010
Hi list,
I've been bitten by the recent exploit (Bug 1044 / CVE-2010-4345).
Here are the steps I've taken so far to try and rectify the situation:
1. Shut down exim4.
2. Removed the two attacker files /var/spool/exim4/s & /var/spool/exim4/s.c
   (both zero length at the time I discovered them and I had to 'chattr -ai'
   them before they would go away).
3. Removed the two attacker files /etc/exim4/exim.conf &
   /etc/exim4/exim4.conf.
4. Ran update-exim4.conf and performed a visual check on
   /var/lib/exim4/config.autogenerated.
5. Attempted to install the security update:

     apt-get install exim4 exim4-base exim4-config exim4-daemon-light

   but the post-installation script for package exim4-config failed with exit
   status 20.
It's probably also worth noting that my existing exim4 executable binary
(/usr/sbin/exim4) has most definitely been compromised:
-rwsr-xr-x 1 root root 695968 Dec 10 14:01 exim4
(Note suid and modification date)
So, what next?
Left to my own devices, I'll probably back up /etc/exim4/, apt-get purge all
exim packages, re-install them from scratch (hopefully the post-installation
script for package exim4-config won't fail this time), restore my /etc/exim4/
directory, re-run update-exim4.conf and restart exim.
Any advice much appreciated.
Sebastian
--
Emacs' AlsaPlayer - Music Without Jolts
Lightweight, full-featured and mindful of your idyllic happiness.
http://home.gna.org/eap
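
The checks described in the message above, as an added example that is not part of the original post: a triage script that reports which of the files named in the post are still present and compares the exim4 binary with the MD5 that dpkg recorded at install time. The function names, the optional ROOT prefix, and the assumption that exim4-daemon-light ships usr/sbin/exim4 are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post. ROOT is an optional prefix so the
# checks can run on a mounted copy of the disk instead of the live system.

# Print each file the post names as attacker-created that exists under ROOT.
check_artifacts() {
    root=${1:-}
    for f in /var/spool/exim4/s /var/spool/exim4/s.c \
             /etc/exim4/exim.conf /etc/exim4/exim4.conf; do
        if [ -e "$root$f" ]; then
            echo "PRESENT $f"
            # The post had to 'chattr -ai' two of these; show flags if lsattr works.
            lsattr -d "$root$f" 2>/dev/null || true
        fi
    done
}

# Compare ROOT/REL with the MD5 recorded in dpkg's list for PKG.
# Returns 0 on match, 1 on mismatch, 2 when no record is available.
verify_binary() {
    root=$1; pkg=$2; rel=$3
    list="$root/var/lib/dpkg/info/$pkg.md5sums"
    [ -r "$list" ] || return 2
    want=$(awk -v p="$rel" '$2 == p { print $1 }' "$list")
    [ -n "$want" ] || return 2
    have=$(md5sum "$root/$rel" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Assumption: exim4-daemon-light is the package that ships usr/sbin/exim4.
triage() {
    check_artifacts "${1:-}"
    rc=0
    verify_binary "${1:-}" exim4-daemon-light usr/sbin/exim4 || rc=$?
    case $rc in
        0) echo "OK usr/sbin/exim4 matches recorded md5" ;;
        1) echo "MISMATCH usr/sbin/exim4 differs from recorded md5" ;;
        *) echo "UNKNOWN no md5 record for usr/sbin/exim4" ;;
    esac
}

# Run only when asked, e.g.: sh triage.sh --run /mnt/suspect
if [ "${1:-}" = "--run" ]; then
    triage "${2:-}"
fi
```

The md5sums list sits on the same disk as the binary, so a match is only as trustworthy as that disk; comparing against a package freshly fetched from a trusted mirror is the stronger check.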