[Pkg-exim4-users] Urgent: Can't install security update after recent exploit

Sebastian Tennant sebyte at smolny.plus.com
Fri Dec 17 18:26:20 UTC 2010

Hi list,

I've been bitten by the recent exploit (Bug 1044 / CVE-2010-4345).

Here are the steps I've taken so far to try and rectify the situation:

 1. Shutdown exim4.

 2. Removed the two attacker files /var/spool/exim4/s & /var/spool/exim4/s.c
    (both zero length at the time I discovered them and I had to 'chattr -ai'
    them before they would og away).

 3. Removed the two attacker files /etc/exim4/exim.conf &

 4. Ran update-exim4.conf and performed a visual check on

 5. Attempted to install the security update:

     apt-get install exim4 exim4-base exim4-config exim4-daemon-light

    but the post-installation script for package exim4-config failed with exit
    status 20.

It's probably also worth noting that my existing exim4 executable binary
(/usr/sbin/exim4) has most definitely been compromised:

 -rwsr-xr-x 1 root root 695968 Dec 10 14:01 exim4

 (Note suid and modification date)

So, what next?

Left to my own devices, I'll probably backup /etc/exim4/, apt-get purge all
exim packages, re-install them from scratch (hopefully the post-installation
script for package exim4-config won't fail this time), restore my /etc/exim4/
directory, re-run update-exim4.conf and restart exim.

Any advice much appreciated.


Emacs' AlsaPlayer - Music Without Jolts
Lightweight, full-featured and mindful of your idyllic happiness.

More information about the Pkg-exim4-users mailing list