Reports of Attacks against EXIM vulnerability
Users of the popular exim mail server report attacks exploiting the recently patches vulnerability [1,2]. It appears that the attacks are scripted and installing popular rootkits. If you experienced an attack against exim: We are interested in packet captures or other logs showing how the attack is performed.
[1] http://www.reddit.com/r/netsec/comments/en650/details_of_the_root_kit_that_got_installed_on_my/
[2] http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter
Keywords: exim
4 comment(s)
×
![modal content]()
Diary Archives
Comments
I think that unless you've already been compromised, you shouldn't have a problem if you're running the latest.
dimmer
Dec 17th 2010
1 decade ago
cPanel vuln - updates...
- http://secunia.com/advisories/42625
Release Date: 2010-12-15
Criticality level: Extremely critical
- http://www.cpanel.net/2010/12/critical-exim-security-update.html
.
PC.Tech
Dec 17th 2010
1 decade ago
Oddly enough, the sshd tried to start more than once (hours apart), and wasn't installed by the rootkit's installation script. That leads me to believe it was started by ssh'ing in after the rootkit was installed. I had six machines get compromised at the same time, and all of them had the sshd running on port 59997.
dave
Dec 18th 2010
1 decade ago
Debian's 'popcon' stats suggest some 66% of all participants are running Exim (it's the default MTA, automatically installed on desktops and servers), and I interpret from the 'popularity-contest' package version stats that at least 12% of Debian installations are not being updated.
Maybe the greatest threat will be to those 'internal' servers that some people feel they don't have to patch (or make any other effort to secure). One day malware will likely breach defences at the network perimeter and exploit such an internal service to steal data and wreak havoc.
Steven Chamberlain
Dec 18th 2010
1 decade ago