On 2010-12-09 02:18, Ted Cooper wrote:
> On 08/12/10 18:58, Patrick Cernko wrote:
> > I can fully understand why you do not want to publish details of the
> > attack and support it too. But maybe you could publish extracts from the
> > logs which might indicate the attack? That way, administrators (like me)
> > might have a chance to check if their systems are attacked already.
>
> You can check out the spool directory for strange files like e.conf or
> setuid.
>
> Also, when that e.conf was run, I got a message in my log file that the
> queue had been run when I normally have that turned off. That's only if
> the attacker runs it with -q though.
>
> eg
> 2010-12-09 12:03:46 Start queue run: pid=4010
> 2010-12-09 12:03:46 End queue run: pid=4010
>

I think that my server was also a victim of this vulnerability. I had a hidden .x...something file in the spool directory and a strange apache-server running that had opened an ircd-port (with lsof -i). I deleted these files in the spool directory.

The apache server ran as /usr/local/apache/bin/httpd -DSSL with the UID of the exim4. It was in fact some perl script, and in fact /usr/local/apache doesn't exist. When I killed the process it always restarted at once. When I did chmod o-x /usr/bin/perl and killed the faked httpd, the process did not start again.

I noticed (in the mainlog of exim4) that there still was a try to communicate with a server with a Romanian name, but the communication did not work anymore.

Then, as my server mainly runs as a web server, I reconfigured exim4 (dpkg-reconfigure exim4-config) not to listen to incoming email anymore. Afterwards I did chmod o+w /usr/bin/perl again. Now it seems as if everything is calm.

As I am not a developer of exim4, I am waiting for a new exim4 to come after the bug has been resolved.

--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
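The two indicators discussed in this thread (unexpected files in the Exim spool directory, and "Start queue run" entries in the mainlog on a host where queue runs are normally disabled) can be checked with a small script. The following is an added example written for this page, not code from the thread or from the Exim project; it builds a constructed spool directory and a constructed mainlog excerpt in temporary locations so it runs offline, and the list of expected spool entries (`input`, `msglog`, `db`) is an assumption that must be adjusted to the local installation before use against a real system.

```shell
#!/bin/sh
# Added example: spot-check the two indicators from the thread.
# Everything under "Constructed sample data" is made up for the demo.

# Assumption: these are the only entries expected directly in the spool
# directory. Adjust for your Exim build (e.g. exim-process.info).
EXPECTED_SPOOL="input msglog db"

# Print every top-level spool entry (hidden ones included) that is not
# in EXPECTED_SPOOL, one per line, in byte order.
find_unexpected_spool() {
  dir=$1
  for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
    [ -e "$entry" ] || continue
    name=${entry##*/}
    case " $EXPECTED_SPOOL " in
      *" $name "*) ;;                 # expected, skip
      *) printf '%s\n' "$name" ;;     # anything else is worth a look
    esac
  done | LC_ALL=C sort
}

# Count queue-run starts in a mainlog. On a host that never runs the
# queue on its own, any count above zero deserves investigation.
count_queue_runs() {
  grep -c ' Start queue run: ' "$1" || :
}

# --- Constructed sample data (not from a real host) ---------------------
SAMPLE_SPOOL=$(mktemp -d)
mkdir "$SAMPLE_SPOOL/input" "$SAMPLE_SPOOL/msglog" "$SAMPLE_SPOOL/db"
: > "$SAMPLE_SPOOL/e.conf"      # name mentioned in the thread
: > "$SAMPLE_SPOOL/setuid"      # name mentioned in the thread
: > "$SAMPLE_SPOOL/.x"          # hidden file, standing in for ".x...something"

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2010-12-09 12:03:46 Start queue run: pid=4010
2010-12-09 12:03:46 End queue run: pid=4010
2010-12-09 12:05:01 SMTP connection from [192.0.2.10] closed by QUIT
EOF
# ------------------------------------------------------------------------

# Human-readable report when run stand-alone.
report() {
  echo "Unexpected spool entries in $1:"
  find_unexpected_spool "$1" | sed 's/^/  /'
  echo "Queue runs recorded in $2: $(count_queue_runs "$2")"
}

report "$SAMPLE_SPOOL" "$SAMPLE_LOG"
```

For a real host, point `report` at the actual spool directory (`exim -bP spool_directory` prints it) and at the current mainlog, and check the process table separately for anything running under the Exim user that does not belong there; that part of the thread's story (a perl process posing as httpd) is not covered by this script.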
