On 13/12/2010 11:14, Alain Williams wrote:

>> Regarding the recent remote exploit for Exim. I had an idea and I wasn't
>> sure if it was crazy. The idea was to scan port 25 across the entire
>> Internet looking for Exim installations of version <= v4.69 by
>> inspecting the welcome banner, then later alerting the maintainers of
>> these systems about the problem and telling them to upgrade.
>
> The version number is not the whole story, unfortunately.
> For instance, one of my customers' machines is running Centos 4,
> this was updated with a patched exim last night. When you connect
> on port 25 you get:
>
> 220 survey.XXXXX.com ESMTP Exim 4.43 Mon, 13 Dec 2010 11:06:04 +0000
>
> The clue that it is patched is the build date.

Yeah, I noticed this. I can't remotely view the build date though
unfortunately. That's why I said that they either are, or at least were,
exploitable a couple of days ago. Anyone running 4.69 or below was
exploitable a few days ago, and many of them still are.

The most interesting figure is that only 6% of installations appear to be
version 4.70 and above.

--
Mike Cardwell https://secure.grepular.com/ https://twitter.com/mickeyc
Professional http://cardwellit.com/ http://linkedin.com/in/mikecardwell
PGP.mit.edu 0018461F/35BC AF1D 3AA2 1F84 3DC3 B0CF 70A5 F512 0018 461F
