Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Reports of Attacks against EXIM vulnerability - Internet Security | DShield SANS ISC InfoSec Forums


Reports of Attacks against EXIM vulnerability

Users of the popular exim mail server report attacks exploiting the recently patched vulnerability [1,2]. It appears that the attacks are scripted and install popular rootkits. If you experienced an attack against exim, we are interested in packet captures or other logs showing how the attack is performed.

[1] http://www.reddit.com/r/netsec/comments/en650/details_of_the_root_kit_that_got_installed_on_my/
[2] http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter


Johannes

3575 Posts
ISC Handler
These 2 references seem to be people's unpatched systems getting owned, i.e. prior to 4.69-9+lenny1. [2]'s attack happened before the patch was available, so this was definitely in the wild before the security update was released.

I think that unless you've already been compromised, you shouldn't have a problem if you're running the latest.
Chris

12 Posts
Related:

cPanel vuln - updates...
- http://secunia.com/advisories/42625
  Release Date: 2010-12-15
  Criticality level: Extremely critical
- http://www.cpanel.net/2010/12/critical-exim-security-update.html
Jack

160 Posts
I left a comment on the Reddit article, but also make sure to check for running sshd's. I had one that started on port 59997. It was the system sshd, not the dropbear that the rootkit installed.

Oddly enough, the sshd tried to start more than once (hours apart), and wasn't installed by the rootkit's installation script. That leads me to believe it was started by ssh'ing in after the rootkit was installed. I had six machines get compromised at the same time, and all of them had the sshd running on port 59997.
Jack
1 Posts
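The check Jack describes, an sshd (or the rootkit's dropbear) listening on an unexpected port such as 59997, can be scripted. The following is an added example, not code from the thread or from any of its posters: it parses `ss -tlnp`-style output and reports every sshd/dropbear LISTEN socket whose port differs from the one you expect. The sample socket listing embedded below is constructed for demonstration; the PIDs and ports in it are made up, apart from 59997 taken from the post above.

```shell
#!/bin/sh
# Added example (not part of the ISC thread): flag sshd/dropbear listeners on
# ports other than the expected one. Input is in the format of `ss -tlnp`.

# Constructed sample of `ss -tlnp` output; the PIDs are invented.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:59997     0.0.0.0:*    users:(("sshd",pid=4417,fd=3))
LISTEN 0      128    127.0.0.1:25      0.0.0.0:*    users:(("exim4",pid=901,fd=5))
LISTEN 0      128    0.0.0.0:2222      0.0.0.0:*    users:(("dropbear",pid=4501,fd=4))'

# unexpected_ssh_listeners <expected_port> [ss_output]
# Prints "<process> <port> <pid>" for every sshd or dropbear LISTEN socket
# whose local port is not the expected one. Reads stdin if no second argument.
unexpected_ssh_listeners() {
    want="$1"
    input="${2:-$(cat)}"
    printf '%s\n' "$input" | awk -v want="$want" '
        $1 == "LISTEN" {
            # local port is the last ":"-separated part of field 4 (works for IPv6 too)
            n = split($4, a, ":"); port = a[n]
            if (match($0, /"(sshd|dropbear)"/)) {
                proc = substr($0, RSTART + 1, RLENGTH - 2)
                pid = ""
                if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
                if (port != want) print proc, port, pid
            }
        }'
}

# Stand-alone demonstration against the constructed sample:
unexpected_ssh_listeners 22 "$SAMPLE_SS_OUTPUT"

# On a live host (ss comes with iproute2):
#   ss -tlnp | unexpected_ssh_listeners 22
```

Any line it prints deserves a look at the process's binary path and parent, since a second sshd started hours after the initial compromise, as in the post above, will not show up in the rootkit's own installation script.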
This exploit seems likely to weed out all those servers still running Debian etch (oldstable) long after security support ended. Unfortunately I'm guilty of this too...

Debian's 'popcon' stats suggest some 66% of all participants are running Exim (it's the default MTA, automatically installed on desktops and servers), and I interpret from the 'popularity-contest' package version stats that at least 12% of Debian installations are not being updated.

Maybe the greatest threat will be to those 'internal' servers that some people feel they don't have to patch (or make any other effort to secure). One day malware will likely breach defences at the network perimeter and exploit such an internal service to steal data and wreak havoc.
Steven C.

171 Posts
