hi Phillip,
If your Linux system was successfully hacked, you may see changes to:
/etc/cron.d/root
/etc/crontab
/root/.ssh/authorized_keys
/root/.ssh/known_hosts
(or the CentOS equivalent, above was from a Debian system)
and also every 5 mins getting frozen messages:
The following address(es)
Even better! :)
On 26/06/2019 7:43 pm, Ryan McClung wrote:
I managed to fix it myself. All I did was reinstall exim and
reconfigured it. It looks to be working now but I will keep what you
gave me in mind! Thank you!
On Wed, Jun 26, 2019 at 2:32 PM Calum Mackay via Exim-users
mailto:exim
thanks Russell,
On 25/06/2019 3:08 pm, Russell King via Exim-users wrote:
For example, if you spend most of the week on Linux kernel related
lists, it's mandatory to use reply-to-all unless you really want to
reply to just the sender. Reply-to-list is strongly abhorred.
One obvious reason for
hi Ryan,
On 26/06/2019 6:51 pm, Ryan McClung via Exim-users wrote:
Exim folder:
drwxr-xr-x. 2 exim exim 153 Jun 26 17:47 .
drwxr-xr-x. 80 root root 8192 Jun 26 17:31 ..
-rw-r--r--. 1 exim exim 145 Jun 12 17:39 allow_senders
-rw-r--r--. 1 exim exim 1716 Jun 12 17:39 bounceFilter
-rw-r--
inline…
On 24/06/2019 7:18 pm, mixed8e--- via Exim-users wrote:
On Fri, 2019-06-21 at 15:53 +0200, Heiko Schlittermann via Exim-users
wrote:
Check your system for unusual activities.
Symptoms on a hacked system I got aware of were quite similar. The
log
reported about too many received headers:
.
Of course, this also required the patched exim to ensure the exploit
doesn't actually work (with the sender address).
comments?
cheers,
calum.
On 23/06/2019 6:51 pm, Calum Mackay via Exim-users wrote:
On 22/06/2019 9:44 am, Andreas Metzler via Exim-users wrote:
CVE-2019-10149 is not
On 22/06/2019 9:44 am, Andreas Metzler via Exim-users wrote:
CVE-2019-10149 is not that it is possible to submit a mail that ends
up frozen in the queue. CVE is a remote command execution
vulnerability. The fix for CVE-2019-10149 does not remove the
possibility to generate frozen mails in the queu
's impossible to be sure.
good points!
cheers,
calum.
On 19/06/2019 6:50 pm, Cyborg via Exim-users wrote:
Am 11.06.19 um 19:34 schrieb Calum Mackay via Exim-users:
I'm still catching up, but…
On 11/06/2019 7:43 am, Marius Schwarz via Exim-users wrote:
Why didn't you harden your exim
thanks Heiko, yes, good point re unstable.
In this case, the fix /was/ available in unstable, but a few other
issues with updating had led to a delay, on that system, which proved
unfortunate.
thanks,
calum.
On 19/06/2019 12:47 pm, Heiko Schlittermann via Exim-users wrote:
Calum Mackay via
, Jan Ingvoldstad via Exim-users wrote:
On Wed, Jun 19, 2019 at 1:26 PM Calum Mackay via Exim-users <
exim-users@exim.org> wrote:
Luckily, it looks like the trojans did nothing more than repeated
attempts to open up my ssh server to root logins, which I think (and
hope) didn't actuall
hi all,
My mail system has just been hacked; it's running Debian unstable exim
4.91-9
Could it be CVE-2019-10149? I don't see any reports of active exploits yet.
The reasons I suspect exim involvement:
• starting today, every 5 mins getting frozen messages:
The following address(es) have ye
Thanks Jeremy,
On 17/06/2019 6:20 pm, Jeremy Harris via Exim-users wrote:
On 17/06/2019 18:03, Calum Mackay via Exim-users wrote:
however, I've just tried it on a (virtual) display of the system itself,
and it doesn't work there either, so perhaps it's not a remote issue
ng something obvious here?
thanks,
calum.
On 17/06/2019 5:28 pm, Cyborg via Exim-users wrote:
Am 17.06.19 um 18:02 schrieb Calum Mackay via Exim-users:
In fact, I can't even get eximon to work properly, when remotely
displayed via X to my Mac.
e.g. shift-click doesn't seem to give me a
shall I go back to cmdline? :)
thanks,
calum.
On 16/06/2019 4:06 pm, Calum Mackay via Exim-users wrote:
thanks Jeremy,
On 16/06/2019 2:28 pm, Jeremy Harris via Exim-users wrote:
On 16/06/2019 14:10, Calum Mackay via Exim-users wrote:
Or do people not use geximon these days?
What's the dif
s wrote:
Calum Mackay via Exim-users wrote:
[...]
Or do people not use geximon these days?
It seems to be dead upstream, no changes since 2008.
https://github.com/dwatson/geximon/commits/master
cu Andreas
--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim
thanks Jeremy,
On 16/06/2019 2:28 pm, Jeremy Harris via Exim-users wrote:
On 16/06/2019 14:10, Calum Mackay via Exim-users wrote:
Or do people not use geximon these days?
What's the difference between it and plain-old eximon?
fair question; not much, I suppose. geximon looks nicer,
hi all,
Does anyone have a fix for geximon leaving tail processes running, using
up 100% cpu, after it exits?
I see a Debian (which I'm using) bug logged 18 months ago:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888734
but no action.
I could obviously run it from a wrapper th
Might this be relevant?
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929907
which also deals with GnuTLS record receive code.
cheers,
calum.
On 10/06/2019 4:51 pm, Arno Thuber via Exim-users wrote:
Hello,
today I suddenly started to see log lines telling me "A TLS fatal alert ha
I'm still catching up, but…
On 11/06/2019 7:43 am, Marius Schwarz via Exim-users wrote:
Why didn't you harden your exim with the "allowed chars" change we posted here
on the list, or did you?
Is that still necessary/advised, now I'm running 4.92?
thanks,
calum.
thanks all, for the replies.
On 11/06/2019 7:27 am, Odhiambo Washington wrote:
ought I to be reporting this anywhere?
Whom would you like to report to?? :-)
All vulnerable versions of Exim had a patch released several days ago.
Yes, I meant that there are clearly now exploits active, alth
22 matches