[NBLUG/talk] Exim remote root in the wild

Ed Rogers ed at rogersecommerce.com
Sat Dec 25 13:29:30 PST 2010


It already got one of my servers on the 16th around 3PM (a few hours  
before this email arrived). I patched it on the 16th, late in the  
evening, without realizing I had been hit.

The first symptom is mail doesn't arrive. I didn't notice this at  
first, because although that particular server has about 15 clients,  
none of them use mail. They hate Horde. They love gmail, because it is  
bullet proof and keeps their data confidential.

I finally saw it last night, in the course of investigating a number  
of frozen messages that turned out to be spam sent to the webmaster.

Here is a really good link that contains some diagnostics and cleanup  
procedures:

http://www.reddit.com/r/netsec/comments/en650/details_of_the_root_kit_that_got_installed_on_my/

Quoting "Troy Arnold" <troy at zenux.net>:

> A buddy of mine got nailed recently using Lenny's Exim.  I guess this has
> been known for a week or so but this was the first I'd heard of it.
>
> Some details are here:
> http://www.kb.cert.org/vuls/id/682457
>
> and here:
> http://www.debian.org/security/2010/dsa-2131
>
> Patch 'em if you got 'em.
>
> -t
>
>
> _______________________________________________
> talk mailing list
> talk at nblug.org
> http://nblug.org/cgi-bin/mailman/listinfo/talk
>
