[NBLUG/talk] Exim remote root in the wild
Ed Rogers
ed at rogersecommerce.com
Sat Dec 25 13:29:30 PST 2010
It already got one of my servers on the 16th around 3PM (a few hours
before this email arrived). I patched it on the 16th, late in the
evening, without realizing I had been hit.
The first symptom is mail doesn't arrive. I didn't notice this at
first, because although that particular server has about 15 clients,
none of them use mail. They hate Horde. They love gmail, because it is
bulletproof and keeps their data confidential.
I finally saw it last night, in the course of investigating a number
of frozen messages that turned out to be spam sent to the webmaster.
Here is a really good link that contains some diagnostics and cleanup
procedures:
http://www.reddit.com/r/netsec/comments/en650/details_of_the_root_kit_that_got_installed_on_my/
Quoting "Troy Arnold" <troy at zenux.net>:
> A buddy of mine got nailed recently using Lenny's Exim. I guess this has
> been known for a week or so but this was the first I'd heard of it.
>
> Some details are here:
> http://www.kb.cert.org/vuls/id/682457
>
> and here:
> http://www.debian.org/security/2010/dsa-2131
>
> Patch 'em if you got 'em.
>
> -t
>
>
> _______________________________________________
> talk mailing list
> talk at nblug.org
> http://nblug.org/cgi-bin/mailman/listinfo/talk
>