My next class:

Reports of Attacks against EXIM vulnerability

Published: 2010-12-17. Last Updated: 2010-12-17 17:40:25 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

Users of the popular exim mail server report attacks exploiting the recently patches vulnerability [1,2].  It appears that the attacks are scripted and installing popular rootkits. If you experienced an attack against exim: We are interested in packet captures or other logs showing how the attack is performed.

[1] http://www.reddit.com/r/netsec/comments/en650/details_of_the_root_kit_that_got_installed_on_my/
[2] http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: exim
4 comment(s)
My next class:

Comments

These 2 references seem to be people's unpatched systems getting owned - ie prior to 4.69-9+lenny1. [2]'s attack happened before the patch was available, so this was definitely in the wild. Before the security update was released.

I think that unless you've already been compromised, you shouldn't have a problem if you're running the latest.
Related:

cPanel vuln - updates...
- http://secunia.com/advisories/42625
Release Date: 2010-12-15
Criticality level: Extremely critical
- http://www.cpanel.net/2010/12/critical-exim-security-update.html
.
I left a comment on the Reddit article, but also make sure to check for running sshd's. I had one that started on port 59997. It was the system sshd, not the dropbear that the rootkit installed.

Oddly enough, the sshd tried to start more than once (hours apart), and wasn't installed by the rootkit's installation script. That leads me to believe it was started by ssh'ing in after the rootkit was installed. I had six machines get compromised at the same time, and all of them had the sshd running on port 59997.
This exploit seems likely to weed out all those servers still running Debian etch (oldstable) long after security support ended. Unfortunately I'm guilty of this too...

Debian's 'popcon' stats suggest some 66% of all participants are running Exim (it's the default MTA, automatically installed on desktops and servers), and I interpret from the 'popularity-contest' package version stats that at least 12% of Debian installations are not being updated.

Maybe the greatest threat will be to those 'internal' servers that some people feel they don't have to patch (or make any other effort to secure). One day malware will likely breach defences at the network perimeter and exploit such an internal service to steal data and wreak havoc.

Diary Archives