SANS ISC: SANS Internet Storm Center SANS ISC InfoSec Forums
Reports of Attacks against EXIM vulnerability

Users of the popular Exim mail server report attacks exploiting the recently patched vulnerability [1,2]. It appears that the attacks are scripted and install popular rootkits. If you experienced an attack against Exim, we are interested in packet captures or other logs showing how the attack is performed.


Johannes B. Ullrich, Ph.D.
SANS Technology Institute



4346 Posts
ISC Handler
Dec 17th 2010
These 2 references seem to be people's unpatched systems getting owned, i.e. prior to 4.69-9+lenny1. [2]'s attack happened before the patch was available, so this was definitely in the wild before the security update was released.

I think that unless you've already been compromised, you shouldn't have a problem if you're running the latest.

12 Posts

cPanel vuln - updates...
Release Date: 2010-12-15
Criticality level: Extremely critical

160 Posts
I left a comment on the Reddit article, but also make sure to check for running sshd's. I had one that started on port 59997. It was the system sshd, not the dropbear that the rootkit installed.

Oddly enough, the sshd tried to start more than once (hours apart), and wasn't installed by the rootkit's installation script. That leads me to believe it was started by ssh'ing in after the rootkit was installed. I had six machines get compromised at the same time, and all of them had the sshd running on port 59997.
1 Posts
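The check the commenter above describes, looking for SSH daemons listening on unexpected ports, can be automated over the output of `ss -ltnp` (or `netstat -ltnp`). The script below is an added example, not from the ISC diary or any commenter; the listener table is constructed sample data that reuses the reported port 59997, and the pids and the dropbear port 2222 are made up. It flags any `sshd` or `dropbear` listener whose port differs from the expected one (22 by default).

```shell
#!/bin/sh
# Added example (not from the ISC diary or its commenters): flag SSH daemons
# (the system sshd or a dropbear binary) listening on ports other than the
# expected one. On a live host feed it:  ss -ltnp | flag_odd_ssh_listeners

# Constructed sample in the layout of `ss -ltnp`. Port 59997 is the one the
# commenter reported; the pids and the dropbear port are invented for the demo.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:25          0.0.0.0:*     users:(("exim4",pid=1020,fd=4))
LISTEN 0      128    0.0.0.0:59997       0.0.0.0:*     users:(("sshd",pid=23411,fd=3))
LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*     users:(("dropbear",pid=23502,fd=3))'

# Reads ss/netstat-style lines on stdin and prints "port process pid" for every
# sshd or dropbear listener not bound to the expected port (first argument,
# default 22). Exim, web servers and so on are ignored.
flag_odd_ssh_listeners() {
    expected="${1:-22}"
    awk -v ok="$expected" '
        /^LISTEN/ {
            # Field 4 is the local address; the port follows the last colon.
            n = split($4, a, ":"); port = a[n]
            # Pull the first ("name",pid=N) pair out of the Process column.
            if (match($0, /users:\(\("[^"]+",pid=[0-9]+/)) {
                s = substr($0, RSTART, RLENGTH)
                sub(/users:\(\("/, "", s)
                split(s, p, "\",pid=")
                proc = p[1]; pid = p[2]
                if ((proc == "sshd" || proc == "dropbear") && port != ok)
                    print port, proc, pid
            }
        }'
}

# Run the sample through the check; on a real system pipe in ss -ltnp instead.
printf '%s\n' "$SAMPLE_SS" | flag_odd_ssh_listeners
```

A hit from this check is only a lead: the commenter's point is that the extra sshd was the system binary, so the next step is comparing the listener's pid, binary path and start time against the package manager's view of the host rather than trusting the process name.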
This exploit seems likely to weed out all those servers still running Debian etch (oldstable) long after security support ended. Unfortunately I'm guilty of this too...

Debian's 'popcon' stats suggest some 66% of all participants are running Exim (it's the default MTA, automatically installed on desktops and servers), and I interpret from the 'popularity-contest' package version stats that at least 12% of Debian installations are not being updated.

Maybe the greatest threat will be to those 'internal' servers that some people feel they don't have to patch (or make any other effort to secure). One day malware will likely breach defences at the network perimeter and exploit such an internal service to steal data and wreak havoc.
Steven C.

171 Posts
