Hi all,
Maybe stating the obvious but despite many years of Linux experience I
got bitten :-(
I upgraded exim to the patched version immediately after reading
Dominic's warning a few days ago, but I think I forgot to restart it
in order for the patch to take effect, and this morning I woke up to
an email warning me that exim's paniclog contained:
2010-12-16 02:30:31 string too large in smtp_notquit_exit()
2010-12-16 04:37:17 string too large in smtp_notquit_exit()
2010-12-16 07:39:30 string too large in smtp_notquit_exit()
which sounds very much like the exploit. ARGH.
I installed chkrootkit, rkhunter, and unhide. rkhunter found nothing
of apparent substance, but chkrootkit said:
Checking `lkm'... You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
and 'unhide proc' output:
Unhide 20080519
yjesus(a)security-projects.com
[*]Searching for Hidden processes through /proc scanning
Found HIDDEN PID: 28213
Command: -bash
This bash process doesn't go away with a reboot. So I'm guessing
that these days the kids are using trojan kernel modules, which is
no surprise as they are far more effective than the old-fashioned
ones.
This is my first experience with exim and I have to say I'm pretty
disgusted with it. This would never have happened with postfix, which
would have been my first choice, as it has proper privilege separation.
I can't believe in this day and age we're still using MTAs which run
monolithically as root.
I was hoping to compare the contents of /boot with the backups, but I
see these are not backed up. I installed debsums and it revealed the
following, although I'm not yet sure if this indicates a LKM rootkit or
not:
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.dep
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.pcimap
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.seriomap
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.symbols
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.usbmap
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.ieee1394map
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.alias
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.isapnpmap
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.inputmap
debsums: checksum mismatch linux-modules-2.6.26-2-xen-686 file
/lib/modules/2.6.26-2-xen-686/modules.ieee1394map
debsums: checksum mismatch linux-modules-2.6.26-2-xen-686 file
/lib/modules/2.6.26-2-xen-686/modules.alias
debsums: checksum mismatch linux-modules-2.6.26-2-xen-686 file
/lib/modules/2.6.26-2-xen-686/modules.usbmap
debsums: checksum mismatch linux-modules-2.6.26-2-xen-686 file
/lib/modules/2.6.26-2-xen-686/modules.seriomap
debsums: checksum mismatch linux-modules-2.6.26-2-xen-686 file
/lib/modules/2.6.26-2-xen-686/modules.pcimap
debsums: checksum mismatch linux-modules-2.6.26-2-xen-686 file
/lib/modules/2.6.26-2-xen-686/modules.isapnpmap
debsums: checksum mismatch linux-modules-2.6.26-2-xen-686 file
/lib/modules/2.6.26-2-xen-686/modules.dep
debsums: checksum mismatch linux-modules-2.6.26-2-xen-686 file
/lib/modules/2.6.26-2-xen-686/modules.symbols
[snip]
debsums: checksum mismatch procps file /bin/ps
debsums: checksum mismatch procps file /bin/kill
debsums: checksum mismatch procps file /usr/bin/top
debsums: checksum mismatch procps file /usr/bin/tload
debsums: checksum mismatch procps file /usr/bin/pmap
debsums: checksum mismatch procps file /usr/bin/pwdx
debsums: checksum mismatch procps file /usr/bin/watch
debsums: checksum mismatch procps file /usr/bin/vmstat
debsums: checksum mismatch procps file /usr/bin/skill
debsums: checksum mismatch procps file /usr/bin/uptime
debsums: checksum mismatch procps file /usr/bin/pgrep
debsums: checksum mismatch procps file /usr/bin/free
debsums: checksum mismatch procps file /usr/bin/slabtop
debsums: checksum mismatch procps file /sbin/sysctl
For now I have shut down networking and am only using the Xen console.
Adam
On 13 December 2010 17:37, Andy Smith <andy(a)bitfolk.com> wrote:
Hi Adam,
$ zcat /usr/share/doc/exim4/changelog.Debian.gz | head -7
exim4 (4.69-9+lenny1) stable-security; urgency=high
* Non-maintainer upload by the Security Team.
* Fix SMTP file descriptors being leaked to processes invoked with ${run...}
* Fix memory corruption issue in string_format(). CVE-2010-4344
* Fix potential memory pool corruption issue in internal_lsearch_find().
Cheers,
Andy
On Mon, Dec 13, 2010 at 05:33:21PM +0000, Adam Spiers wrote:
After I upgraded, I looked for details under
/usr/share/doc/exim4/
but it looked like none of the various changelog files had been updated
to explain the exact changes in 4.69-9+lenny1 - or am I missing
something?
Maybe apt-listchanges would have been more helpful, but I had
already upgraded before I thought of installing it.
--
http://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
users mailing list
users(a)lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users
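Editor's note on the two checks run above. The `unhide proc` result and the debsums output are the kind of thing worth reproducing by hand, so here is an added example (not from the thread, and not unhide's or debsums' own code) that does both: it cross-checks three views of the process table (the /proc directory listing, a kill(pid, 0) probe of every PID up to pid_max, and the output of `ps`, which is itself suspect once debsums flags /bin/ps), and it sorts debsums mismatches into expected and suspicious. It assumes Linux and Python 3; the rule that only `/lib/modules/<ver>/modules.*` mismatches are benign is my assumption for this example (Debian's kernel module packages run depmod from postinst, which rewrites those files), and the sample debsums lines in the test are constructed from the output quoted above.

```python
#!/usr/bin/env python3
"""Triage helpers for a suspected LKM rootkit: find PIDs hidden from ps and
sort debsums mismatches. Added example; not the poster's or unhide's code."""
import os
import re
import subprocess
from typing import Callable, Dict, Iterable, Set

# --- hidden processes: the idea behind `unhide proc` and `unhide brute` ---

def proc_pids() -> Set[int]:
    """Thread-group leaders visible as numeric entries of /proc."""
    return {int(d) for d in os.listdir("/proc") if d.isdigit()}

def thread_ids(leaders: Set[int]) -> Set[int]:
    """All thread IDs under /proc/<pid>/task. kill(2) answers for these too,
    but neither `ls /proc` nor `ps -e` lists them, so they must be excluded
    before anything is called 'hidden'."""
    tids: Set[int] = set()
    for pid in leaders:
        try:
            tids.update(int(t) for t in os.listdir(f"/proc/{pid}/task"))
        except OSError:  # process exited while we were scanning
            continue
    return tids

def probe_pids(pid_max: int,
               probe: Callable[[int, int], None] = os.kill) -> Set[int]:
    """Brute-force every PID with kill(pid, 0). ESRCH means no such process;
    EPERM means it exists but is not ours. A rootkit that only filters the
    /proc directory listing cannot hide from this unless it also hooks kill."""
    alive: Set[int] = set()
    for pid in range(1, pid_max + 1):
        try:
            probe(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        alive.add(pid)
    return alive

def parse_ps_pids(ps_output: str) -> Set[int]:
    """PIDs from `ps -eo pid=` (one PID per line; a header is tolerated)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}

def hidden_pids(proc: Set[int], probed: Set[int], tids: Set[int],
                ps: Set[int]) -> Dict[str, Set[int]]:
    """Compare the three views. The process table is racy, so confirm any
    hit by running the scan a second time and intersecting the results."""
    non_leader_threads = tids - proc
    real = (proc | probed) - non_leader_threads
    return {
        "hidden_from_ps": real - ps,                  # /proc or kill() sees it, ps does not
        "hidden_from_proc": (probed - tids) - proc,   # kill() sees it, /proc does not
    }

def scan_live() -> Dict[str, Set[int]]:
    """Run all views on this host (Linux; root gives the fullest picture)."""
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                            text=True, check=True).stdout
    leaders = proc_pids()
    return hidden_pids(leaders, probe_pids(pid_max), thread_ids(leaders),
                       parse_ps_pids(ps_out))

# --- debsums triage ---

DEBSUMS_RE = re.compile(r"^debsums: checksum mismatch (\S+) file (\S+)$")
# Assumption for this example: the only benign mismatches are the files depmod
# rewrites from the kernel module package's postinst (modules.dep, .alias,
# .symbols, the *map files). Everything else is treated as suspicious.
REGENERATED = re.compile(r"^/lib/modules/[^/]+/modules\.[A-Za-z0-9.]+$")

def triage_debsums(lines: Iterable[str]) -> Dict[str, Dict[str, list]]:
    """Group debsums mismatches by package, split into expected and suspicious.
    Binaries such as /bin/ps have no packaging reason to differ and should be
    compared byte-for-byte against the .deb fetched from a trusted mirror."""
    out: Dict[str, Dict[str, list]] = {"expected": {}, "suspicious": {}}
    for line in lines:
        m = DEBSUMS_RE.match(line.strip())
        if not m:
            continue
        pkg, path = m.groups()
        bucket = "expected" if REGENERATED.match(path) else "suspicious"
        out[bucket].setdefault(pkg, []).append(path)
    return out

if __name__ == "__main__":
    for view, pids in scan_live().items():
        print(view, sorted(pids))
```

Two caveats when using this on a box like the one described: a module that hooks both the /proc readdir path and kill(2) (or getdents on /proc/<pid>/task) will fool every view above, which is why the only trustworthy check is from outside the guest, e.g. from the dom0 or a rescue image; and once an attacker has root, the md5sums lists debsums reads from /var/lib/dpkg/info can be rewritten too, so a clean debsums run proves nothing on its own.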