From: Adam Spiers <bitfolk@adamspiers.org>
To: Andy Smith <andy@bitfolk.com>
Cc: users@lists.bitfolk.com
Sent: Thu, December 16, 2010 10:16:10 AM
Subject: Re: [bitfolk] Exim remote root exploit
Hi all,
Maybe stating the obvious but despite many years of Linux experience I
got bitten :-(
I upgraded exim to the patched version immediately after reading
Dominic's warning a few days ago, but I think I forgot to restart it
in order for the patch to take effect, and this morning I woke up to
an email warning me that exim's paniclog contained:
2010-12-16 02:30:31 string too large in smtp_notquit_exit()
2010-12-16 04:37:17 string too large in smtp_notquit_exit()
2010-12-16 07:39:30 string too large in smtp_notquit_exit()
which sounds very much like the exploit. ARGH.
I installed chkrootkit, rkhunter, and unhide. rkhunter found nothing
of apparent substance, but chkrootkit said:
Checking `lkm'... You have 1 process hidden for ps command
chkproc: Warning: Possible LKM Trojan installed
and 'unhide proc' output:
Unhide 20080519
yjesus@security-projects.com
[*]Searching for Hidden processes through /proc scanning
Found HIDDEN PID: 28213
Command: -bash
This bash process doesn't go away with a reboot. So I'm guessing
that these days the kids are using trojan kernel modules, which is no
surprise as they are far more effective than the old-fashioned ones.
This is my first experience with exim and I have to say I'm pretty
disgusted with it. This would never have happened with postfix (which
would have been my first choice), as it has proper privilege separation -
I can't believe in this day and age we're still using MTAs which run
monolithically as root.
I was hoping to compare the contents of /boot with the backups, but I
see these are not backed up. I installed debsums and it revealed the
following, although I'm not yet sure if this indicates a LKM rootkit or
not:
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.dep
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.pcimap
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.seriomap
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.symbols
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.usbmap
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.ieee1394map
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.alias
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.isapnpmap
debsums: checksum mismatch linux-modules-2.6.26-1-xen-686 file
/lib/modules/2.6.26-1-xen-686/modules.inputmap
debsums: checksum mismatch linux-modules-2.6.26-2-xen-686 file
/lib/modules/2.6.26-2-xen-686/modules.ieee1394map
debsums: checksum mismatch linux-modules-2.6.26-2-xen-686 file
/lib/modules/2.6.26-2-xen-686/modules.alias
debsums: checksum mismatch linux-modules-2.6.26-2-xen-686 file
/lib/modules/2.6.26-2-xen-686/modules.usbmap
debsums: checksum mismatch linux-modules-2.6.26-2-xen-686 file
/lib/modules/2.6.26-2-xen-686/modules.seriomap
debsums: checksum mismatch linux-modules-2.6.26-2-xen-686 file
/lib/modules/2.6.26-2-xen-686/modules.pcimap
debsums: checksum mismatch linux-modules-2.6.26-2-xen-686 file
/lib/modules/2.6.26-2-xen-686/modules.isapnpmap
debsums: checksum mismatch linux-modules-2.6.26-2-xen-686 file
/lib/modules/2.6.26-2-xen-686/modules.dep
debsums: checksum mismatch linux-modules-2.6.26-2-xen-686 file
/lib/modules/2.6.26-2-xen-686/modules.symbols
[snip]
debsums: checksum mismatch procps file /bin/ps
debsums: checksum mismatch procps file /bin/kill
debsums: checksum mismatch procps file /usr/bin/top
debsums: checksum mismatch procps file /usr/bin/tload
debsums: checksum mismatch procps file /usr/bin/pmap
debsums: checksum mismatch procps file /usr/bin/pwdx
debsums: checksum mismatch procps file /usr/bin/watch
debsums: checksum mismatch procps file /usr/bin/vmstat
debsums: checksum mismatch procps file /usr/bin/skill
debsums: checksum mismatch procps file /usr/bin/uptime
debsums: checksum mismatch procps file /usr/bin/pgrep
debsums: checksum mismatch procps file /usr/bin/free
debsums: checksum mismatch procps file /usr/bin/slabtop
debsums: checksum mismatch procps file /sbin/sysctl
For now I have shut down networking and am only using the Xen console.
Adam
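The `unhide proc` run quoted above works by brute-forcing the whole PID range and comparing the kernel's answer with what `/proc` lists; a PID that exists but is absent from `/proc` is what ps, top and pgrep can no longer see. The following is an added example of that check written for this page; it is not code from the thread, from unhide or from chkrootkit. It probes with `kill(pid, 0)`, takes the range from `/proc/sys/kernel/pid_max`, and does a second pass to discard processes that merely started or exited during the scan. The constructed demo data (PID 28213 reused from the message as a sample, plus two invented PIDs) is labelled as such.

```python
import os
from typing import Callable, Set


def pids_listed_in_proc(proc_root: str = "/proc") -> Set[int]:
    """PIDs present as numeric directories under /proc. This is the view that
    ps, top and pgrep rely on, and the one a process-hiding module tampers with."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pid_exists_via_kill(pid: int) -> bool:
    """Ask the kernel directly with kill(pid, 0). No signal is delivered; ESRCH
    means 'no such process', while success or EPERM means it exists (EPERM just
    says it belongs to another user)."""
    try:
        os.kill(pid, 0)
    except ProcessLookupError:
        return False
    except PermissionError:
        return True
    return True


def read_pid_max(path: str = "/proc/sys/kernel/pid_max") -> int:
    """Upper bound of the PID space on this kernel, so the brute force is complete."""
    with open(path) as f:
        return int(f.read().strip())


def find_hidden_pids(listed: Set[int], probe: Callable[[int], bool],
                     pid_max: int) -> Set[int]:
    """First pass: every PID from 1 to pid_max that the kernel says exists but
    that is missing from the /proc listing is a candidate hidden process."""
    return {pid for pid in range(1, pid_max + 1)
            if pid not in listed and probe(pid)}


def confirm_hidden(candidates: Set[int], relist: Callable[[], Set[int]],
                   probe: Callable[[int], bool]) -> Set[int]:
    """Second pass to weed out races: a process that started after the first
    listing now appears in a fresh listing and is dropped; one that has since
    exited fails the probe and is dropped too. What survives is genuinely hidden."""
    fresh = relist()
    return {pid for pid in candidates if pid not in fresh and probe(pid)}


def scan(proc_root: str = "/proc") -> Set[int]:
    """Run both passes against the live system (Linux only)."""
    pid_max = read_pid_max(os.path.join(proc_root, "sys", "kernel", "pid_max"))
    first = find_hidden_pids(pids_listed_in_proc(proc_root), pid_exists_via_kill, pid_max)
    return confirm_hidden(first, lambda: pids_listed_in_proc(proc_root), pid_exists_via_kill)


def demo_constructed() -> Set[int]:
    """Constructed sample, not a real host: /proc lists 1, 2 and 100, but the
    kernel also admits to 28213 (hidden), 4242 (started mid-scan, so it appears
    in the re-listing) and 555 (exited before the second pass)."""
    listed = {1, 2, 100}
    def alive(pid: int) -> bool:
        return pid in {1, 2, 100, 28213, 4242}
    candidates = find_hidden_pids(listed, alive, 32768)
    candidates.add(555)  # pretend 555 was alive during the first pass only
    return confirm_hidden(candidates, lambda: {1, 2, 100, 4242}, alive)


if __name__ == "__main__":
    print("constructed demo, hidden PIDs:", sorted(demo_constructed()))
    if os.path.isdir("/proc"):
        print("live scan, hidden PIDs:", sorted(scan()) or "none")
```

A module that hooks the syscall table can lie to `kill()` as easily as it lies to `readdir()` on `/proc`, so a clean result from inside the running kernel is weak evidence; checking the filesystem from the Xen console with networking down, or from a rescue boot, is the stronger test.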
On 13 December 2010 17:37, Andy Smith <andy@bitfolk.com> wrote:
> Hi Adam,
>
> $ zcat /usr/share/doc/exim4/changelog.Debian.gz | head -7
> exim4 (4.69-9+lenny1) stable-security; urgency=high
>
> * Non-maintainer upload by the Security Team.
> * Fix SMTP file descriptors being leaked to processes invoked with ${run...}
> * Fix memory corruption issue in string_format(). CVE-2010-4344
> * Fix potential memory pool corruption issue in internal_lsearch_find().
>
> Cheers,
> Andy
>
> On Mon, Dec 13, 2010 at 05:33:21PM +0000, Adam Spiers wrote:
>> After I upgraded, I looked for details under /usr/share/doc/exim4/
>> but it looked like none of the various changelog files had been updated
>> to explain the exact changes in 4.69-9+lenny1 - or am I missing
>> something?
>>
>> Maybe apt-listchanges would have been more helpful, but I had
>> already upgraded before I thought of installing it.
>
> --
> http://bitfolk.com/ -- No-nonsense VPS hosting
>
> _______________________________________________
> users mailing list
> users@lists.bitfolk.com
> https://lists.bitfolk.com/mailman/listinfo/users
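The debsums output earlier in the message is the result of comparing each installed file against the MD5 recorded by dpkg in `/var/lib/dpkg/info/<package>.md5sums` (one `<md5>  <path relative to />` line per file). The following is an added example of that comparison, written for this page and not taken from debsums or from the thread. It builds a constructed fake root with a pristine `bin/kill` and a tampered `bin/ps` so it runs offline; against a real host you would feed it the md5sums file for `procps` with `root="/"`. Two caveats worth keeping in mind when reading such output: files like `modules.dep` and `modules.alias` are regenerated by `depmod` after the kernel package is installed, so mismatches there are typically expected, whereas `/bin/ps` and its siblings are never rewritten legitimately; and the md5sums file itself lives on the compromised disk, so a root-level intruder can rewrite it, which makes a comparison against the original `.deb` from the mirror the more trustworthy check.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def parse_md5sums(text: str) -> Dict[str, str]:
    """Parse dpkg's md5sums format: '<32 hex digits>  <path relative to />'."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel_path = line.partition("  ")
        if len(digest) != 32 or not rel_path:
            raise ValueError(f"malformed md5sums line: {line!r}")
        entries[rel_path] = digest.lower()
    return entries


def md5_of_file(path: str) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_md5sums(md5sums_text: str, root: str = "/") -> List[str]:
    """Return, sorted, the relative paths whose on-disk MD5 differs from the
    recorded one or which are missing entirely. An empty list means all files
    still match what the package installed."""
    bad: List[str] = []
    for rel_path, expected in parse_md5sums(md5sums_text).items():
        full = os.path.join(root, rel_path)
        if not os.path.isfile(full) or md5_of_file(full) != expected:
            bad.append(rel_path)
    return sorted(bad)


def build_demo_tree() -> str:
    """Constructed fixture, not a real system: a fake root in a temp directory
    holding a pristine bin/kill, a tampered bin/ps, and the md5sums file that
    dpkg would have recorded for the pristine versions of both."""
    root = tempfile.mkdtemp(prefix="md5sums-demo-")
    os.makedirs(os.path.join(root, "bin"))
    pristine_ps = b"#!/bin/sh\necho pristine ps\n"
    pristine_kill = b"#!/bin/sh\necho pristine kill\n"
    md5sums = (f"{hashlib.md5(pristine_ps).hexdigest()}  bin/ps\n"
               f"{hashlib.md5(pristine_kill).hexdigest()}  bin/kill\n")
    with open(os.path.join(root, "procps.md5sums"), "w") as f:
        f.write(md5sums)
    with open(os.path.join(root, "bin", "kill"), "wb") as f:
        f.write(pristine_kill)
    # The "installed" ps has been replaced; its recorded hash no longer matches.
    with open(os.path.join(root, "bin", "ps"), "wb") as f:
        f.write(b"#!/bin/sh\necho tampered ps\n")
    return root


def demo_mismatches() -> List[str]:
    """Run the check over the constructed tree; only bin/ps should be reported."""
    root = build_demo_tree()
    with open(os.path.join(root, "procps.md5sums")) as f:
        return check_md5sums(f.read(), root)


if __name__ == "__main__":
    for rel_path in demo_mismatches():
        print(f"checksum mismatch: /{rel_path}")
```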