Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree
On Friday 17 of December 2010, Thorsten Göllner wrote:
> Hi,
>
> I have installed Debian 5.0.7. Since 2 days my exim4 does not deliver
> mails. I always get the message, that the mail is not routeable. I only
> used "dpkg-reconfigure exim4-config" without touching one config file by
> hand. I detected a log message (panic log) which says, that there was a
> "too large message". Since that point exim4 stopped working.
The last exploit of exim4 is based on too large messages causing buffer
overflows that can lead to root privileges. (Sorry for the simplification, full
details are on the exim mailing list).
> The other point is that pstree reports a process "zinit" I never saw in
> the past:
>
> <snip>
>
> But I do not have any idea what it is. And I can not see the process
> with "ps":
>
If pstree shows zinit and ps does not, it might mean that you are already
rooted (owned, hacked, cracked, etc), and your ps binary was modified to hide
the presence of a rootkit named zinit.
> Do I have a security issue here? Any other idea?
IMHO yes, you have a security issue.
--
Regards
Vladislav Kurz
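
The discrepancy discussed in this reply (pstree lists a process that ps does not) can be checked systematically by comparing the output of ps with the PID directories in /proc, which is where pstree gets its data. This is an added example, not part of the original message; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example: compare the process list reported by ps with /proc.
# Function names are illustrative, not from any existing tool.

# PIDs taken straight from /proc (or a directory given as $1), no ps involved.
proc_pids() {
    for d in "${1:-/proc}"/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d##*/}"
    done | sort -n
}

# PIDs as reported by the installed ps binary.
ps_pids() {
    ps -e -o pid= | tr -d ' ' | sort -n
}

# hidden_pids PROC_LIST PS_LIST: print PIDs in PROC_LIST missing from PS_LIST.
hidden_pids() {
    grep -vxF -f "$2" "$1" || true
}

scan_live() {
    tmp=$(mktemp -d) || return 1
    # ps snapshots before and after the /proc listing, so that processes
    # starting during the scan are not reported as hidden.
    ps_pids > "$tmp/ps1"
    proc_pids > "$tmp/proc"
    ps_pids > "$tmp/ps2"
    sort -u "$tmp/ps1" "$tmp/ps2" > "$tmp/ps"
    hidden_pids "$tmp/proc" "$tmp/ps" | while read -r pid; do
        [ -d "/proc/$pid" ] || continue   # exited during the scan
        printf 'in /proc but not in ps: PID %s (%s)\n' "$pid" \
            "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    done
    rm -rf "$tmp"
}

# Run against the live system only when asked: sh check.sh scan
if [ "${1:-}" = "scan" ]; then
    scan_live
fi
```

An empty result does not clear the machine: a rootkit that hooks the kernel can filter /proc as well, so the comparison is best repeated with known-good binaries from trusted rescue media.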