[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

RE: exim4 router problems since 2 days / sucpicous process "zinit" is pstree

I have a question related to this security announcement and hope it's
appropriate to ask here...

I just recently installed a couple of machines with Debian 5 using
netinstall.  They are running Exim which reports as 4.69 in the banner.

I have ran aptitude update/upgrade and not seeing anything new for Exim - am
I safe to assume I'm up to date and not vulnerable to this security issue?
Sorry, just started using Debian - been at least 5 years since I ran it and
wanted to make sure....


-----Original Message-----
From: Vladislav Kurz [mailto:vladislav.kurz@webstep.net] 
Sent: December-17-10 6:36 AM
To: debian-security@lists.debian.org
Subject: Re: exim4 router problems since 2 days / sucpicous process "zinit"
is pstree

On Friday 17 of December 2010, Thorsten Göllner wrote:
> Hi,
> I have installed Debian 5.0.7. Since 2 days my exim4 does not deliver
> mails. I always get the message, that the mail is not routeable. I only
> used "dpkg-reconfigure exim4-config" without touching one config file by
> hand. I detected a log message (panic log) which says, that there was a
> "too large message". Since that point exim4 stopped working.

The last exploit of exim4 is based on too large messages causing buffer 
owerflows that can lead to root privileges. (Sorry for simplification, full 
details are on exim mailing list).
> The other point is that pstree reports a process "zinit" I never saw in
> the past:
> <snip>
> But I do not have any idea what it is. And I can not see the process
> with "ps":

If pstree shows zinit and ps does not, it might mean that you are already 
rooted (owned, hacked, cracked, etc), and your ps binary was modified to
the presence of rootkit named zinit.

> Do I have a security issue here? Any other idea?

IMHO yes, you have a security issue.

        Vladislav Kurz

To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
[🔎] 201012171235.51130.vladislav.kurz@webstep.net">http://lists.debian.org/[🔎] 201012171235.51130.vladislav.kurz@webstep.net

Reply to: