RE: exim4 router problems since 2 days / sucpicous process "zinit" is pstree

To: <debian-security@lists.debian.org>
Subject: RE: exim4 router problems since 2 days / sucpicous process "zinit" is pstree
From: "Paul Stewart" <paul@paulstewart.org>
Date: Fri, 17 Dec 2010 07:07:20 -0500
Message-id: <[🔎] 002a01cb9de3$00f14520$02d3cf60$@org>
In-reply-to: <[🔎] 201012171235.51130.vladislav.kurz@webstep.net>
References: <[🔎] 4D0B42C5.9040707@ovm-group.com> <[🔎] 201012171235.51130.vladislav.kurz@webstep.net>

I have a question related to this security announcement and hope it's
appropriate to ask here...

I just recently installed a couple of machines with Debian 5 using
netinstall.  They are running Exim which reports as 4.69 in the banner.

I have ran aptitude update/upgrade and not seeing anything new for Exim - am
I safe to assume I'm up to date and not vulnerable to this security issue?
Sorry, just started using Debian - been at least 5 years since I ran it and
wanted to make sure....

Thanks,
Paul

-----Original Message-----
From: Vladislav Kurz [mailto:vladislav.kurz@webstep.net] 
Sent: December-17-10 6:36 AM
To: debian-security@lists.debian.org
Subject: Re: exim4 router problems since 2 days / sucpicous process "zinit"
is pstree

On Friday 17 of December 2010, Thorsten Göllner wrote:
> Hi,
> 
> I have installed Debian 5.0.7. Since 2 days my exim4 does not deliver
> mails. I always get the message, that the mail is not routeable. I only
> used "dpkg-reconfigure exim4-config" without touching one config file by
> hand. I detected a log message (panic log) which says, that there was a
> "too large message". Since that point exim4 stopped working.

The last exploit of exim4 is based on too large messages causing buffer 
owerflows that can lead to root privileges. (Sorry for simplification, full 
details are on exim mailing list).

> The other point is that pstree reports a process "zinit" I never saw in
> the past:
> 
> <snip>
>
> But I do not have any idea what it is. And I can not see the process
> with "ps":
> 

If pstree shows zinit and ps does not, it might mean that you are already 
rooted (owned, hacked, cracked, etc), and your ps binary was modified to
hide 
the presence of rootkit named zinit.

> Do I have a security issue here? Any other idea?

IMHO yes, you have a security issue.

-- 
Regards
        Vladislav Kurz

-- 
To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
Archive:
[🔎] 201012171235.51130.vladislav.kurz@webstep.net">http://lists.debian.org/[🔎] 201012171235.51130.vladislav.kurz@webstep.net

Reply to:

Follow-Ups:
- Re: exim4 router problems since 2 days / sucpicous process "zinit" is pstree
  - From: Vladislav Kurz <vladislav.kurz@webstep.net>
- RE: exim4 router problems since 2 days / sucpicous process "zinit" is pstree
  - From: Eduardo M KALINOWSKI <eduardo@kalinowski.com.br>

References:
- exim4 router problems since 2 days / sucpicous process "zinit" is pstree
  - From: Thorsten Göllner <tg@ovm-group.com>
- Re: exim4 router problems since 2 days / sucpicous process "zinit" is pstree
  - From: Vladislav Kurz <vladislav.kurz@webstep.net>

Prev by Date: Re: exim4 router problems since 2 days / sucpicous process "zinit" is pstree
Next by Date: Re: exim4 router problems since 2 days / sucpicous process "zinit" is pstree
Previous by thread: Re: exim4 router problems since 2 days / sucpicous process "zinit" is pstree
Next by thread: Re: exim4 router problems since 2 days / sucpicous process "zinit" is pstree
Index(es):
- Date
- Thread