
Re: exim4 router problems since 2 days / suspicious process "zinit" in pstree



On Friday, 17 December 2010, Thorsten Göllner wrote:
> Hi,
> 
> I have installed Debian 5.0.7. For 2 days my exim4 has not delivered
> mail. I always get the message that the mail is not routeable. I only
> used "dpkg-reconfigure exim4-config" without touching any config file by
> hand. I detected a log message (panic log) which says that there was a
> "too large message". Since that point exim4 has stopped working.

The last exploit of exim4 is based on too large messages causing buffer 
overflows that can lead to root privileges. (Sorry for the simplification; full 
details are on the exim mailing list.)
 
> The other point is that pstree reports a process "zinit" I never saw in
> the past:
> 
> <snip>
>
> But I do not have any idea what it is. And I can not see the process
> with "ps":
> 

If pstree shows zinit and ps does not, it might mean that you are already 
rooted (owned, hacked, cracked, etc.), and your ps binary was modified to hide 
the presence of a rootkit named zinit.

> Do I have a security issue here? Any other idea?

IMHO yes, you have a security issue.

-- 
Regards
        Vladislav Kurz
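The pstree-versus-ps discrepancy above can be turned into a concrete check. The script below is an added example for this thread, not code from the poster, from Debian or from the exim project: it lists the PIDs the kernel exposes under /proc, lists the PIDs the (possibly trojaned) ps binary reports, and prints whatever /proc knows about any PID ps omits. It assumes Linux procfs semantics (numeric directories in /proc, /proc/PID/comm, exe and cmdline) and a ps that accepts `-e -o pid=`; the sample ps output and PID sets are constructed so the logic can be exercised offline, and the PID 4321 in them is made up.

```python
#!/usr/bin/env python3
"""Cross-check the kernel's process list (/proc) against what `ps` prints.

A userland rootkit that replaces ps (the scenario suspected in the thread)
usually filters the output of ps rather than removing entries from /proc,
so a PID present in /proc but absent from `ps -e` is worth a closer look.
Treat a hit as a lead, not proof: run the check on the suspect host with a
ps binary you trust (e.g. from known-good media), and remember that a
preloaded library can lie to every tool, including this script.
"""
import os
import subprocess

PROC_ROOT = "/proc"

# Constructed sample data (not captured from the poster's machine): plain
# `ps -e` output with a header line, plus a /proc listing that contains one
# extra PID, 4321, which ps does not report.
SAMPLE_PS_OUTPUT = """  PID TTY          TIME CMD
    1 ?        00:00:01 init
  842 ?        00:00:00 exim4
 1290 pts/0    00:00:00 ps
"""
SAMPLE_PROC_PIDS = {1, 842, 1290, 4321}


def parse_ps_pids(text):
    """Extract PIDs from ps output.

    Handles both `ps -e -o pid=` (bare numbers) and plain `ps -e` (header
    plus PID column): any line whose first token is all digits contributes
    that token, so header lines are skipped automatically.
    """
    pids = set()
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():
            pids.add(int(tokens[0]))
    return pids


def pids_from_ps(ps_binary="ps"):
    """PIDs as reported by the ps binary under test."""
    out = subprocess.run([ps_binary, "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps_pids(out)


def pids_from_proc(proc_root=PROC_ROOT):
    """PIDs the kernel exposes: every all-digit directory name under /proc."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def _alive_in_proc(pid):
    return os.path.isdir(os.path.join(PROC_ROOT, str(pid)))


def find_hidden(proc_pids, ps_pids, still_alive=_alive_in_proc):
    """Return, sorted, the PIDs seen in /proc but not reported by ps.

    The two snapshots are not atomic: a short-lived process can exit between
    them and would look hidden. Each candidate is therefore re-checked with
    `still_alive`, which is injectable so the logic runs without a real /proc.
    """
    return sorted(pid for pid in proc_pids - ps_pids if still_alive(pid))


def describe(pid, proc_root=PROC_ROOT):
    """Best-effort name, executable and command line, read straight from /proc."""
    base = os.path.join(proc_root, str(pid))
    try:
        with open(os.path.join(base, "comm")) as f:
            comm = f.read().strip()
    except OSError:
        comm = "?"
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = "?"  # unreadable for other users' processes unless run as root
    try:
        with open(os.path.join(base, "cmdline"), "rb") as f:
            cmdline = f.read().replace(b"\x00", b" ").decode(errors="replace").strip()
    except OSError:
        cmdline = "?"
    return f"pid={pid} comm={comm} exe={exe} cmdline={cmdline!r}"


def demo():
    """Run the comparison on the constructed sample data only (no live /proc)."""
    return find_hidden(SAMPLE_PROC_PIDS, parse_ps_pids(SAMPLE_PS_OUTPUT),
                       still_alive=lambda pid: True)


def main():
    # /proc is listed first, so the ps child spawned afterwards is not a candidate.
    hidden = find_hidden(pids_from_proc(), pids_from_ps())
    if not hidden:
        print("no PIDs hidden from ps")
        return
    print(f"{len(hidden)} PID(s) present in /proc but missing from ps output:")
    for pid in hidden:
        print("  " + describe(pid))
    if os.path.exists("/etc/ld.so.preload"):
        print("note: /etc/ld.so.preload exists; a preloaded library can hide "
              "processes from every tool, including this one")


if __name__ == "__main__":
    main()
```

On a Debian system, `debsums -c procps` (and `debsums -c exim4-base` for the MTA) is a cheap companion check: it reports packaged files whose checksums no longer match, which is exactly what a replaced ps binary would trip. Neither check is conclusive on a box that may be rooted; the reliable path is to image the disk and inspect it from trusted media.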
