Sebastian Tennant
2010-Dec-17 18:26 UTC
[Pkg-exim4-users] Urgent: Can't install security update after recent exploit
Hi list,
I've been bitten by the recent exploit (Bug 1044 / CVE-2010-4345).
Here are the steps I've taken so far to try and rectify the situation:
1. Shut down exim4.
2. Removed the two attacker files /var/spool/exim4/s & /var/spool/exim4/s.c
   (both zero length at the time I discovered them and I had to 'chattr -ai'
   them before they would go away).
3. Removed the two attacker files /etc/exim4/exim.conf &
   /etc/exim4/exim4.conf.
4. Ran update-exim4.conf and performed a visual check on
   /var/lib/exim4/config.autogenerated.
5. Attempted to install the security update:
   apt-get install exim4 exim4-base exim4-config exim4-daemon-light
   but the post-installation script for package exim4-config failed with exit
   status 20.
It's probably also worth noting that my existing exim4 executable binary
(/usr/sbin/exim4) has most definitely been compromised:
-rwsr-xr-x 1 root root 695968 Dec 10 14:01 exim4
(Note suid and modification date)
So, what next?
Left to my own devices, I'll probably backup /etc/exim4/, apt-get purge all
exim packages, re-install them from scratch (hopefully the post-installation
script for package exim4-config won't fail this time), restore my /etc/exim4/
directory, re-run update-exim4.conf and restart exim.
Any advice much appreciated.
Sebastian
--
Emacs' AlsaPlayer - Music Without Jolts
Lightweight, full-featured and mindful of your idyllic happiness.
http://home.gna.org/eap
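The two signs Sebastian spotted on /usr/sbin/exim4 (a checksum that no longer matches the package and an unexpected setuid bit) are exactly what a defender checks first across the whole package set. The following script is an added example and is not code from this thread or from Debian's exim4 packaging; it reimplements the core of what the Debian tool debsums does, reading a dpkg-style md5sums list ("<md5>  <path relative to />", the format of the files under /var/lib/dpkg/info/) and flagging modified, missing and setuid files. The demo runs on a constructed fake root in a temporary directory, so it works offline; the file names in it are invented. It assumes paths contain no whitespace.

```shell
#!/bin/sh
# Added example (not from the mailing list or the exim4 package): verify
# installed files against a dpkg-style md5sums list and list setuid files.
# A match proves little on a rooted box (a compromised kernel or libc can lie
# to md5sum and find), but a mismatch on a package binary is strong evidence.

# verify_md5sums MD5FILE [ROOT]
# MD5FILE lines look like "<md5>  usr/sbin/exim4" (no leading slash), as in
# /var/lib/dpkg/info/<package>.md5sums. Prints "MISMATCH <file>" or
# "MISSING <file>" per problem and returns 1 if any was found, else 0.
verify_md5sums() {
    md5file=$1
    root=${2:-/}
    status=0
    while read -r want rel; do
        [ -z "$rel" ] && continue          # skip blank lines
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            status=1
            continue
        fi
        have=$(md5sum "$f" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $f"
            status=1
        fi
    done < "$md5file"
    return $status
}

# list_setuid DIR
# Prints every regular file under DIR that carries the setuid bit (4000).
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# demo: builds a constructed fake root with one untouched file, one replaced
# setuid binary and one missing file, then runs both checks against it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/usr/sbin" "$tmp/root/usr/share/doc/exim4"
    printf 'package documentation\n' > "$tmp/root/usr/share/doc/exim4/README"
    printf 'replaced by attacker\n'   > "$tmp/root/usr/sbin/exim4"
    chmod 4755 "$tmp/root/usr/sbin/exim4"        # unexpected setuid bit
    {
        # constructed md5sums: correct hash for README, the hash of a
        # different ("original") body for exim4, and an entry for a file
        # that no longer exists
        printf '%s  usr/share/doc/exim4/README\n' \
            "$(md5sum "$tmp/root/usr/share/doc/exim4/README" | cut -d' ' -f1)"
        printf '%s  usr/sbin/exim4\n' \
            "$(printf 'original build\n' | md5sum | cut -d' ' -f1)"
        printf '%s  usr/sbin/removed-helper\n' \
            "$(printf 'removed-helper\n' | md5sum | cut -d' ' -f1)"
    } > "$tmp/exim4.md5sums"
    echo "== checksum verification =="
    verify_md5sums "$tmp/exim4.md5sums" "$tmp/root" || echo "(problems found)"
    echo "== setuid files =="
    list_setuid "$tmp/root"
    rm -rf "$tmp"
}

demo
```

On a live system the same functions would be pointed at /var/lib/dpkg/info/exim4-daemon-light.md5sums with ROOT left at /, but the md5sums list itself lives on the suspect disk, so compare against a copy of the .deb from a clean mirror (dpkg-deb --fsys-tarfile) or simply follow the advice that follows in the thread and rebuild from known good media.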
Andreas Metzler
2010-Dec-17 18:42 UTC
[Pkg-exim4-users] Urgent: Can't install security update after recent exploit
Sebastian Tennant <sebyte at smolny.plus.com> wrote:
> I've been bitten by the recent exploit (Bug 1044 / CVE-2010-4345).
> Here are the steps I've taken so far to try and rectify the situation:
> 1. Shut down exim4.
> 2. Removed the two attacker files /var/spool/exim4/s & /var/spool/exim4/s.c
> (both zero length at the time I discovered them and I had to 'chattr -ai'
> them before they would go away).
[...]

Hello,

the next step should be: Pull the network cable, zero the harddisk,
re-install from known good media or backup.

The safe assumption is to trust nothing on the system, the hacker could
have installed a rootkit, some backdoors, etc.

cu andreas