Re: [bitfolk] Scans attempting to exploit CVE-2019-10149 hav…

Author: phil
Date:  
To: Adam Spiers, Andy Smith
CC: Bitfolk users list
Subject: Re: [bitfolk] Scans attempting to exploit CVE-2019-10149 have been in the wild for some days
It's my VPS that seems to have been compromised. That's ruined my day - time to rebuild onto a new VPS!

June 23, 2019 10:47 AM, "Adam Spiers" <bitfolk@???> wrote:
> Phew... I think?! The depressing thing is that there's no way to know for sure whether I patched in
> time, even with things like rkhunter already in place. Thanks again to Andy, without whose warning
> I would definitely not have known to patch my exim quickly enough! I patched 15 days ago (7th
> June), and I see 15 remote exploit attempts in the rejectlogs from the last 7 days alone -
> unfortunately my logrotate already ditched logs from the previous week.
I actually patched at about 10:40 on the 6th (according to the email I got from apt-listchanges), so it must have been a very early compromise.

Whatever rootkit was installed generated no alerts on my tripwire configuration, but an LKM rootkit is intermittently showing up via chkrootkit. I'll be putting in a cron job on the new box to run that daily in the future, and will also look into rkhunter. It seems that you really can't be too careful - and I wasn't careful enough!

Another lesson I may take away from this is to keep my logs for longer - like others, mine only go back to the 14th. I might set up logrotate to email them to me in addition to rotate+compress, so I have longer offline storage. At the moment, I just have nothing to help me determine when the VPS was compromised. :-(

Anyway, I have a busy afternoon ahead of me!

Check your boxes, folks. And thanks to Andy for doing this check and letting me know!
Phil
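Two of the lessons in the message above (keep mail logs for much longer than the default rotation, and keep an offline copy so a later compromise can still be dated) translate into a small logrotate drop-in. The fragment below is an added illustration and not Phil's configuration or anything from the BitFolk list; the log paths follow the Debian exim4 layout, the `/etc/logrotate.d/exim4-longterm` file name, the 52-week retention and the `logs@example.org` mailbox are assumed values for the example, and the `mail`/`maillast` directives are standard logrotate options.

```conf
# /etc/logrotate.d/exim4-longterm (assumed file name; added example, not from the original thread)
# Keeps a year of weekly exim logs on the box and mails each log file to an
# off-box mailbox just before logrotate would delete it, so the evidence
# survives even if the VPS itself has to be rebuilt.
/var/log/exim4/mainlog /var/log/exim4/rejectlog /var/log/exim4/paniclog {
    weekly
    rotate 52             # keep 52 rotated copies (about a year) instead of the default handful
    compress
    delaycompress         # leave the most recent rotated file uncompressed for exim's own writes
    missingok
    notifempty
    create 640 Debian-exim adm
    mail logs@example.org # assumed address: a mailbox that is NOT on this VPS
    maillast              # mail the copy that is about to be discarded, so nothing is lost
}
```

The point of `maillast` rather than `mailfirst` is that the on-box copy still exists for the whole retention window and the off-box copy is only sent when local deletion is imminent; if the box is compromised, the attacker cannot shorten the off-box history by truncating what is on disk. On Debian the daily chkrootkit run mentioned in the message needs no extra cron job: installing the `chkrootkit` package and setting `RUN_DAILY="true"` in `/etc/chkrootkit.conf` enables the packaged `/etc/cron.daily/chkrootkit` job.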