Debian Configuration :: Root Attacks Due To Security Breach In Exim4?

Jan 21, 2011

My debian server has been attacked due to a security breach in exim4 4.69-9 (probably applies to loads of other versions too). The security breach allows the attacker to get root access by creating a buffer overflow in a header which then can be used to inject code.

[URL]

The security breach is fixed with 4.69-9+lenny1. I want to share my actions with you on what I did to (hopefully) get rid of it. However, at the time of writing this, the above website is down due to too much load (DDOS attack?). How you can check if you've been attacked:

The attack creates a buffer overflow in exim4, which results in paniclog entries.

$ cat /var/log/exim4/paniclog
2010-12-17 07:34:11 string too large in xxxyyy()
2010-12-19 10:42:10 string too large in xxxyyy()

This would be an example of two attacks: one on 2010-12-17 and the other two days later, on 2010-12-19. With this information you can start to find potentially infected files. There may be a better way, but I searched for them with this command:

$ find / -mtime 31 2>/dev/null # files,directories,links created 31 days ago (i.e. 2010-12-17)

My infected files:

/usr/bin/uptime
/usr/bin/pwdx
/usr/bin/slabtop

[code]....


Ubuntu Security :: Rkhunter/ Chkrootkit And Exim4 - Installing Progs On Lucid It Comes With Exim4?

May 7, 2010

When installing these progs on Lucid it comes with exim4, I noticed this in the terminal output. What has exim4 to do with rkhunter and/or chkrootkit?


Debian Configuration :: Exim4 Configuration For Local Addresses

Jun 17, 2010

I am working on a Debian 2.6.26-19 Distribution with exim4 as MTA. After a system restart a problem occurred with delivering emails to local addresses. These local addresses use a 1and1 mailserver for email. The MX records for the local domain are set correctly but exim does not use a DNS lookup for these addresses because it identifies them as local addresses. I figured this out by executing the exim4 -d -bt command. The dns lookup part of the result looks like this (I replaced the actual address with placeholders):

[Code]....

The eventual result of the exim4 -d -bt command is: [user]@[domain.ext] is undeliverable: Unrouteable address. How can I make sure that exim4 makes a DNS lookup for the local addresses instead of skipping it? I know that I have to edit an exim4 configuration file, but I could not figure out which and how.


General :: Debian & Exim4 Configuration Php Mail

Aug 27, 2010

Linux [URL] 2.6.26-2-686 #1 SMP Wed Feb 10 08:59:21 UTC 2010 i686 GNU/Linux. Currently I have exim4 configured to use my mail server as a relay to send php emails. Though I don't think I want this setup. My goal is to be able to track emails sent out to make sure that nothing happened and they got bounced back. I need to be able to find the emails that are bounced.

If I configure exim4 to send emails from the current (apache2 / php) server any emails that bounce will end up there, correct? We have clients that are expecting emails and are complaining they do not always get them so something is not 100% configured correctly. I am going to re-run #dpkg-reconfigure exim4-config


Debian Configuration :: Exim4 Public Not Requiring Any Authentication

Jul 9, 2015

I've installed it properly until it works now, it does send emails and receive them, but here's the problem.

1) It does not send emails to a certain domain, unless I do dpkg-reconfigure on exim4 and put the domain on allowed relay... can't I just put something in the settings which allows sending emails to ALL domains?

2) EVERYONE can connect to the server by telnet from any position, terminal or PC, and just use an existing user to send emails to anyone.... For example, I have testuser123 set up in debian/exim4 .. then they simply write "mail from:testuser123@host.dot" and the server accepts it.. without even requesting an authentication for that. And this is a problem, because everyone can use my email addresses to send emails to whoever.. heaven for spammers/hackers..


Debian Configuration :: Exim4 With Domain In Local Network

Sep 3, 2015

I'm trying to set up a *simple* MTA in my local network. The only thing it should be able to do is send system / daemon mails to admin@mylocaldomain. But at the moment I'm pretty much overwhelmed by everything I *should* know in order to set up this MTA.

my infrastructure:

- servers:
* test01.mylocaldomain --> should send mails (with exim) to admin@mylocaldomain
* dns01.mylocaldomain --> dns-server
* mail.mylocaldomain --> mail-server (postfix / iredmail package)

I configured exim to be in "internet" mode. Now I have a variety of errors I can choose from (and a variety of solutions that I don't like).. my test is always an email from test01.mylocaldomain:

echo "Hello World" | mail -s Testmail admin@mylocaldomain

- after running the config, I get the error: admin@mylocaldomain: all relevant MX records point to non-existent hosts --> google says, edit and update update-exim4.conf.conf --> dc_relay_domains='mylocaldomain' --> but this exim installation should not be a relay at all. It should only be able to SEND (to this domain), not deliver it. Or do I get something wrong?

- after I added dc_relay_domains='mylocaldomain', I get --> SMTP error from remote mail server after RCPT TO:<admin@mylocaldomain>: host mail.mylocaldomain [192.168.x.x]: 550 5.1.1 <root@mylocaldomain>: Sender address rejected: User unknown in virtual mailbox table --> but I don't want to create an account on the mailserver for the SENDER...

- ...so I thought I'd configure exim with the domain "test01.mylocaldomain" (including the server name), so that the sender is clearly from another domain than the mail server handles (e.g. user@test01.mylocaldomain).. but then I get this --> SMTP error from remote mail server after RCPT TO:<admin@mylocaldomain>: host mail.mylocaldomain [192.168.x.x]: 450 4.1.8 <root@test01.mylocaldomain>: Sender address rejected: Domain not found

I really just wanna send mails in my local network.


Security :: Mod_security And PCI-DSS Compliance With Breach Security's Enhanced Rule Set

Jul 19, 2010

Currently I'm looking into implementing mod_security on all our apache servers. The installation on CentOS 5.5 comes directly with the "Core Rule Set" by the mod_security devs (curiously Debian and Ubuntu do not carry these). They also offer the Enhanced Rule Set for mod_security in a commercial package [URL]. The main point there in their info link is the first point:

Quote:

Tracking Credit Card Usage as required by the Payment Card Industry Data Security Standard

However, acc. to this wiki article ( http://en.wikipedia.org/wiki/Payment...urity_Standard ) that specific requirement isn't stated anywhere, and my colleague who's working on the PCI-DSS compliance for our code/servers/etc. mentioned that he hasn't heard of this specific requirement either. So my question would be if anyone has any experience with their ERS package and if it's needed for the PCI-DSS compliance compared to the requirements given in bullet points in the wiki article.


Ubuntu Security :: Tor Users Urged To Update In Wake Of Breach

Jan 21, 2010

If you use Tor, you're cautioned to update now due to a security breach. In a message [URL] on the Tor mailing list dated Jan 20, 2010, Tor developer Roger Dingledine outlines the issue and why you should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha now: "In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we'd recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers." Tor users should visit the download page and update ASAP! [URL]


Ubuntu :: Massive Security Breach - Login Screen Lost

Jun 30, 2010

I've had a password on my 10.04 installation since I installed it (when it was released) and since last week it has disappeared. My computer seems to log in automatically. When I check the login screen settings, it is set to "show the screen for choosing who will log in".


Security :: HOW TO Protect From VPN Attacks

Jun 1, 2011

I would like to know how to protect networks against VPN attacks? How do big industries do it? What does the government tend to use? Are there any open source tools that I may get?


Security :: How To Find The Trace Of The Attacks

Dec 30, 2008

I fear that an attack or an entry into my PC has occurred. How do I find the trace of the attacks?


Security :: Prevent Ddos Apache Attacks?

Jan 25, 2011

Recently my Apache server crashes very often; by watching the error log, I've noticed several signs of intrusion. So, I think the problem can be a denial of service attack against my machine. My distribution is Debian Lenny.


Ubuntu Security :: Block PHP Injection Attacks With Fail2ban

Apr 12, 2010

I'm trying to implement this method to block php injection attacks using fail2ban: here it is, however I'm not sure it applies to Ubuntu. You see, there's this filter that must be added to the fail2ban jail file:

Code:
[php-url-fopen]
enabled = true
port = http,https
filter = php-url-fopen

[Code]....


Ubuntu Security :: SSH Pubkey Authentication And MITM Attacks

Jan 6, 2011

Given that my public key is a pre-shared secret, is sshd made in a way that this negates the possibility of a man in the middle attack? In other words, if the known_hosts file were to be deleted, would it be safe to ignore the fingerprint of a server that already has my public key in authorized_keys?


Security :: Researchers Working Toward Processor-Specific Attacks?

Nov 10, 2010

With the disappearance of an OS monoculture, attackers would do well to find attacks that are neither OS nor application specific. One way to do that, of course, is to target attacks at hardware, rather than software. Now research out of France's École Supérieure d'Informatique, Électronique, Automatique (ESIEA) moves a step closer to that goal: identifying a method for isolating the processor used by anonymous systems for the purpose of subverting that hardware.


Security :: Advanced Firewall And Testing - Block Certain Kinds Of Attacks?

Dec 14, 2010

I launched my website. At the moment the site has a firewall (iptables) enabled with very simple rules. All incoming traffic is blocked, except for the ports http and ssh. Everything is working perfectly, but I also want to be able to block certain kinds of attacks. There are some really good examples on the internet, but I don't know if they contain all kinds of attacks which are relevant to my situation. To be clear, I only serve web content through port 80 and use ssh to remote login.


Ubuntu Security :: Pen Test IIS - Methods To Simulate Attacks To Check HIPS Detects?

Jan 27, 2011

I need to do a pentest on a Microsoft IIS webserver to test the efficiency of the HIPS I have installed on it. Are there methods to simulate attacks so that I can check if the HIPS will detect them?


Security :: My Server - Deb5 And Plesk10 - Is Involved - Causing - In Brute Force Attacks

May 6, 2011

I am ashamed that I am causing other people troubles, but apparently my server is involved in attacking the servers of other people.

I have to admit that I am not too familiar with using a CLI, or Linux for that matter, but I have a Debian server running under Plesk 10, which is colocated.

Now I have received messages from the datacenter which state that my server is involved in brute force attacks.

The messages show a lot of lines like this:

Code:

The only thing I get from my hoster is to back up all domains and re-install the machine.

I want to resolve this asap, but do not agree with that action for two reasons: the machine just had a fresh re-install 2 months ago, so if it is a flaw in the OS, I will get the same flaw back, and if it is not OS related but due to a domain, I will get the problem back by putting back the backed-up domains.

But now I'm stuck: what steps should I follow to try and find the cause of this evil and make sure that my machine will not bother other machines anymore?

I realize that this probably will be a steep learning curve, but please bear with me and help me to resolve this.

What have I done so far?

1) There are a number of live sites on this server, either running WordPress or Joomla, I have made sure they are all updated to the latest release.

2) I have manually looked at the source code of the index-files of those sites, haven't seen anything strange, like redirects.

3) I have used online scanners to check all sites for malware, all have been reported back to be clean.

4) I have run the Plesk-version of RKhunter, and that gives me certain warnings which I cannot (or do not) understand:

Code:

Code:

Code:

I received the first report of these attempts about a week ago and immediately changed the Plesk/SSH password to a 200bit password generated with KeePass, hoping that would keep out any evildoers.


Debian :: How To Remove Exim4

May 20, 2011

I'm running a Squeeze minimal install. I don't need exim4, which got installed with the base net-install (I think). So I did

#apt-get remove exim4

and it said it had done it. However, recently I noticed during bootup that there was a line that said "Starting MTA: exim4". Then, another time I did apt-get update and apt-get upgrade, and it wanted to upgrade three exim4 packages. So I thought "Hmm- exim4 must have come back." However, apt-get remove exim4 gets a "It ain't installed" (or words to that effect) response. "Find exim4" gets a list of about 40 files, including /usr/sbin/exim4, /usr/lib/exim4/ /usr/share/exim4, /etc/init.d/exim4, and a whole raft of config and man files. I've done apt-get purge exim4, and I'm now at my wits' end- what on earth is going on? Can't apt-get do it? Might Aptitude (never used it) do it? (Don't have Synaptic installed- I try to keep as minimal as possible, it's an old machine.)


Debian :: Protection Against Incoming Attacks?

Mar 5, 2011

I'm using Debian 6 to host a website (with apache2) and a game server. But because of attacks on my server, my hosting company has now set it offline.

These are the two logs that they provided (I replaced all IPs):
Direction IN
Internal ***.***.***.***

[code]....


Debian :: Access Rights /var/log/exim4?

Jun 13, 2010

Having never used it, I did an apt-get remove --purge exim4 this morning. Deborphan doesn't show any orphaned packages. But I see a 44K file lingers, as per below.

rooster@royrogers:~$ su
Password:

[code]....


Debian :: Aliases Not Working In EXIM4?

Oct 28, 2010

I recently P2V'd a debian box, and the aliases file (/etc/aliases) is no longer working. As the physical machine is still working, this machine has been renamed to buzz1 [from buzz].

I changed /etc/mailname, /etc/exim4/update-exim4.conf.conf [and ran the update-exim4.conf script] and also ran newaliases. However, it still does not seem to be applying the aliases file:

Live Physical Machine:
buzz:~# exim -bt root@buzz.domain.com
R: system_aliases for root@buzz.domain.com
R: smarthost for cronjobs@domain.com cronjobs@domain.com
<-- root@buzz.domain.com

[Code]....


Debian Configuration :: Only Root Can See Scanner?

Aug 20, 2010

Having successfully installed SANE and gotten a scan from my ancient Mustek scanner, I thought I had it set up. But that was running in the root terminal window. When I try to run xscanimage from GIMP in my normal user account it doesn't start up. Running xscanimage in a normal terminal, it says it can't see any scanners. Yes, I added my user account to the scanner group. What else needs to be done to let a normal non-root user access the scanner?


Debian :: [Exim4] Remove Header Lines Matching Received Client Ip?

Oct 14, 2009

Using exim4 only for sending email (SMTP).

I'd like to use Exim to remove the line header:
Received: from [111.111.111.111]
by HOSTNAME with esmtp (Exim 4.69)

What setting should I use, and where should I put it in the exim4 configuration file (transport, router etc.)?


Debian Configuration :: How To Auto-start GUI As Root

Sep 28, 2015

I have a "time-server". It's sending time to different devices through different ports/protocols. The problem is that it has no operator and that makes some extra difficulties.

Now when I try to start it using the terminal,

Code:
sudo ./myprogram

works fine and

Code:
./myprogram

doesn't work.

It is so because without sudo I have no access to the ports. As a result, if I add my program to System->Preferences->Startup Applications it has the same problem. So I need to start it as root, auto-start, right after auto-login to the system but without entering a password, because nobody will do it.

Also I need to start ntpd, but it also asks for a password sometimes. I've tried Google, but it offers a few ways that involve entering a password, which isn't suitable for me, or writing some scripts/changing system files, but with no example I'm afraid to break it all. So is there a way to start Myprogram and NTPD as root with no password entering?

My system is Debian 6.0.10 Squeeze, Kernel 2.6.32-5-686


Debian Configuration :: Can Only Suspend / Hibernate As Root

Oct 28, 2015

Installed Debian 8.2 a while back, and I've been having issues with getting the machine to suspend correctly. If I try to put it to sleep when logged in to my regular user account the screen just goes black and then the computer hangs. However if I put it to sleep as root everything works fine. I do this by running this command (as root):

Code:
systemctl suspend

What can I do about this? Worked fine on Debian wheezy..

Btw, just found this in the dmesg log. Connected perhaps..?

Code:
[    6.863018] ACPI Warning: SystemIO range 0x00000000000018e0-0x00000000000018ff conflicts with OpRegion 0x00000000000018e0-0x00000000000018ef (\_SB_.PCI0.SBUS.SMBI) (20140424/utaddress-258)
[    6.863028] ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver


Debian Configuration :: Root Drive Full

Jan 27, 2016

I think my root drive is 100% full causing strange problems with my video server. What steps can I use to see what's taking up the room on the drive and perhaps identify files that can safely be deleted?

Code:
root@lenny:/# df -h
Filesystem               Size  Used Avail Use% Mounted on
/dev/sda2                 55G   53G     0 100% /
udev                      10M     0   10M   0% /dev
tmpfs                    793M  1.1M  792M   1% /run

[code]...


Debian Configuration :: Root Password Debootstrap And Ssh

Feb 11, 2010

For my dissertation I created a debootstrap install of Lenny. When I boot this system I can just log in as root without a password. When I want to ssh to this machine with the debootstrap install I can't just log in as root. I'm asked for a password which I don't have.

So I created one with passwd root and after that I can connect to the machine with ssh and the given password. But the machine still logs in without a password.


Debian Configuration :: Gksu/su-to-root To Run In Terminal Possible?

Jan 17, 2011

I'm configuring some security and I'd like to run arpon on a specific device every time wicd connects. So, if Wicd connects to a wireless network, I'd launch gksu arpon -d -i eth2 (for example). But this doesn't work, because it seems that gksu only works for X apps.

I found that if I do: gnome-terminal -e 'sudo arpon -d -i eth2' it works, but it leaves me with a terminal window open, and I'd like to be asked for a password gksu style.

I've also tried this: gksu -- arpon -d -i eth2 which also works, but the program quits right after it's started. Am I missing something here?


Debian Configuration :: Allow Root Login In Gnome?

Feb 17, 2011

We have set up Squeeze on a test machine, just for some tests, without network, Internet etc., and we need to allow root login in Gnome.
We've changed /etc/gdm3/daemon.conf:

[security]
AllowRoot=true

but it still doesn't work.
