lists.aq.org and polyboston.org temporarily down

Jan 09, 2011 12:19

Hi. This does NOT affect my personal mail, or the personal mail of other individuals with @aq.org addresses.

lists.aq.org and polyboston.org are temporarily down due to a break-in. Unfortunately, I wasn’t able to spend the time to fix things when I found out, so I just shut the server down. I’ll be able to look at it tonight and I’m pretty sure I’

tech, psa

Comments 5

chienne_folle January 9 2011, 20:56:34 UTC
Ick. Sorry you have this to deal with!

beowabbit January 10 2011, 07:14:41 UTC
Thanks! Have made enough progress to go to bed.

darxus January 14 2011, 21:03:56 UTC
What vulnerability?

beowabbit January 19 2011, 15:41:02 UTC
I don’t have the CVE links handy, but an Exim vulnerability that allows a very long header to write to any place Exim can write to, and then invoke Exim with the resulting file as a config file -- so essentially it gets you remote root. I haven’t done forensics yet on the old image, but what called my attention to it was segfaults in normal commands called out of cron, so there was clearly a rootkit on it.

darxus January 19 2011, 18:12:42 UTC
Ewww. Thanks. I'm... displeased that I managed to not be aware of that.

The first several hits here are relevant: http://www.google.com/search?q=exim+vulnerability

And: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2023

I had even opened the email from debian-security-announce about it, but apparently haven't been paying enough attention to them.
