Patch your exim servers, people

It’s real.

Remotely using the exploit does not require holding a connection open for 7 days.

Part of my job involves helping other people manage their exim servers.

From the proof of concept that Qualys released, I was able to perform a remote exploit against a very common exim configuration used on hundreds of thousands (if not millions) of servers within just a few minutes of testing.

The worm they describe is very real, and has been a nightmare to deal with at work because so many people have unpatched servers. I’ve personally seen dozens of these compromised servers. They’re all the same, down to the cron jobs, malware binary /usr/bin/[kthrotlds], removed all keys from /root/.ssh/authorized_keys except their own + chattr the file, and some other stuff (like malware at /root/.cache/.ntp IIRC).
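The indicators listed above (the `[kthrotlds]` binary, the `.cache/.ntp` drop, the immutable `authorized_keys`, the cron jobs) can be turned into a quick, read-only triage check. The script below is an added example and is not part of the original post or of the Qualys proof of concept. It assumes only the paths named in the post; the directory-prefix argument (so it can be pointed at `/` on a live host or at a mounted image) and the function names are my construction, and the demo tree it builds is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): read-only triage for the
# post-compromise indicators the post lists. ROOT is a directory prefix,
# so the same function works on "/" (live host, run as root) or on a
# mounted image such as /mnt/image. Assumed indicator paths come from the
# post; nothing beyond them is claimed.

check_exim_worm_iocs() {
    root="${1:-}"
    hits=0

    # 1. Malware binary /usr/bin/[kthrotlds] (the brackets are part of the name).
    if [ -e "$root/usr/bin/[kthrotlds]" ]; then
        echo "HIT: $root/usr/bin/[kthrotlds] exists"
        hits=$((hits + 1))
    fi

    # 2. Dropped file under /root/.cache/.ntp.
    if [ -e "$root/root/.cache/.ntp" ]; then
        echo "HIT: $root/root/.cache/.ntp exists"
        hits=$((hits + 1))
    fi

    # 3. authorized_keys: report key count for review, and flag chattr +i
    #    (immutable) if lsattr is available; skipped silently otherwise.
    ak="$root/root/.ssh/authorized_keys"
    if [ -f "$ak" ]; then
        n=$(grep -c -E '^(ssh-|ecdsa-|sk-)' "$ak" 2>/dev/null || true)
        echo "INFO: $ak holds ${n:-0} key(s); review any you do not recognise"
        if command -v lsattr >/dev/null 2>&1; then
            if lsattr -d "$ak" 2>/dev/null | awk '{print $1}' | grep -q i; then
                echo "HIT: $ak is immutable (chattr +i)"
                hits=$((hits + 1))
            fi
        fi
    fi

    # 4. Cron entries that reference either malware path.
    for f in "$root/etc/crontab" "$root/etc/cron.d"/* \
             "$root/var/spool/cron"/* "$root/var/spool/cron/crontabs"/*; do
        [ -f "$f" ] || continue
        if grep -Eq 'kthrotlds|\.cache/\.ntp' "$f"; then
            echo "HIT: suspicious cron entry in $f"
            hits=$((hits + 1))
        fi
    done

    echo "indicators found: $hits"
    [ "$hits" -eq 0 ]   # exit status 0 = clean, 1 = something to look at
}

# Constructed sample tree that mimics the layout described in the post,
# so the check can be exercised offline without a compromised host.
make_constructed_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/usr/bin" "$t/root/.cache" "$t/root/.ssh" "$t/etc/cron.d"
    : > "$t/usr/bin/[kthrotlds]"
    : > "$t/root/.cache/.ntp"
    echo "ssh-ed25519 AAAAC3constructedKeyForDemoOnly attacker@example" \
        > "$t/root/.ssh/authorized_keys"
    echo "* * * * * root /usr/bin/[kthrotlds]" > "$t/etc/cron.d/update"
    echo "$t"
}

# Stand-alone demo against the constructed tree; on a real host you would
# call: check_exim_worm_iocs /      or      check_exim_worm_iocs /mnt/image
tree=$(make_constructed_tree)
check_exim_worm_iocs "$tree" || true
rm -rf "$tree"
```

The check only reads; it does not delete or alter anything, and an immutable `authorized_keys` on a box you did not `chattr` yourself is worth treating as a signal in its own right even when the other artifacts have been cleaned up.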
