LinuxQuestions.org


wulu 02-12-2011 04:12 AM

Exim logs spammed with large headers
 
Has anybody else seen this kind of attack?
I see those messages on 2 exim mailservers.
Looks as if someone is sending a 50MB mail header :S
What is their goal, apart from increasing my traffic?


Code:

2011-02-12 07:48:53 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=ns33.medialook.net [91.121.108.5] input="GET / HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\nAccept-Encoding: gzip, deflate\r\nUser-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_1_3 like Mac "
2011-02-12 07:48:58 1Po9Hp-0006ZP-G0 rejected from <root@local.com> H=ns33.medialook.net (welcome.com) [91.121.108.5]: message too big: read=52719201 max=52428800
Envelope-from: <root@local.com>
Envelope-to: <postmaster@localhost>
  Header0000: VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
  Header0001: VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
...
  Header0054: VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV
*** truncated ***

Code:

zgrep welcome.com mainlog*
2011-02-12 07:48:58 1Po9Hp-0006ZP-G0 rejected from <root@local.com> H=ns33.medialook.net (welcome.com) [91.121.108.5]: message too big: read=52719201 max=52428800
2011-02-12 07:48:58 unexpected disconnection while reading SMTP command from ns33.medialook.net (welcome.com) [91.121.108.5]
2011-02-10 14:16:19 1PnWNa-00015o-4y rejected from <root@local.com> H=ns33.medialook.net (welcome.com) [91.121.108.5]: message too big: read=52718801 max=52428800
2011-02-10 14:16:19 unexpected disconnection while reading SMTP command from ns33.medialook.net (welcome.com) [91.121.108.5]
2011-02-10 15:38:09 1PnXek-00027J-Vk rejected from <root@local.com> H=vs242106.vserver.de (welcome.com) [62.75.242.106]: message too big: read=52720199 max=52428800
2011-02-10 15:38:09 unexpected disconnection while reading SMTP command from vs242106.vserver.de (welcome.com) [62.75.242.106]
2011-02-09 19:46:02 1PnF2d-0001VM-BG rejected from <root@local.com> H=usloft2185.serverloft.com (welcome.com) [173.224.120.221]: message too big: read=52719791 max=52428800
2011-02-09 19:46:03 unexpected disconnection while reading SMTP command from usloft2185.serverloft.com (welcome.com) [173.224.120.221]
2011-02-09 22:07:30 1PnHFx-0003NG-1Z rejected from <root@local.com> H=usloft2185.serverloft.com (welcome.com) [173.224.120.221]: message too big: read=52719791 max=52428800
2011-02-09 22:07:30 unexpected disconnection while reading SMTP command from usloft2185.serverloft.com (welcome.com) [173.224.120.221]
2011-02-08 22:44:45 SMTP connection from mail.parkcityhotel.ru (welcome.com) [193.138.176.4] lost while reading message data
2011-02-09 02:24:56 1PmxvT-0001Pt-PE rejected from <root@local.com> H=(welcome.com) [222.233.232.68]: message too big: read=52719018 max=52428800
2011-02-09 02:25:10 unexpected disconnection while reading SMTP command from (welcome.com) [222.233.232.68]
2011-02-06 07:27:02 1Ply5J-0000KI-2X rejected from <root@local.com> H=mailer0.quintessentially.com (welcome.com) [94.76.206.38]: message too big: read=52720791 max=52428800
2011-02-06 07:27:02 unexpected disconnection while reading SMTP command from mailer0.quintessentially.com (welcome.com) [94.76.206.38]
2011-02-06 13:52:52 1Pm46E-0006c7-68 rejected from <root@local.com> H=(welcome.com) [91.206.30.142]: message too big: read=52720819 max=52428800
2011-02-06 13:52:53 unexpected disconnection while reading SMTP command from (welcome.com) [91.206.30.142]
2011-02-05 12:30:56 1PlgLr-0000WM-7f rejected from <root@local.com> H=mailer0.quintessentially.com (welcome.com) [94.76.206.38]: message too big: read=52720191 max=52428800
2011-02-05 12:30:56 unexpected disconnection while reading SMTP command from mailer0.quintessentially.com (welcome.com) [94.76.206.38]
2011-02-05 13:51:38 1Plhbx-0001Y4-Ce rejected from <root@local.com> H=mailer0.quintessentially.com (welcome.com) [94.76.206.38]: message too big: read=52721991 max=52428800
2011-02-05 13:51:38 unexpected disconnection while reading SMTP command from mailer0.quintessentially.com (welcome.com) [94.76.206.38]
2011-02-04 16:13:50 1PlNLr-0006yE-Ou rejected from <root@local.com> H=mapscomm.com (welcome.com) [74.50.51.190]: message too big: read=52719207 max=52428800
2011-02-04 16:13:50 unexpected disconnection while reading SMTP command from mapscomm.com (welcome.com) [74.50.51.190]
2011-02-03 16:16:06 1Pl0ue-00023L-Oz rejected from <root@local.com> H=vs209185.vserver.de (welcome.com) [62.75.209.185]: message too big: read=52720799 max=52428800
2011-02-03 16:16:06 unexpected disconnection while reading SMTP command from vs209185.vserver.de (welcome.com) [62.75.209.185]
2011-02-03 19:19:07 1Pl3lm-0004Ps-Ki rejected from <root@local.com> H=mailer0.quintessentially.com (welcome.com) [94.76.206.38]: message too big: read=52720391 max=52428800
2011-02-03 19:19:07 unexpected disconnection while reading SMTP command from mailer0.quintessentially.com (welcome.com) [94.76.206.38]
2011-02-03 23:57:06 1Pl86n-0008Q4-F4 rejected from <root@local.com> H=dl169.dinaserver.com (welcome.com) [82.98.141.32]: message too big: read=52720199 max=52428800
2011-02-03 23:57:06 unexpected disconnection while reading SMTP command from dl169.dinaserver.com (welcome.com) [82.98.141.32]

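A small parser for the two mainlog line types quoted above, written here as an added example (not code from the thread or from Exim). It runs over constructed sample lines modelled on the post, treats the repeated HELO name `welcome.com` and envelope sender `root@local.com` as the campaign signature, and reports how far past `message_size_limit` each sender pushed before the rejection; the IPs and message ids of the benign last line are made up.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the mainlog lines quoted in the post; the
# last line is a benign oversize rejection from a made-up host.
SAMPLE_LOG = """\
2011-02-12 07:48:53 SMTP protocol synchronization error (input sent without waiting for greeting): rejected connection from H=ns33.medialook.net [91.121.108.5] input="GET / HTTP/1.1"
2011-02-12 07:48:58 1Po9Hp-0006ZP-G0 rejected from <root@local.com> H=ns33.medialook.net (welcome.com) [91.121.108.5]: message too big: read=52719201 max=52428800
2011-02-09 02:24:56 1PmxvT-0001Pt-PE rejected from <root@local.com> H=(welcome.com) [222.233.232.68]: message too big: read=52719018 max=52428800
2011-02-10 15:38:09 1PnXek-00027J-Vk rejected from <root@local.com> H=vs242106.vserver.de (welcome.com) [62.75.242.106]: message too big: read=52720199 max=52428800
2011-02-11 09:00:00 1PnYYY-000000-AA rejected from <bob@example.org> H=mx.example.org (mx.example.org) [198.51.100.7]: message too big: read=60000000 max=52428800
"""

# H= is "host (helo) [ip]" or just "(helo) [ip]"; a client that talks before
# the banner (here an HTTP request aimed at port 25) logs a synchronization error
TOO_BIG = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<id>\S+) rejected from <(?P<sender>[^>]*)> "
    r"H=(?:(?P<host>\S+) )?\((?P<helo>[^)]*)\) \[(?P<ip>[^\]]+)\]: "
    r"message too big: read=(?P<read>\d+) max=(?P<max>\d+)$"
)
SYNC_ERR = re.compile(
    r"^(?P<ts>\S+ \S+) SMTP protocol synchronization error .*?"
    r"rejected connection from H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]"
)

def parse_mainlog(text):
    """Return event dicts for the two line types shown in the thread (Python 3.8+)."""
    events = []
    for line in text.splitlines():
        if (m := TOO_BIG.match(line)):
            e = dict(m.groupdict(), kind="too_big")
            e["read"], e["max"] = int(e["read"]), int(e["max"])
            events.append(e)
        elif (m := SYNC_ERR.match(line)):
            events.append(dict(m.groupdict(), kind="sync_error"))
    return events

def campaign_summary(events, helo="welcome.com", sender="root@local.com"):
    """Group oversize rejections by (HELO, envelope sender): the thread's signature
    is one HELO/sender pair from many unrelated IPs, each stopping just past the limit."""
    by_sig, overshoot = defaultdict(set), {}
    for e in events:
        if e["kind"] == "too_big" and e["read"] > e["max"]:
            by_sig[(e["helo"], e["sender"])].add(e["ip"])
            overshoot[e["ip"]] = e["read"] - e["max"]
    flagged = sorted(by_sig.get((helo, sender), ()))
    return {"flagged_ips": flagged,
            "max_overshoot_bytes": max((overshoot[ip] for ip in flagged), default=0),
            "sync_error_ips": sorted({e["ip"] for e in events if e["kind"] == "sync_error"})}
```

Run it over a real mainlog (`zgrep -h welcome.com mainlog* | python3 -` style) to get the per-IP list and the overshoot, which in the quoted lines is a few hundred KB over the 50MB limit on every attempt.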

wulu 02-12-2011 05:53 AM

Guess I found it.

CVE-2010-4344 Exim remote code execution flaw
CVE-2010-4345 Exim privilege escalation

Only applies to Exim versions prior to 4.70.

http://www.exim.org/lurker/message/2...32d4f2.en.html

http://www.cvedetails.com/cve/CVE-2010-4344/

unSpawn 02-12-2011 06:02 AM

Thanks for posting back your findings! (I marked the thread solved.)

Noway2 02-12-2011 06:05 AM

Were you running a version prior to 4.70?
If so, and this has corrected your problem, would you please mark the thread as solved? Otherwise, if you are still having problems, we can start looking for other causes. As you have noticed, there is an active thread or two regarding exim exploits. If these upgrades didn't fix your problem, your contribution to the investigation might be beneficial.

Edit: already marked solved.

unSpawn 02-12-2011 06:08 AM

Quote:

Originally Posted by Noway2 (Post 4255982)
Otherwise, if you are still having problems, we can start looking for other causes. As you have noticed, there is an active thread or two regarding exim exploits. If these upgrades didn't fix your problem, your contribution to the investigation might be beneficial.

I agree (and next time I'll wait before marking it solved a wee bit longer).

@wulu: please see http://www.linuxquestions.org/questi...eaders-837856/

