Now mostly on Facebook (and rarely caught up even there)
lists.aq.org and polyboston.org temporarily down 
9th-Jan-2011 12:19 pm
Geek: Mac 64
Hi. This does NOT affect my personal mail, or the personal mail of other individuals with @aq.org addresses.

lists.aq.org and polyboston.org are temporarily down due to a break-in. Unfortunately I wasn’t able to spend the time to fix things when I found out, so I just shut the server down. I’ll be able to look at it tonight and I’m pretty sure I’ll at least be able to get the mailing lists (if not the full polyboston.org web site) up fairly quickly.

(This was an oversight on my part; the break-in was due to a known vulnerability that I fixed systematically on my physical servers at home but neglected to fix on my colocated virtual server.)
9th-Jan-2011 08:56 pm (UTC)
Ick. Sorry you have this to deal with!

10th-Jan-2011 07:14 am (UTC)
Thanks! Have made enough progress to go to bed.
14th-Jan-2011 09:03 pm (UTC)
What vulnerability?
19th-Jan-2011 03:41 pm (UTC)
I don’t have the CVE links handy, but an Exim vulnerability that allows a very long header to write to any place Exim can write to, and then invoke Exim with the resulting file as a config file -- so essentially it gets you remote root. I haven’t done forensics yet on the old image, but what called my attention to it was segfaults in normal commands called out of cron, so there was clearly a rootkit on it.
19th-Jan-2011 06:12 pm (UTC)
Ewww. Thanks. I'm... displeased that I managed to not be aware of that.

The first several hits here are relevant: http://www.google.com/search?q=exim+vulnerability

And: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2023

I had even opened the email from debian-security-announce about it, but apparently haven't been paying enough attention to them.