
Update exim urgently to 4.92 - an active infection is in progress

Colleagues who run Exim versions 4.87 through 4.91 on their mail servers: update urgently to version 4.92, stopping Exim itself first so that it cannot be compromised via CVE-2019-10149 while you work.

Potentially several million servers worldwide are vulnerable; the vulnerability is rated critical (CVSS 3.0 base score 9.8/10). Attackers can run arbitrary commands on your server, in many cases as root.

Please make sure you are running the fixed version (4.92) or an already patched build.
Alternatively, patch the existing one; see the comment thread by immaculate.

Update for CentOS 6: see the comment by Theodor; for CentOS 7 it also works, unless Exim came directly from EPEL.

UPD: Ubuntu 18.04 and 18.10 are affected, and an update has been released for them. Versions 16.04 and 19.04 are not affected, provided no custom options are installed on them. More on their official website.

Information on the issue at Opennet
Information on the Exim website

The problem described there is now being actively exploited (by a bot, I suppose); I noticed an infection on several servers running 4.91.

Further reading is relevant only for those who have already been "hit": either move everything to a clean VPS with fresh software, or look for a cure. Shall we try? Write if anyone manages to overcome this malware.

If you are an Exim user reading this and still have not updated (you have not confirmed that 4.92 or a patched version is installed), please stop here and go update.

For those already hit, let's continue ...

UPD: supersmile2009 found another type of malware and gives sound advice:
There can be a great many kinds of malware. By starting the cure without having cleaned the queue, the user will not be cured and may not even know what he needs to be treated for.


The infection is noticeable like this: [kthrotlds] loads the processor; on a weak VDS to 100%, on servers less so, but still noticeably.

After infection, the malware deletes the entries in cron, registering only itself there to launch every 4 minutes, and makes the crontab file immutable. crontab -e cannot save changes and gives an error.

The immutable flag can be removed, for example like this, and then the malicious command line (1.5 KB) deleted:
chattr -i /var/spool/cron/root
crontab -e

in crontab (vim): dd to delete the line, then :wq



Check for wget (or curl) processes and stop them (the bracket in wge[t] keeps grep from matching its own command line):

ps aux | grep wge[t]
ps aux | grep cur[l]
echo "Stopping..."
kill -9 `ps aux | grep wge[t] | awk '{print $2}'`
kill -9 `ps aux | grep cur[l] | awk '{print $2}'`


(CentOS): /usr/local/bin/nptd… (shell).


UPD 1: (with chattr -i) /etc/cron.d/root, /etc/crontab, rm -Rf /var/spool/cron/root (bin-).

UPD 2: search for files by exact size (19825 bytes):
find / -size 19825c

UPD 3: selinux; the SSH keys in ${sshdir}/authorized_keys; /etc/ssh/sshd_config, with these options set to yes:
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
echo UsePAM yes
PasswordAuthentication yes
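To make the checks above repeatable, here is an added example (not code from the original post or from any commenter) that turns the indicators listed so far into small shell helpers: the affected Exim version range, the [kthrotlds]/wget/curl processes, the immutable crontab, and the sshd_config options switched to yes. Every helper takes its input as a string, so it can be run on captured output as well as on a live host; the SAMPLE_* values are constructed and do not come from a real infection.

```shell
#!/bin/sh
# Added example, not code from the original post: triage helpers for the
# indicators the post lists. Each helper takes its input as a string so it
# can be run on captured output; the SAMPLE_* values below are constructed.

# True (exit 0) when the version is in the affected range 4.87 ... 4.91.
# Accepts either "4.91" or the first line of `exim --version`.
exim_version_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*[Ee]xim version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || ver=$1
    major=${ver%%.*}
    minor=${ver#*.}
    minor=${minor%%[!0-9]*}       # "92.1" -> "92"; non-numeric -> ""
    if [ "$major" = 4 ] && [ -n "$minor" ] && [ "$minor" -ge 87 ] && [ "$minor" -le 91 ]; then
        return 0
    fi
    return 1
}

# Prints the PIDs from `ps aux` output whose command (11th column) is one of
# the names the post associates with the infection.
suspicious_pids() {
    printf '%s\n' "$1" | awk '
        NR > 1 {
            cmd = $11
            sub(/.*\//, "", cmd)          # /usr/bin/wget -> wget
            if (cmd == "[kthrotlds]" || cmd == "wget" || cmd == "curl") print $2
        }'
}

# True when an `lsattr` line shows the immutable (i) attribute, which the
# post says the malware sets on /var/spool/cron/root.
attrs_immutable() {
    flags=${1%% *}                        # first field, e.g. ----i---------e-----
    case $flags in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Prints "<Option> yes" for each sshd_config option from the post that is
# set to yes in the given config text; exit 0 if any was found, 1 if none.
# PubkeyAuthentication/UsePAM yes are normal on many hosts, so compare the
# output with your own baseline rather than treating every hit as malicious.
sshd_risky_options() {
    hit=1
    for opt in PermitRootLogin RSAAuthentication PubkeyAuthentication UsePAM PasswordAuthentication; do
        if printf '%s\n' "$1" | grep -Eiq "^[[:space:]]*$opt[[:space:]]+yes([[:space:]]|$)"; then
            echo "$opt yes"
            hit=0
        fi
    done
    return $hit
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.1 1000 500 ? Ss 10:00 0:01 /sbin/init
root 4242 99.7 0.2 2000 900 ? R 10:05 5:12 [kthrotlds]
root 4250 1.0 0.1 1500 600 ? S 10:06 0:00 /usr/bin/wget -q -O /tmp/x
user 777 0.0 0.0 900 400 pts/0 S 10:07 0:00 bash'

SAMPLE_SSHD='# constructed sshd_config
PermitRootLogin yes
PasswordAuthentication yes
#UsePAM yes
PubkeyAuthentication no'

SAMPLE_LSATTR='----i---------e----- /var/spool/cron/root'

# Live usage (commented out so the file can be sourced without side effects):
# exim_version_vulnerable "$(exim --version | head -n1)" && echo "Exim needs updating"
# suspicious_pids "$(ps aux)"
# attrs_immutable "$(lsattr /var/spool/cron/root)" && echo "crontab is immutable"
# sshd_risky_options "$(cat /etc/ssh/sshd_config)"
```

The helpers only report; the cleanup steps (chattr -i, removing the crontab line, killing the processes) stay with the manual procedure in the post, so that an administrator sees what is about to be removed before acting.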

UPD 4: exim, cron, ssh (sshd).


UPD 5: AnotherDenni: WordPress.

UPD 6: Paulmann.


UPD 7: clsv: exim, /var/spool/exim4.

Clear the exim queue (exipick -i prints the queued message IDs, exim -Mrm removes them):
exipick -i | xargs exim -Mrm
Show the number of messages still in the queue:
exim -bpc

UPD 8: AnotherDenni: FirstVDS!

UPD 9: (VDS) …

UPD 10: clsv: Raspberry Pi …

UPD 11: « »: … 30

UPD 12: supersmile2009: exim (?).

UPD 13: lorc.

UPD 14: clsv: … OrangePi, Debian jessie (UPD: stretch), exim Debian-exim.

UPD 15: w0den: (MySQL CREATE TRIGGER, CREATE EVENT); .html, .js, .php, .py.

UPD 16: daykkin and savage_me: exim.

Check the installed version with:
exim --version

DirectAdmin: da_exim.

DirectAdmin custombuild exim.

custombuild.

exim «».

Source: https://habr.com/ru/post/455598/

