lists.aq.org and polyboston.org temporarily down

[beowabbit]

Hi. This does NOT affect my personal mail, or the personal mail of other individuals with @aq.org addresses.

lists.aq.org and polyboston.org are temporarily down due to a breakin. Unfortunately I wasn’t able to spend the time to fix things when I found out so I just shut the server down. I’ll be able to look at it tonight and I’m pretty sure I’ll at least be able to get the mailing lists (if not the full polyboston.org web site) up fairly quickly.

(This was an oversight on my part; the breakin was due to a known vulnerability that I fixed systematically on my physical servers at home but neglected to fix on my colocated virtual server.)

Comments

[chienne-folle.livejournal.com]

Ick. Sorry you have this to deal with!

[beowabbit]

Thanks! Have made enough progress to go to bed.

[darxus.livejournal.com]

What vulnerability?

[beowabbit]

I don’t have the CVE links handy, but an Exim vulnerability that allows a very long header to write to any place Exim can write to, and then invoke Exim with the resulting file as a config file -- so essentially it gets you remote root. I haven’t done forensics yet on the old image, but what called my attention to it was segfaults in normal commands called out of cron, so there was clearly a rootkit on it.

[darxus.livejournal.com]

Ewww. Thanks. I'm... displeased that I managed to not be aware of that.

The first several hits here are relevant: http://www.google.com/search?q=exim+vulnerability

And: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2023

I had even opened the email from debian-security-announce about it, but apparently haven't been paying enough attention to them.