One of our cPanel servers has been getting bombarded by a (mostly) LACNIC botnet attempting an (presumed) antiquated buffer overflow exploit for versions of Exim < 4.7. Since our server is running 4.80.1 I believe the attempts have been successfully thwarted, however this has created another problem: exim log size.
Understand that so far, since log rotation on Sunday, over 52000 unique IPs have made these buffer overflow attempts - some only 2 or 3 attempts, others thousands. Each time one does it creates log entries similar to this (this has been washed through 'strings' to make it more human friendly):
Code:
2013-07-10 19:39:58 [4927] SMTP syntax error in "\235\3112\225F\370|\226\322" \0167J\001\230\270\214\340\227\274\307l\017\245k\302\020\225S\220\231\342\205\344\234\246\262\257\235*L\025\236(\257\243\234\247G \235\007\023\305\237}F\315\236\271\017\303\240t\270\344\237 =\003\240#;\202\240\247\324\361\2427j\314\241.\325\241\242\371]\222\244\271f\312\242\3530|\243!\311\341\243\305\311&\245\240\303^\245\261d\004\035kns\036}\212\016\247\350\272\331\252\024\032\305\250;\354\244\226A\202\211\251fE<\252*\262T\252\005}\006\253\270~,\254\222k7\003Gmq\255\345?\264\255\272\333\300\256Vp\177\256\177\242\313\2563^k\257\201\302\003\260\226\2166\260]\317\224\260\316V\214\261y\224\376\f:\226D\262\244\306\017\263\022=\020'\256\205\207\266\274/\234,\277\313=\2703"#\2669]\257-\277'a.3Q\354\267s\351Q\270N\241p\271\232\005 \272 |\265\271Q\026\033\272dF\233-\255D\346\272f\023\337\273\301\335\220\274\343\017\335\274\021n\255\275IA\237\276\3564\321\277\034\003\220\300>\302 \302\033['\301a\277\206\303B\236=\035\004\034\236\304\300\216\357\302!\267\202\305+\277\272\303\037\232\3677\272!\322\304\007\206\2368\373\331o\306\177\254|\310\347\272\3769\027\354Z:\224s,\312\266g{;\364E\026\311|.+=s=\314%\337\330\370\312\323,\376\313{\241]?\351\373\b\317=\224n\3170\217\353\320\261\255lB\333CdD|\315\363*\371V\233\322\336]\323\320 \R\321\227\352\376\323bZ\321\321j\265\260\324K\264/\325J\207\232\323\315\203\230\324?\253\252\327|\371\217I\367\256AJ\023{\023\327\203Z&K||\2253d\005=\333C\317\356\333~\244\332\331\245\326&\332A\314\354\334V>\233\333\261\bM\334\021-\203\336\3673\273\334\330\216\232\337\324\234\bQ\240b\005\336m\275\344\340?Qw m\267\340\342afcT\346\027\004\f\346R|\342&\232)V\223\266;Z\221\201'W\307\031,\344 \344\335\344b\342\\345\376\327"\3502p\210\350\030w\300\346/\023\002\3502\321\036\352\v\253\260_\365\ 
`Cub`\023\203\352a\022\363\231iS\341\033j\032\354\351b\357\311N\354W\372\031\355\346\1\356\r\217}\356A'\343\356\202%b\357\266\275\307\357+T\254\360lR+\361\336\266\303\361\342\350\017\362"\347\216\362o\254\204\363\320K'\363\260I\246\363\377L\341\363\211\263\344k^\3450l\334t\356\365*\331\206\366i\247\024\370s\200\312k\226\342Kx\353\002\347p)\\254\374fc\344\372H'^\375b\007Br\353\375{\376N\220\255\374\222a\206t\241v\352tt)8uwm\215v\242\355A\377" H=[190.42.187.64]:49322 I=[64.140.224.205]:25 NULL character(s) present (shown as '?')
This is resulting in incredibly large log files that are actually causing some disk space concerns. Of course I could increase the amount of disk space available to /var, or I could change log rotation schedules. But I would like to find a more eloquent solution. My ideas are:

- Exim logging tweak - configure the Exim logging facility in such a way as to not log errors when 'syntax errors' or 'too many unrecognized commands' is encountered. (Currently it is set to log_selector = +all)
- Exim ACL - Build an ACL that says something like 'too many errors like the above, ban the IP'.
Unfortunately, I do not know how to do either of these things, and the Google searching I've done has not yielded results that I can easily comprehend. I've also gone through the Exim documentation on ACLs, and there too I cannot quite grasp how to do either of these things.
So I turn to you, cPanel community at large (and any cPanel techs that might stumble upon this). Would anyone be able to offer advice on how to accomplish either of the above, or perhaps offer an alternative solution to the problem?
I thank you in advance for your time and consideration.
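As an added example (not from the original post, and not part of Exim or cPanel), here is the log-side half of the poster's second idea done outside Exim: parse the mainlog, count "SMTP syntax error" and "too many unrecognized commands" entries per connecting host (the H=[...] address), and emit firewall deny commands for any host over a threshold. The sample log lines are constructed to mirror the format quoted above, with documentation-range addresses instead of real ones; the `csf -d` output format is an assumption based on CSF's deny syntax and should be adapted to whatever firewall is actually in use.

```python
#!/usr/bin/env python3
"""Count Exim SMTP-probe noise per source IP and propose deny rules.

Added example for the cPanel forum post above; not Exim's or cPanel's code.
"""
import re
import sys
from collections import Counter

# Constructed sample lines modelled on the entries quoted in the post.
# Addresses are RFC 5737 documentation ranges, not real attackers.
SAMPLE_LOG = """\
2013-07-10 19:39:58 [4927] SMTP syntax error in "\\235\\3112\\225F" H=[203.0.113.10]:49322 I=[192.0.2.5]:25 NULL character(s) present (shown as '?')
2013-07-10 19:39:59 [4928] SMTP syntax error in "\\235\\3112\\225F" H=[203.0.113.10]:49323 I=[192.0.2.5]:25 NULL character(s) present (shown as '?')
2013-07-10 19:40:01 [4930] SMTP syntax error in "\\235\\3112\\225F" H=[203.0.113.10]:49324 I=[192.0.2.5]:25 NULL character(s) present (shown as '?')
2013-07-10 19:40:03 [4931] SMTP syntax error in "XYZZY" H=[198.51.100.7]:1025 I=[192.0.2.5]:25
2013-07-10 19:40:05 [4932] SMTP connection from [198.51.100.7]:1025 I=[192.0.2.5]:25 lost
2013-07-10 19:40:07 [4933] 1UxYzQ-000123-Ab <= sender@example.com H=(mail.example.com) [198.51.100.20] P=esmtp S=1234
"""

# The two message kinds the post wants to stop logging / act on.
NOISE_PATTERNS = ("SMTP syntax error", "too many unrecognized commands")

# Exim writes the connecting host as H=[addr]:port; the bracket form keeps
# us from being fooled by garbage inside the quoted bad command.
HOST_RE = re.compile(r"H=\[(?P<ip>[0-9A-Fa-f.:]+)\]")


def is_probe_noise(line):
    """True if the line is one of the probe-related error entries."""
    return any(p in line for p in NOISE_PATTERNS)


def source_ip(line):
    """Return the H=[...] address from a mainlog line, or None."""
    m = HOST_RE.search(line)
    return m.group("ip") if m else None


def count_noise_by_ip(lines):
    """Map source IP -> number of probe-noise entries it produced."""
    counts = Counter()
    for line in lines:
        if not is_probe_noise(line):
            continue
        ip = source_ip(line)
        if ip:
            counts[ip] += 1
    return counts


def ips_over_threshold(counts, threshold):
    """IPs with at least `threshold` hits, busiest first, then by address."""
    hot = [(n, ip) for ip, n in counts.items() if n >= threshold]
    return [ip for n, ip in sorted(hot, key=lambda t: (-t[0], t[1]))]


def block_commands(ips, comment="Exim probe noise"):
    """Render deny commands; assumes CSF's `csf -d <ip> [comment]` syntax."""
    return [f'csf -d {ip} "{comment}"' for ip in ips]


if __name__ == "__main__":
    # Usage: exim_noise.py [/var/log/exim_mainlog] [threshold]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    threshold = int(sys.argv[2]) if len(sys.argv) > 2 else 3
    if path:
        with open(path, errors="replace") as fh:
            lines = fh.read().splitlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    hits = count_noise_by_ip(lines)
    for cmd in block_commands(ips_over_threshold(hits, threshold)):
        print(cmd)
```

Run it against the real mainlog with a threshold that fits the traffic (the post mentions hosts making thousands of attempts), review the list, and only then feed the commands to the firewall; a mistyped threshold of 1 would deny every host that ever sent one malformed command. Note that `errors="replace"` matters here because the quoted bad commands contain raw bytes that are not valid UTF-8.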