The Community Forums


exim attacked

Discussion in 'Security' started by nyoman, Aug 30, 2013.

  1. nyoman

    nyoman Active Member

    Hello all,

    I was frustrated with our hosting support; they have not done anything about my problem (more than 7 days, they just respond with "We are requesting the data center mitigate the attack.")

    Ok, here is the problem.

    My server was attacked on the SMTP/Exim service, which keeps our mail server busy; the "real" mail server and our clients sometimes get a time-out message, and some email arrives too late, more than 25 minutes to 1 day (24h).

    As a temporary solution I increased smtp_accept_max = 200

    In the exim_mainlog I found many errors, some of them like this:

    Code:
    2013-08-23 16:07:42 SMTP syntax error in "r\227`\363&\204\335\230u\261\377+\b[w\307\032\203\026\\024\374\3770\355\027\030\311\0039\263_\222\351.\371\2227\223\221gZ\257'\250\246\222\300\265Z\020Y\265\250t\361M\306\r\211\276\261Z p\233&\270\362\345\210Q\025m=\350\341"<\200\373<\323\030E\366\323\257\223\250\320H\202\227\037\337NM\036w\335\375\231\020Z\324\332\255\362\361sE\313\r\214\335<\371\330t\356\342\244\f\373\226"\245+\204\360;\021\006"\324\275?\247u\320\243k\004t\254\370\2414w\0034\313\031w\321\313g\333i\367[\255\376\356<\364\230\324\276%1\004\254\363\307\214\305D``\225\235n\277\236\267\005\215T\244&=>p\276\241\303\243UU\255o\355\372\024\350\3739}\005\036uU\3311\220o^S\234#\334\353\357I\372\200\363\220Z\033 \262\365\261m7)IFSA\341\267>\216x\252&\331\020\033\022&\250\364->@r\177\244\327\313\241o|\214\347\237\b\346\204\220\247X\353\0029\0334\344\322\247\316\271/;\363V\305\v\242Q_Q\030\353WZ\323l\356\003P\033\210\250\323\315\037}\366\351\265'\024\203M<\2243\346\206M4}\031\367\253\030\031E\020\261c\376\020Hy\037\254\336\307\321\250w8\275\365\016h\252\303\245\032\224\217=\202\022\277\326\234,Vo?Jq\b??\356\2362\360lCQ\241\350\334LXhto\337m\v\357\0375\246U\257\262;%\362\312\3264-\205\354\200\257\250\213\026g\233\2446T\366\271\321\036TE\257 NmO>\226\004\215y\240\v\354\017\2554\307+\305\314\247\264\202\322\366\366\327\376\006\024q\226[\223\333.\3046\225\314aM*f\313?b\376(hM\r\305\b\r.\332\217\301\304\026D#\\226\217\334\365\262c\374\346\275\002$$JPB\2743"\341\255\231\263\327I\216\233K\207\246\265\342\037AQR\277\275\347IQ\004\310\225q\304\017\361\205P\313>\236N=8\024\375-1O\251\243\333\352\202\237\361\002?\021Z\032U\026\311\267Dk\007O\255\302\312f7\241\266\177Ki\002\362H*\020\rn\2454!rm 
\274$\227\354S\326\240\272k\266V\271\003U@\205\233a\364\0024\322\337O\313\325\307\232c\305\025\377\373\264\021\264\253\200\307\262C\327\346\314\332\344\232Js\263\316\037\023>f\235*\020\227\373\246\205\234\Y\303\353Q\366\035\032D\017\220I''k\266\306?\376MQS\230\263W\353\337?\261\222\272\0220*\177h\254\303\312}H\344!?\024y\211\275C\022!\333\334\251Q\310\252@\372DY\332\003?\333p@S\302\007t9\214\240\366\203\35693\327\325\320M\361li\330\250\354?\313\2207\231\373}\0050_\2436G\367 \322^\320<\352\366N\216P\216\255\254\310B\206\310\340\332`\303\037|\0364\336" 
    And OK, I found this link http://forums.cpanel.net/f43/exim-acl-block-buffer-overflow-attempts-353841.html which says my Exim is not vulnerable, and I can hide the error message from the log.

    But this does not prevent the attacker from hitting my server. In the log I still find many error lines like this:

    Code:
    (n139';;H©°#j:13:15 SMTP call from host-87-75-193-31.dslgb.com [87.75.193.31]:20890 I=[198.x.y.z]:25 dropped: too many syntax or protocol errors (last command was ýü
                 -j
    ìǾçVÒ
    g5zH¬<©b·%0ñ;Ç&øÖ"[½óµÏL¡¨Ê@BÜݾYaDËÔrÆÚa zæ
                          Õ@Àæq¬Ê<ëæµ²æ  b  4¹****Ôu")
    Is there any way to block all those IPs from connecting to the server?

    For now I have blocked them using iptables:

    Code:
    # pull every source IP that Exim dropped for protocol errors and DROP it on port 25
    # (-a: the log contains raw bytes, so plain grep may only print "Binary file matches")
    for X in $(grep -a "dropped: too many syntax or protocol errors" /var/log/exim_mainlog | cut -d'[' -f2 | cut -d']' -f1 | sort -u); do
        iptables -A INPUT -s "$X" -p tcp --dport 25 -j DROP
    done

    I want something automatic; I tried fail2ban, but I am not very expert in Perl or other scripting languages.

    Thanks for your help


    Nyoman
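A cron-able script for the automatic version nyoman asks for, added here as an example and not code from the thread or from cPanel: it extracts the source address from every "dropped: too many syntax or protocol errors" line, counts hits per IP, and adds an iptables DROP rule only for repeat offenders and only once per address. The threshold of 2, the constructed sample log and the documentation-range addresses in it are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: find repeat offenders in exim_mainlog
# and DROP them on port 25 with iptables, safe to run from cron.
set -eu
export LC_ALL=C   # the attack lines carry raw bytes; keep sed/awk from choking on them

# Print "count ip" for every source address that Exim dropped for
# "too many syntax or protocol errors" at least THRESHOLD times.
offenders() {
    logfile=$1; threshold=$2
    # -a: without it grep sees the binary junk and prints "Binary file matches" instead of lines
    grep -a 'dropped: too many syntax or protocol errors' "$logfile" \
      | sed -n 's/.*SMTP call from [^[]*\[\([0-9.]*\)\]:[0-9]* .*/\1/p' \
      | sort | uniq -c \
      | awk -v t="$threshold" '$1 >= t { print $1, $2 }'
}

# Insert the DROP rule only if an identical one is not already present (iptables -C
# checks for it), so repeated cron runs do not pile up duplicate rules.
block_ip() {
    ip=$1
    if ! iptables -C INPUT -s "$ip" -p tcp --dport 25 -j DROP 2>/dev/null; then
        iptables -A INPUT -s "$ip" -p tcp --dport 25 -j DROP
    fi
}

# Constructed sample log standing in for /var/log/exim_mainlog; the addresses are
# documentation ranges and the binary garbage is replaced by the word "junk".
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
2013-08-23 16:07:42 SMTP syntax error in "junk" H=(bad.example) [203.0.113.7]
2013-08-23 16:07:43 SMTP call from host-a.example [203.0.113.7]:20890 I=[198.51.100.10]:25 dropped: too many syntax or protocol errors (last command was "junk")
2013-08-23 16:08:01 SMTP call from host-a.example [203.0.113.7]:20891 I=[198.51.100.10]:25 dropped: too many syntax or protocol errors (last command was "junk")
2013-08-23 16:09:12 SMTP call from host-b.example [203.0.113.9]:4101 I=[198.51.100.10]:25 dropped: too many syntax or protocol errors (last command was "junk")
2013-08-23 16:10:00 1VCabc-000123-4Z <= sender@example.net H=mail.example.net [198.51.100.20] P=esmtp S=1024
EOF
    echo "$f"
}

# Dry run by default: only list who would be blocked. Run as root with --apply to add rules
# (and point it at the real log by replacing write_sample_log with /var/log/exim_mainlog).
LOG=$(write_sample_log)
offenders "$LOG" 2 | while read -r count ip; do
    echo "$ip: $count dropped calls"
    if [ "${1:-}" = "--apply" ]; then block_ip "$ip"; fi
done
```

Only 203.0.113.7 crosses the threshold of 2 in the sample; the single-hit host and the normal delivery line are left alone, which is the point of counting before blocking.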
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello :)

    Mitigating the attack from the data center may be the best way to resolve this issue. However, there is a user-submitted alternative solution posted on the following thread:

    Sustained Exim Attack

    Thank you.
     
  3. quizknows

    quizknows Well-Known Member

    I posted another regex in that thread that should work for you.

    Also, you may want to adjust logrotate settings to rotate daily instead of weekly, as this attack can create extremely large exim logs.
     
  4. nyoman

    nyoman Active Member

    Thanks Michael.

    Thanks quizknows, I hope this one works.
     