Exim4 is a popular open source email server, often used by organizations that run their critical services on the Linux platform. Version 4.69 of this package is vulnerable to a remote buffer overflow exploit that gives the attacker the privileges of the user account under which Exim4 runs. This vulnerability was being exploited in the wild well before the software bug was discussed and fixed.
The most common exploit for this vulnerability relies on an initial large upload to the email server. This upload is over 50 megabytes in size, which is much larger than most acceptable emails. In fact, most email servers will reject emails larger than 10 megabytes.
By filtering on server port 25 (SMTP) and selecting sessions in which the client sent at least 10 megabytes, we can find communications that are out of the ordinary for an email server. Here is a view from the session explorer:
Using the above filter we can quickly see that this exploit is being attempted by many systems all over the world, indicating worm-like behavior. Before this attack became known, signature-based intrusion detection systems were unable to pick up on it. By selecting a timeframe of 3 or even 6 months back, we can see that this exploit has actually been around for a while! Check out the filter box:
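The same filter expressed as code, as an added example that is not part of the original post or of FlowTraq itself: it applies the "server port 25, client bytes at least 10 MB" rule to a constructed set of flow records (the CSV layout, IP addresses and byte counts are all invented for illustration) and counts how many distinct sources match, which is the signal that suggested worm-like spread.

```python
from collections import Counter
from datetime import datetime

# Constructed sample flow records (not real data): one record per
# client-to-server session, fields: start time, client IP, server IP,
# server port, bytes sent by the client.
SAMPLE_FLOWS = """\
2010-12-09T01:12:03,198.51.100.7,192.0.2.25,25,67108864
2010-12-09T01:13:10,203.0.113.44,192.0.2.25,25,71303168
2010-12-09T01:14:55,198.51.100.90,192.0.2.25,25,2048
2010-12-09T01:15:02,203.0.113.9,192.0.2.25,443,15728640
2010-12-09T01:16:41,198.51.100.7,192.0.2.25,25,66060288
2010-12-09T01:18:00,192.0.2.77,192.0.2.25,25,524288
"""

SMTP_PORT = 25
MIN_CLIENT_BYTES = 10 * 1024 * 1024  # 10 MiB: well above a typical email


def parse_flows(text):
    """Parse the constructed CSV flow format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, server, port, client_bytes = line.split(",")
        flows.append({
            "start": datetime.fromisoformat(ts),
            "client": client,
            "server": server,
            "server_port": int(port),
            "client_bytes": int(client_bytes),
        })
    return flows


def oversized_smtp_sessions(flows, min_bytes=MIN_CLIENT_BYTES):
    """The post's filter: server port 25 and client bytes >= threshold."""
    return [f for f in flows
            if f["server_port"] == SMTP_PORT and f["client_bytes"] >= min_bytes]


def sources_by_hits(matches):
    """Count matches per client; many distinct clients hints at a worm."""
    return Counter(f["client"] for f in matches)


if __name__ == "__main__":
    hits = oversized_smtp_sessions(parse_flows(SAMPLE_FLOWS))
    for f in hits:
        print(f"{f['start']} {f['client']} -> {f['server']}:{f['server_port']} "
              f"{f['client_bytes'] / 2**20:.1f} MiB from client")
    print("distinct sources:", len(sources_by_hits(hits)))
```

Against a real NetFlow export the same two predicates map directly onto the collector's session filter; the threshold is the only tunable, and 10 MB sits comfortably above most servers' accepted message size.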