Re: mail log oddity

2020-06-11 Thread Peter J. Philipp

I had the same IP connect to me, with the same failed-command.

-peter

On 2020-06-12 02:02, Edgar Pettijohn wrote:

On Thu, Jun 11, 2020 at 04:26:37PM -0700, Niklas wrote:

I'm curious what this would actually accomplish on a vulnerable server.

There's no path or executable it's trying to find in its iterations. This looks 
more like an arbitrary shell command meant to act as a scan/test to find 
vulnerable servers without fully leveraging the exploit.

If you had the IP it originates from it could tell you a lot.

On Jun 10, 2020 8:08 PM, Ryan Kavanagh wrote:

61.148.74.134

Edgar


On Wed, Jun 10, 2020 at 10:00:08PM -0500, Edgar Pettijohn wrote:

Saw this in the maillog today. Any ideas what they are trying to do?

249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 2 3 4 5 6 7 8 9 a b c 
d;do read r;done;sh;exit 0;>" result="530 5.5.1 Invalid command: Must issue an AUTH command 
first"

My guess is that they're trying to exploit CVE-2020-7247. Search the
advisory text for that command:

https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt

Best,
Ryan





Re: mail log oddity

2020-06-11 Thread Edgar Pettijohn
On Thu, Jun 11, 2020 at 04:26:37PM -0700, Niklas wrote:
> I'm curious what this would actually accomplish on a vulnerable server.
> 
> There's no path or executable it's trying to find in its iterations. This 
> looks more like an arbitrary shell command meant to act as a scan/test to 
> find vulnerable servers without fully leveraging the exploit.
> 
> If you had the IP it originates from it could tell you a lot.
> 
> On Jun 10, 2020 8:08 PM, Ryan Kavanagh wrote:

61.148.74.134

Edgar

> >
> > On Wed, Jun 10, 2020 at 10:00:08PM -0500, Edgar Pettijohn wrote: 
> > > Saw this in the maillog today. Any ideas what they are trying to do? 
> > > 
> > > 249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 
> > >2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>" result="530 5.5.1 
> > >Invalid command: Must issue an AUTH command first" 
> >
> > My guess is that they're trying to exploit CVE-2020-7247. Search the 
> > advisory text for that command: 
> >
> > https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt 
> >
> > Best, 
> > Ryan 
> >



Re: mail log oddity

2020-06-11 Thread Niklas
I'm curious what this would actually accomplish on a vulnerable server.

There's no path or executable it's trying to find in its iterations. This looks 
more like an arbitrary shell command meant to act as a scan/test to find 
vulnerable servers without fully leveraging the exploit.

If you had the IP it originates from it could tell you a lot.

On Jun 10, 2020 8:08 PM, Ryan Kavanagh wrote:
>
> On Wed, Jun 10, 2020 at 10:00:08PM -0500, Edgar Pettijohn wrote: 
> > Saw this in the maillog today. Any ideas what they are trying to do? 
> > 
> >  249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 2 
> >3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>" result="530 5.5.1 Invalid 
> >command: Must issue an AUTH command first" 
>
> My guess is that they're trying to exploit CVE-2020-7247. Search the 
> advisory text for that command: 
>
> https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt 
>
> Best, 
> Ryan 
>
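As an added example, not part of this thread and not OpenSMTPD's own code: a small Python scanner for the kind of maillog entry quoted above. It parses OpenSMTPD `smtp failed-command` lines, pulls the reverse-path out of a MAIL FROM, and flags any path that contains shell metacharacters. That is the shape of a CVE-2020-7247 probe: the Qualys advisory Ryan links uses exactly this MAIL FROM argument, where the `for` loop skips the queued message's header lines before `sh` executes what follows. The log lines are constructed for the example (the first mirrors the entry from the thread, the other two are benign fillers), and the set of characters flagged is an assumption: `$`, `` ` ``, `|` and `&` are legal in an RFC 5322 local part, so the check can over-match on unusual but legitimate senders.

```python
"""Scan OpenSMTPD maillog lines for MAIL FROM arguments carrying shell metacharacters."""
import re

# Constructed sample log: the first entry mirrors the failed-command line quoted in
# the thread; the other two are benign failed commands added for contrast.
SAMPLE_LOG = """\
249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>" result="530 5.5.1 Invalid command: Must issue an AUTH command first"
3a1f0c9d2e4b7a60 smtp failed-command command="MAIL FROM: <alice@example.org>" result="530 5.5.1 Invalid command: Must issue an AUTH command first"
5c7e9a1b3d2f4e80 smtp failed-command command="RCPT TO: <bob@example.net>" result="503 5.5.1 Invalid command: Must issue a MAIL FROM first"
"""

# OpenSMTPD session id (16 hex digits), then the failed command and the reply sent.
FAILED_CMD = re.compile(
    r'(?P<session>[0-9a-f]{16}) smtp failed-command '
    r'command="(?P<command>.*?)" result="(?P<result>[^"]*)"'
)
# Reverse-path argument of MAIL FROM: whatever sits between the angle brackets.
MAIL_FROM = re.compile(r'^MAIL FROM:\s*<(?P<path>.*)>\s*$', re.IGNORECASE)

# Characters that mean something to /bin/sh. Assumption for this example: '$', '`',
# '|' and '&' are legal in an RFC 5322 local part, so this set over-matches on
# unusual but legitimate senders; ';' and whitespace only occur inside a quoted
# local part, which is rare enough to be worth a look anyway.
SHELL_META = frozenset(';|&$`<>\\\n\t ')


def suspicious_mail_from(command):
    """Return the reverse-path if `command` is a MAIL FROM whose argument contains
    shell metacharacters, otherwise None."""
    m = MAIL_FROM.match(command)
    if m is None:
        return None
    path = m.group('path')
    if SHELL_META & set(path):
        return path
    return None


def scan(log_text):
    """One finding per failed-command line that carries a suspicious MAIL FROM."""
    findings = []
    for line in log_text.splitlines():
        m = FAILED_CMD.search(line)
        if m is None:
            continue
        path = suspicious_mail_from(m.group('command'))
        if path is not None:
            findings.append({
                'session': m.group('session'),
                'path': path,
                'result': m.group('result'),
                # A 4xx/5xx reply means the server refused the command, so the
                # address was never accepted: a probe, not a delivery.
                'refused': m.group('result')[:1] in ('4', '5'),
            })
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['session']} refused={f['refused']} MAIL FROM=<{f['path']}>")
```

A hit with a 530 result, as in the thread, records a command the server refused before doing anything with the address, so it is evidence of a probe rather than of a compromise. The `failed-command` line is only written for rejected commands; on an unpatched server that accepted the address there would be no such entry, so this scanner finds the scanners, not successful exploitation.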


Re: mail log oddity

2020-06-11 Thread edgar
They are a little late.

Edgar

On Jun 10, 2020 10:08 PM, Ryan Kavanagh wrote:

On Wed, Jun 10, 2020 at 10:00:08PM -0500, Edgar Pettijohn wrote:
> Saw this in the maillog today. Any ideas what they are trying to do?
> 
>  249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>" result="530 5.5.1 Invalid command: Must issue an AUTH command first"

My guess is that they're trying to exploit CVE-2020-7247. Search the
advisory text for that command:

https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt

Best,
Ryan