Re: mail log oddity

2020-06-11 Thread Peter J. Philipp

I had the same IP connect to me, with the same failed-command.

-peter

On 2020-06-12 02:02, Edgar Pettijohn wrote:

On Thu, Jun 11, 2020 at 04:26:37PM -0700, Niklas wrote:

I'm curious what this would actually accomplish on a vulnerable server.

There's no path or executable its trying to find in its iterations. This looks 
more like an arbitrary shell command meant to act as a scan/test to find 
vulnerable servers without fully leveraging the exploit.

If you had the IP it originates from it could tell you a lot.On Jun 10, 2020 8:08 PM, 
Ryan Kavanagh  wrote:

61.148.74.134

Edgar


On Wed, Jun 10, 2020 at 10:00:08PM -0500, Edgar Pettijohn wrote:

Saw this in the maillog today. Any ideas what they are trying to do?

?? 249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 2 3 4 5 6 7 8 9 a b c 
d;do read r;done;sh;exit 0;>" result="530 5.5.1 Invalid command: Must issue an AUTH command 
first"

My guess is that they're trying to exploit CVE-2020-7247. Search the
advisory text for that command:

https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt

Best,
Ryan





Re: mail log oddity

2020-06-11 Thread Edgar Pettijohn
On Thu, Jun 11, 2020 at 04:26:37PM -0700, Niklas wrote:
> I'm curious what this would actually accomplish on a vulnerable server.
> 
> There's no path or executable its trying to find in its iterations. This 
> looks more like an arbitrary shell command meant to act as a scan/test to 
> find vulnerable servers without fully leveraging the exploit.
> 
> If you had the IP it originates from it could tell you a lot.On Jun 10, 2020 
> 8:08 PM, Ryan Kavanagh  wrote:

61.148.74.134

Edgar

> >
> > On Wed, Jun 10, 2020 at 10:00:08PM -0500, Edgar Pettijohn wrote: 
> > > Saw this in the maillog today. Any ideas what they are trying to do? 
> > > 
> > >?? 249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 
> > >2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>" result="530 5.5.1 
> > >Invalid command: Must issue an AUTH command first" 
> >
> > My guess is that they're trying to exploit CVE-2020-7247. Search the 
> > advisory text for that command: 
> >
> > https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt 
> >
> > Best, 
> > Ryan 
> >



Re: mail log oddity

2020-06-11 Thread Niklas
I'm curious what this would actually accomplish on a vulnerable server.

There's no path or executable its trying to find in its iterations. This looks 
more like an arbitrary shell command meant to act as a scan/test to find 
vulnerable servers without fully leveraging the exploit.

If you had the IP it originates from it could tell you a lot.On Jun 10, 2020 
8:08 PM, Ryan Kavanagh  wrote:
>
> On Wed, Jun 10, 2020 at 10:00:08PM -0500, Edgar Pettijohn wrote: 
> > Saw this in the maillog today. Any ideas what they are trying to do? 
> > 
> >  249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 2 
> >3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>" result="530 5.5.1 Invalid 
> >command: Must issue an AUTH command first" 
>
> My guess is that they're trying to exploit CVE-2020-7247. Search the 
> advisory text for that command: 
>
> https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt 
>
> Best, 
> Ryan 
>


Re: mail log oddity

2020-06-11 Thread edgar
They are a little late.Edgar On Jun 10, 2020 10:08 PM, Ryan Kavanagh  wrote:On Wed, Jun 10, 2020 at 10:00:08PM -0500, Edgar Pettijohn wrote:
> Saw this in the maillog today. Any ideas what they are trying to do?
> 
>  249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>" result="530 5.5.1 Invalid command: Must issue an AUTH command first"

My guess is that they're trying to exploit CVE-2020-7247. Search the
advisory text for that command:

https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt

Best,
Ryan



Re: mail log oddity

2020-06-10 Thread Ryan Kavanagh
On Wed, Jun 10, 2020 at 10:00:08PM -0500, Edgar Pettijohn wrote:
> Saw this in the maillog today. Any ideas what they are trying to do?
> 
>  249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 2 3 
> 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>" result="530 5.5.1 Invalid 
> command: Must issue an AUTH command first"

My guess is that they're trying to exploit CVE-2020-7247. Search the
advisory text for that command:

https://www.qualys.com/2020/01/28/cve-2020-7247/lpe-rce-opensmtpd.txt

Best,
Ryan



mail log oddity

2020-06-10 Thread Edgar Pettijohn
Saw this in the maillog today. Any ideas what they are trying to do?

 249c054a86af9328 smtp failed-command command="MAIL FROM: <;for i in 0 1 2 3 4 
5 6 7 8 9 a b c d;do read r;done;sh;exit 0;>" result="530 5.5.1 Invalid 
command: Must issue an AUTH command first"

Edgar