Threat Level: green Handler on Duty: Kevin Liston

SANS ISC Internet Storm Center


Latest Diaries

Shellshock via SMTP

Published: 2014-10-24
Last Updated: 2014-10-24 19:05:00 UTC
by Kevin Liston (Version: 1)
0 comment(s)

I've received several reports of what appear to be Shellshock exploit attempts via SMTP. The sources so far have all been webhosting providers, so I'm assuming these are compromised systems. The email headers look something like this (thanks Justin for the anonymized headers, no thanks to Outlook for helpfully trying to make the links live):

The payload is an IRC Perl bot with simple DDoS commands and the ability to fetch and execute further code.
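A header-scanning check for the attempts described above, as an added example that is not part of the original diary or any ISC code: it flags every mail header whose value contains the bash function-definition prefix `() {` that Shellshock attempts rely on. The sample messages, addresses, the `X-Constructed` header and the `PLACEHOLDER_COMMAND` string are constructed for illustration.

```python
import re
from email import message_from_string

# Bash function-definition prefix that Shellshock attempts rely on:
# "()" followed by "{", with optional whitespace in between.
MARKER = re.compile(r"\(\s*\)\s*\{")
FOLD = re.compile(r"\r?\n[ \t]+")  # header continuation (folded) lines

def find_shellshock_headers(raw_message):
    """Return [(header_name, unfolded_value)] for each header carrying the marker."""
    msg = message_from_string(raw_message)
    hits = []
    for name, value in msg.items():
        flat = FOLD.sub(" ", str(value))  # unfold so the logged value is one line
        if MARKER.search(flat):
            hits.append((name, flat))
    return hits

def triage(messages):
    """Map message id -> flagged header names, for messages with at least one hit."""
    report = {}
    for msg_id, raw in messages.items():
        names = [name for name, _ in find_shellshock_headers(raw)]
        if names:
            report[msg_id] = names
    return report

# Constructed sample messages (not the anonymized headers from the reports).
# "benign" has parentheses and braces in the subject but no empty "()" pair.
SAMPLES = {
    "benign": "From: alice@example.com\r\nSubject: Notes (draft) {v2}\r\n\r\nHi\r\n",
    "marked": (
        "From: sender@example.com\r\n"
        "To: () { :; }; PLACEHOLDER_COMMAND\r\n"
        "Subject: () { :; }; PLACEHOLDER_COMMAND\r\n"
        "\r\n"
    ),
    "folded": "From: carol@example.org\r\nX-Constructed: ()\r\n\t{ :; }; PLACEHOLDER_COMMAND\r\n\r\n",
}

if __name__ == "__main__":
    for msg_id, names in triage(SAMPLES).items():
        print(f"{msg_id}: marker in {', '.join(names)}")
```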


Keywords: shellshock

Are you receiving Empty or "Hi" emails?

Published: 2014-10-24
Last Updated: 2014-10-24 14:10:02 UTC
by Kevin Liston (Version: 1)
7 comment(s)

I wanted to perform a little unscientific information gathering. I'm working with a small group who think they're being specifically targeted by these, while I think it's more widespread and opportunistic. If you've recently received these no-content probe emails, or a simple "Hi" message, please send a simple comment below in this format:

  • Industry
  • Order of magnitude in size (e.g. <10, <100, <1000)
  • Sending domain

Feel free to use our comment page to add extra analysis comments here:
