Shellshock attacks mail servers
Reports are emerging that attacks are being performed against SMTP servers using the Shellshock bug. The campaign seeks to create an IRC botnet for DDOS attacks and other purposes.
Shellshock emerged about a month ago and immediately was recognized widely as a serious problem.
The bug had been in the Bash shell for 20 years and was widely deployed in a configuration that made it easy to exploit.
Many of those vulnerable configurations are on forgotten systems, long considered stable and which may be difficult to patch.
This SMTP vector is a good example of the problem, as mail servers are often left untouched for long periods.
This is an example of a mail header to exploit the bug:
An image of full message headers is included at the bottom of this story. You can also find a copy of full headers of a such a message on Pastebin, courtesy of Benjamin Sonntag, the co-founder of citizen advocacy group La Quadrature du Net. The Pastebin example also shows the plainly-illegitimate message receiving a low Spamassassin score of 2.616, giving it the A-OK for delivery. The payload of the attack is an IRC perl bot with simple DDoS commands and the ability to retrieve and execute further code.
Writing about the attacks, CSO says they have found one the IRC servers used to host the bots. On October 24 it had 160 compromised servers connected to it.