Shellshock attacks mail servers

The latest vector for exploits of the Shellshock bug in the Bash shell is SMTP, where the mail headers themselves trigger the exploit.

Reports are emerging that attacks are being performed against SMTP servers using the Shellshock bug. The campaign seeks to create an IRC botnet for DDoS attacks and other purposes.

Shellshock emerged about a month ago and was immediately and widely recognized as a serious problem.

The bug had been in the Bash shell for 20 years, and the shell was widely deployed in a configuration that made the bug easy to exploit.

Many of those vulnerable configurations are on forgotten systems that have long been considered stable and may be difficult to patch.

This SMTP vector is a good example of the problem, as mail servers are often left untouched for long periods.

This is an example of a mail header to exploit the bug:


An image of full message headers is included at the bottom of this story. You can also find a copy of the full headers of such a message on Pastebin, courtesy of Benjamin Sonntag, the co-founder of citizen advocacy group La Quadrature du Net. The Pastebin example also shows the plainly illegitimate message receiving a low SpamAssassin score of 2.616, giving it the A-OK for delivery. The payload of the attack is an IRC Perl bot with simple DDoS commands and the ability to retrieve and execute further code.
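A header check that a mail filter could run before delivery, as an added example that is not from the article or the Pastebin copy: it flags header values carrying the Bash function-definition marker `() {`. The sample messages, the function names and the quarantine rule are assumptions made for illustration.

```python
import re
from email import message_from_string

# Bash imports an environment value that begins with "() {" as a function
# definition; an unpatched Bash also runs whatever follows the definition.
MARKER = re.compile(r"\(\)\s*\{")

# Constructed sample messages (not taken from the Pastebin copy the article
# cites). The command part of each marker line is replaced by a placeholder.
SAMPLE_SUSPECT = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "To: () { :; }; <command-placeholder>\n"
    "From: () { :; };\n"
    " <command-placeholder>\n"
    "Subject: call me about foo() { } in the patch\n"
    "\n"
    "body\n"
)
SAMPLE_CLEAN = (
    "To: Bob (ops) <bob@example.org>\n"
    "From: Alice <alice@example.org>\n"
    "Subject: Quarterly report () attached\n"
    "\n"
    "body\n"
)

def scan_headers(raw_message):
    """Return (header, confidence, value) for each header carrying the marker.

    confidence is "leading" when the value starts with the marker (the form
    Bash would import as a function) and "embedded" when it appears later.
    """
    findings = []
    for name, value in message_from_string(raw_message).items():
        # Unfold continuation lines so the report shows one line per header.
        flat = re.sub(r"\r?\n[ \t]+", " ", str(value)).strip()
        match = MARKER.search(flat)
        if match:
            confidence = "leading" if match.start() == 0 else "embedded"
            findings.append((name, confidence, flat))
    return findings

def should_quarantine(raw_message):
    """Quarantine on any leading marker; embedded ones are left for review."""
    return any(conf == "leading" for _, conf, _ in scan_headers(raw_message))
```

A content score alone, like the 2.616 mentioned above, does not look at this marker, which is why a structural check on every header value is a useful complement.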

Writing about the attacks, CSO says they have found one of the IRC servers used to host the bots. On October 24 it had 160 compromised servers connected to it.