
SANS ISC: InfoSec Handlers Diary Blog - Shellshock via SMTP



Shellshock via SMTP

Published: 2014-10-24
Last Updated: 2014-10-24 19:05:00 UTC
by Kevin Liston (Version: 1)

I've received several reports of what appear to be shellshock exploit attempts via SMTP.  The sources so far have all been webhosting providers, so I'm assuming these are compromised systems.  The email headers look something like this (thanks Justin for the anonymized headers, no thanks to Outlook for helpfully trying to make the links live):

The payload is an IRC perl bot with simple DDoS commands and the ability to fetch and execute further code.
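
A header check a mail administrator could run over stored messages, as an added example that is not part of the original diary: it flags any header whose value contains the bash function-definition prefix `() {` that Shellshock payloads begin with. The sample message is constructed (it is not the anonymized sample from the reports), and the name `suspicious_headers` is hypothetical.

```python
import re
from email import message_from_string

# Bash imports a function from an environment variable whose value starts
# with "() {". The match is deliberately broad (anywhere in the value,
# flexible whitespace), so expect an occasional false positive.
FUNC_DEF_RE = re.compile(r"\(\s*\)\s*\{")

# Constructed sample message: example domains, harmless placeholder command.
SAMPLE = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    "\tby mx.example.org with ESMTP; Fri, 24 Oct 2014 12:00:00 +0000\n"
    "From: () { :; }; echo constructed-placeholder\n"
    "To: user@example.org\n"
    "Subject: () { :; }; echo constructed-placeholder\n"
    "Message-ID: <constructed-1@example.net>\n"
    "\n"
    "body text\n"
)

CLEAN = (
    "From: alice@example.net\n"
    "To: user@example.org\n"
    "Subject: Meeting notes (draft)\n"
    "\n"
    "body text\n"
)


def suspicious_headers(raw_message):
    """Return (name, value) for each header containing the '() {' prefix."""
    msg = message_from_string(raw_message)
    hits = []
    for name, value in msg.items():
        # Unfold continuation lines so the reported value is a single line.
        unfolded = re.sub(r"\r?\n[ \t]+", " ", str(value))
        if FUNC_DEF_RE.search(unfolded):
            hits.append((name, unfolded))
    return hits


if __name__ == "__main__":
    for name, value in suspicious_headers(SAMPLE):
        print(f"suspicious header {name}: {value!r}")
```

Messages that match are worth quarantining and tracing to any delivery agent or filter that passes header values to a shell through environment variables.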


Keywords: shellshock