Shellshock

Security

"Shellshock" is the name given to a family of six vulnerabilities in the Bash command shell on Linux. Details about the vulnerabilities can be found here (Wikipedia).


When running Security Onion (see the previous post), I noticed that people were requesting various files in an attempt to find a vulnerability on my web server. Being the curious type, this prompted me to ask: what is being requested, can I log it, and, if there is a pattern in the filenames, what would the malware do if I responded to it?


To find out more, I modified my 404 page (a PHP script) to include a file that records this information for us.



Since I already had a 404 error page, I copied the following into a new file and included it from my existing one.


<?php

/**********************************************
404 inc Page for Collecting exploit info
and log it. Optionally, respond to
exploit, to see what happens next...
Can be included in a normal 404 Page
Author:
Tim Wilkes - php-systems.com - 2015/03/02
**********************************************/

$LOGFILE = "/var/tmp/httpd-404.log";
date_default_timezone_set("UTC");

// Return a request field, or an empty string if the client did not send it.
// CR/LF are replaced so a crafted header cannot forge extra log lines.
function field($name) {
    $value = isset($_SERVER[$name]) ? $_SERVER[$name] : "";
    return str_replace(array("\r", "\n"), " ", $value);
}

// Log the 404 to a text file.
// You could log it to a database, just be very, very careful...
// Note: is_writable() is false if the file does not exist yet, so create it
// (writable by the web server user) before relying on this.

if (is_writable($LOGFILE)) {
    $fp = @fopen($LOGFILE, "a");
    if ($fp) {
        fwrite($fp, "USERAGENT:" . field('HTTP_USER_AGENT'));
        fwrite($fp, ":PAGE:" . field('REQUEST_URI'));
        fwrite($fp, ":HOST:" . field('HTTP_HOST'));
        fwrite($fp, ":TIME(UTC):" . time());
        fwrite($fp, ":REMOTEHOST:" . field('REMOTE_ADDR'));
        fwrite($fp, "\n");
        fclose($fp);
    }
}

// Respond if we see a page we know and respond....
$uri = field('REQUEST_URI');
if ($uri == "//") {
    echo "ad43fd99987a8f6a648abe05095bf52c";
} elseif ($uri == "/cgi-bin/test-cgi") {
    echo "ad43fd99987a8f6a648abe05095bf52c";
} elseif ($uri == "/cgi-sys/realsignup.cgi") {
    echo "ad43fd99987a8f6a648abe05095bf52c";
}
?>





The value "ad43fd99987a8f6a648abe05095bf52c" is actually the MD5 sum of 2014. This is what the bot is attempting to get from my server, so I'm just making it think it has got it. The script also logs the requests as they come in.
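As an added example (not part of the original post), here is a small Python reader for the log format the script above writes. It parses each line, flags User-Agents that carry the Shellshock function-definition prefix "() {", and counts hits on the three paths the 404 handler answers, per remote host. The sample log lines, hostnames and IP addresses are constructed for the example; only the field order and delimiters are taken from the PHP script.

```python
import re
from collections import Counter

# Regex for the colon-delimited line format the 404 script above writes:
#   USERAGENT:<ua>:PAGE:<uri>:HOST:<host>:TIME(UTC):<unix ts>:REMOTEHOST:<ip>
# The USERAGENT and PAGE fields are attacker-controlled and may themselves
# contain ":", so they are matched non-greedily and the fixed field markers
# that follow anchor the match.
LINE_RE = re.compile(
    r"^USERAGENT:(?P<ua>.*?):PAGE:(?P<uri>.*?):HOST:(?P<host>.*?)"
    r":TIME\(UTC\):(?P<ts>\d+):REMOTEHOST:(?P<ip>[0-9a-fA-F.:]+)$"
)

# A Shellshock probe places a Bash function definition, "() {", in a
# request header (User-Agent is the usual one) that a CGI handler exports
# as an environment variable.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Paths the 404 handler on this page answers; a hit on one of them is
# scanner activity even when the User-Agent looks innocent.
SCANNER_PATHS = {"//", "/cgi-bin/test-cgi", "/cgi-sys/realsignup.cgi"}


def parse_line(line):
    """Return a dict of fields for one log line, or None if it is malformed."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])
    return rec


def classify(rec):
    """Label a parsed record by what it most likely is."""
    if SHELLSHOCK_RE.search(rec["ua"]):
        return "shellshock-probe"
    if rec["uri"] in SCANNER_PATHS:
        return "scanner-path"
    return "ordinary-404"


def analyze(lines):
    """Parse and classify log lines; count probing hosts and malformed lines."""
    findings, probes_by_ip, malformed = [], Counter(), 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        label = classify(rec)
        findings.append((rec["ip"], rec["uri"], label))
        if label != "ordinary-404":
            probes_by_ip[rec["ip"]] += 1
    return {"findings": findings, "probes_by_ip": probes_by_ip, "malformed": malformed}


# Constructed sample log (not real traffic): two probes from one host, one
# normal 404 from a crawler, and one truncated line to exercise the parser.
SAMPLE_LOG = [
    'USERAGENT:() { :; }; /bin/bash -c "echo probe":PAGE:/cgi-bin/test-cgi'
    ':HOST:www.example.com:TIME(UTC):1425254400:REMOTEHOST:203.0.113.5',
    'USERAGENT:Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
    ':PAGE:/old-page.html:HOST:www.example.com:TIME(UTC):1425254460:REMOTEHOST:198.51.100.7',
    'USERAGENT:curl/7.35.0:PAGE://:HOST:www.example.com:TIME(UTC):1425254520'
    ':REMOTEHOST:203.0.113.5',
    'USERAGENT:truncated:PAGE:/x',
]


def analyze_sample():
    """Run the analysis over the constructed sample log."""
    return analyze(SAMPLE_LOG)


if __name__ == "__main__":
    result = analyze_sample()
    for ip, uri, label in result["findings"]:
        print(f"{ip:15} {label:16} {uri}")
    print("probing hosts:", dict(result["probes_by_ip"]), "malformed:", result["malformed"])
```

The parser relies on the fixed field markers rather than splitting on ":" because the User-Agent and URI are supplied by the client and routinely contain colons; for the same reason the writer must strip CR/LF before logging, otherwise a single request could inject a line that parses as a different host. Run it against the real file with `analyze(open("/var/tmp/httpd-404.log"))`.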








Comments


  1. Sean McLinden says:

    I'd be curious to know the IP of the attacker (offline, of course), as I have been following a similar threat.

  2. asdokodskad says:

    Hi, to be honest I found this page because of the md5sum of 2014 found also in logs. ;-)

    Thanks for the heads up!

    Did you investigate that bot anyway?

    Cheers

