La noche de CrowdStrike ShellShock Scanner

CrowdStrike ShellShock Scanner” es uno de los (¿Cientos?) de scanners que intentan encontrar maquinas vulnerables el Bug del bash que salió hace algunas semanas.


Esta mañana veía las alertas de la noche y parece que alguien le ha estado dando caña a la pobre maquina.

Hoy tocaba ip’s de turquia … 78.187.22.176

Algunos de los logs…

78.187.22.176 – – [31/Oct/2014:05:19:58 +0100] “GET /cgi-bin/troops.cgi HTTP/1.1” 404 439 “() { (a)=>’ echo -e \”\\r\\n\\r\\ncs69BEC691E4C95A4BA1BDDAC75867E577\”” “CrowdStrike ShellShock Scanner/1.0”
78.187.22.176 – – [31/Oct/2014:05:19:57 +0100] “GET /cgi-bin/troops.cgi HTTP/1.1” 404 439 “() { :; }; echo -e \”\\r\\n\\r\\ncs69BEC691E4C95A4BA1BDDAC75867E577\”” “CrowdStrike ShellShock Scanner/1.0”
78.187.22.176 – – [31/Oct/2014:05:19:57 +0100] “GET /cgi-bin/traffic.cgi HTTP/1.1” 404 440 “() { (a)=>’ echo -e \”\\r\\n\\r\\ncs69BEC691E4C95A4BA1BDDAC75867E577\”” “CrowdStrike ShellShock Scanner/1.0”
78.187.22.176 – – [31/Oct/2014:05:19:57 +0100] “GET /cgi-bin/traffic.cgi HTTP/1.1” 404 440 “() { :; }; echo -e \”\\r\\n\\r\\ncs69BEC691E4C95A4BA1BDDAC75867E577\”” “CrowdStrike ShellShock Scanner/1.0”
78.187.22.176 – – [31/Oct/2014:05:19:57 +0100] “GET /cgi-bin/title.cgi HTTP/1.1” 404 439 “() { (a)=>’ echo -e \”\\r\\n\\r\\ncs69BEC691E4C95A4BA1BDDAC75867E577\”” “CrowdStrike ShellShock Scanner/1.0”
78.187.22.176 – – [31/Oct/2014:05:19:56 +0100] “GET /cgi-bin/title.cgi HTTP/1.1” 404 438 “() { :; }; echo -e \”\\r\\n\\r\\ncs69BEC691E4C95A4BA1BDDAC75867E577\”” “CrowdStrike ShellShock Scanner/1.0”
78.187.22.176 – – [31/Oct/2014:05:19:56 +0100] “GET /cgi-bin/tigvote.cgi HTTP/1.1” 404 440 “() { (a)=>’ echo -e \”\\r\\n\\r\\ncs69BEC691E4C95A4BA1BDDAC75867E577\”” “CrowdStrike ShellShock Scanner/1.0”
78.187.22.176 – – [31/Oct/2014:05:19:55 +0100] “GET /cgi-bin/tigvote.cgi HTTP/1.1” 404 440 “() { :; }; echo -e \”\\r\\n\\r\\ncs69BEC691E4C95A4BA1BDDAC75867E577\”” “CrowdStrike ShellShock Scanner/1.0”
78.187.22.176 – – [31/Oct/2014:05:19:55 +0100] “GET /cgi-bin/tidfinder.cgi HTTP/1.1” 404 442 “() { (a)=>’ echo -e \”\\r\\n\\r\\ncs69BEC691E4C95A4BA1BDDAC75867E577\”” “CrowdStrike ShellShock Scanner/1.0”
78.187.22.176 – – [31/Oct/2014:05:19:55 +0100] “GET /cgi-bin/tidfinder.cgi HTTP/1.1” 404 442 “() { :; }; echo -e \”\\r\\n\\r\\ncs69BEC691E4C95A4BA1BDDAC75867E577\”” “CrowdStrike ShellShock Scanner/1.0”
78.187.22.176 – – [31/Oct/2014:05:19:55 +0100] “GET /cgi-bin/testing_whatever HTTP/1.1” 404 445 “() { (a)=>’ echo -e \”\\r\\n\\r\\ncs69BEC691E4C95A4BA1BDDAC75867E577\”” “CrowdStrike ShellShock Scanner/1.0”
78.187.22.176 – – [31/Oct/2014:05:19:54 +0100] “GET /cgi-bin/testing_whatever HTTP/1.1” 404 445 “() { :; }; echo -e \”\\r\\n\\r\\ncs69BEC691E4C95A4BA1BDDAC75867E577\”” “CrowdStrike ShellShock Scanner/1.0”

Y unos cuantos (miles) mas … Parece que el tio no tenia otra cosa mejor que hacer que generar 404’s a saco.

Comments are closed.