15

I found what looks like a possible attempted Shellshock attack targeting tmUnblock.cgi, and I'm trying to understand it.


I was checking through Apache access logs for a small webserver during the time period between the Shellshock bug becoming news and the server being patched, looking for suspicious entries.

It gets low traffic, so it's actually possible for me to read through the whole access log and spot unusual entries. These are mostly "white hat" scans such as Errata Security's "Shellshock Scan of the Internet", with the Shellshock attempts visible in the log entry through being present in the user agent.

One, however, looks like it might be a more serious attack attempt:

72.229.125.183 - - [26/Sep/2014:18:16:48 -0400] "GET /" 400 464 "-" "-"
72.229.125.183 - - [26/Sep/2014:18:16:48 -0400] "GET /tmUnblock.cgi HTTP/1.1" 400 303 "-" "-"

There are about 4 of these in my logs, all from different IPs, all from after Shellshock was publicised. Their IPs all come from odd, unrelated sources that seem plausible for bots.

The first appears to be a scan (testing vulnerability?), then there's an attempt to target a cgi script. Unlike the white hat stuff like the Errata Security scan, there's nothing giving away its purpose in the user agent (my understanding is that 'serious' Shellshock attacks will use headers that are not logged).

I've never heard of tmUnblock.cgi and it doesn't appear to exist on my server, so I'm mostly asking out of curiosity (I hope!). What is tmUnblock.cgi and is it something that could be targeted with a shellshock attack?

My own attempts to research tmUnblock.cgi ended in confusion. It seems associated with an exploitable bug in Linksys routers discovered in Feb 2014, which seems to be related to executing shell commands and seems to have been used to propagate worms in the past, but that's all I can find.
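One way to do the log triage described in the question, as an added example that is not part of the original post: a small Python script that parses Apache combined-format lines, flags the bash function prefix ("() {") in the logged User-Agent or Referer fields (where Errata-style Shellshock scans show up), and separately flags requests for tmUnblock.cgi so the two kinds of probe are counted apart. The log lines embedded below are constructed for this example and are not taken from the post; the indicator list, regexes and function names are my own choices, not any tool's.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" LogFormat. Addresses and
# user agents are made up for this example (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [26/Sep/2014:10:02:11 -0400] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Sep/2014:12:41:05 -0400] "GET / HTTP/1.1" 200 1043 "-" "() { :; }; ping -c 11 203.0.113.5"
203.0.113.44 - - [26/Sep/2014:18:16:48 -0400] "GET /" 400 464 "-" "-"
203.0.113.44 - - [26/Sep/2014:18:16:48 -0400] "GET /tmUnblock.cgi HTTP/1.1" 400 303 "-" "-"
192.0.2.31 - - [27/Sep/2014:03:15:02 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "() { :;}; /bin/bash -c 'id'" "-"
"""

# Combined log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Shellshock trigger is a bash function definition at the start of an
# environment variable value; "() {" with optional whitespace catches the
# common variants ("() { :;};", "() {:;};", ...).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# CGI names to flag as router probes. Only the one from the question is
# listed here; extend as needed (hypothetical list, not from any scanner).
ROUTER_CGI_NAMES = {"tmUnblock.cgi"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = entry["request"].split()
    entry["method"] = parts[0] if parts else ""
    # A request line such as "GET /" (no HTTP version) still yields a path.
    entry["path"] = parts[1] if len(parts) > 1 else ""
    return entry


def classify(entry):
    """Return the indicator tags that apply to one parsed entry."""
    tags = []
    # Only Referer and User-Agent are logged in the combined format, so a
    # payload placed in Cookie, Host or a custom header is invisible here.
    if any(SHELLSHOCK_RE.search(entry[f]) for f in ("ua", "referer", "request")):
        tags.append("shellshock-probe")
    basename = entry["path"].split("?", 1)[0].rsplit("/", 1)[-1]
    if basename in ROUTER_CGI_NAMES:
        tags.append("router-cgi-probe")
    return tags


def scan_log(text):
    """Return (line_number, ip, tags) for every flagged or unparseable line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            findings.append((lineno, None, ["unparseable"]))
            continue
        tags = classify(entry)
        if tags:
            findings.append((lineno, entry["ip"], tags))
    return findings


def summarize(findings):
    """Count indicator tags per source IP, skipping unparseable lines."""
    by_ip = {}
    for _, ip, tags in findings:
        if ip is None:
            continue
        by_ip.setdefault(ip, Counter()).update(tags)
    return by_ip


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for lineno, ip, tags in hits:
        print(f"line {lineno:>3} {ip or '-':<15} {', '.join(tags)}")
    for ip, counts in summarize(hits).items():
        print(ip, dict(counts))
```

Because the combined format records only the Referer and User-Agent headers, this catches scans that announce themselves there but cannot see a Shellshock payload carried in any other header; to log those, the LogFormat has to be extended with the specific header names, or the check has to be done at the proxy or WAF rather than from the access log.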

3 Answers

16

tmUnblock.cgi is a binary CGI executable in some Cisco/Linksys router firmwares that has multiple security holes that permit various attacks on the router. It is unrelated to the "shellshock" vulnerability.

Unless your "small webserver" is somehow running on a Cisco/Linksys router with stock firmware, the log entries are nothing to worry about.

Mark
  • That's the impression I got. Seems odd that there seems to be suddenly several of these a day popping up shortly after Shellshock broke, when I've never seen any before. – user56reinstatemonica8 Sep 30 '14 at 12:49
4

About the cgi_list_example.txt of shellshock-scanner, the inclusion of tmUnblock.cgi in the list is maybe unrelated to shellshock. I made that list taking some CGIs from different places, some of them have been taken from my own logs as "possible vulnerable cgis" (just in case I test for them).

Others are from other posts/pocs I found out there. Probably some are really not related to shellshock.

Gryphus
3

The request probably originates from someone using https://github.com/gry/shellshock-scanner. It is mentioned in the cgi_list_example.txt there ^^ So, somehow it IS related to shellshock.

leberknecht