[nsp-sec] srv5.su and some other interesting shellshocky stuff.

Scott A. McIntyre scott at howyagoin.net
Thu Apr 9 18:05:16 EDT 2015


Hi,

I've noticed some interesting attempts to exploit Bash bugs this week.  
Seems that there's an ircd on 188.42.240.97 (6667, possibly other ports) 
which is where the Linux bot tries to connect.

SU1: ELF 64-bit LSB  executable, x86-64, version 1 (SYSV), dynamically 
linked (uses shared libs), for GNU/Linux 2.6.0, stripped
SU2: ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), 
dynamically linked (uses shared libs), for GNU/Linux 2.2.5, stripped

The inbound traffic sets a few HTTP headers:

Cookie: () { :;} ;echo;/usr/bin/php -r %s
Referer: () { :;} ;echo;/usr/local/bin/php -r %s

And from there it tries to insert itself into rc.conf or rc.local, and then begins outward 
scanning for:

/dana-na/auth/url_default/welcome.cgi
/cgi-bin/ICuGI/EST/blast_detail.cgi
/cgi-sys/entropysearch.cgi
/cgi-sys/defaultwebpage.cgi
/cgi-mod/index.cgi
/cgi-bin/test.cgi
/cgi-bin-sdb/printenv
/admin.cgi
/cgi-bin/bash
/cgi-bin/hello
/cgi-bin/helpme
/cgi-bin/info.sh
/cgi-bin/php5-cli?
/cgi-bin/php5?
/cgi-bin/test-cgi
/cgi-bin/test.sh
/cgi-sys/guestbook.cgi
/cgi-sys/php5?
/phppath/cgi_wrapper?
/phppath/php?
/tmUnblock.cgi
/cgi-bin/contact.cgi
/cgi-bin/defaultwebpage.cgi
/cgi-bin/env.cgi
/cgi-bin/forum.cgi
/cgi-bin/hello.cgi
/cgi-bin/index.cgi
/cgi-bin/login.cgi
/cgi-bin/main.cgi
/cgi-bin/meme.cgi
/cgi-bin/recent.cgi
/cgi-bin/sat-ir-web.pl
/cgi-bin/signon.cgi
/cgi-bin/test-cgi.pl
/cgi-bin/tools/tools.pl
/phppath/cgi_wrapper
/phppath/php
/cgi-sys/FormMail-clone.cgi
/xul/
/gitweb/
/gitweb.cgi
/cgi-bin/
/cgi-bin/php4
/cgi-bin/php.cgi
/cgi-bin/firmwarecfg
/cgi-bin/%2f/admin.html
/cgi-bin/admin.html
/sys-cgi
/cgi-bin/tree.php
/cgi-bin/w3mman2html.cgi
/cgi-bin/status/status.cgi

The binaries themselves live at:

http:// srv5.su /SU2
http:// srv5.su /SU1


Top inbound sources today are:

16339   | 212.78.67.123    | VI-UK Virtual Internet (UK) Ltd,GB
16095   | 81.19.235.60     | JAYNET jay.net a/s,DK

Anyone else been digging into this one?

Just a mild curiosity thus far, but it showed up earlier this week at 
another domain, x5d.su.  Same attempted exploits, same binaries (but AS1 
and AS2).

Thanks,

Scott A. McIntyre
Telstra AS1221
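A small log-triage script, added here as an example and not part of Scott's post, that flags the two things the post describes in Apache combined-format access logs: the `() {` function-definition prefix in the Referer/User-Agent headers, and requests for a subset of the probe paths listed. The sample log lines, the IPs in them and the PROBE_PATHS subset are constructed for this example.

```python
import re
from collections import Counter

# Function-definition prefix from the post's Cookie/Referer headers; "() {" alone catches spacing variants.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Subset of the probe paths from the post; matched against the request path with the
# query string stripped (the post's trailing "?" marks paths that carry one).
PROBE_PATHS = {"/cgi-bin/test.cgi", "/cgi-bin/test-cgi", "/cgi-sys/entropysearch.cgi",
               "/cgi-bin/php5", "/cgi-sys/php5", "/phppath/php", "/tmUnblock.cgi",
               "/cgi-bin/hello", "/cgi-bin/bash", "/cgi-sys/defaultwebpage.cgi"}

# Apache "combined" LogFormat (Cookie is not logged by default; add %{Cookie}i to the LogFormat to see it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

def classify(line):
    """Tags for one log line: 'shellshock' (header carries the prefix), 'probe'
    (request path is a known scanner target), 'unparsed', or [] when benign."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    tags = []
    if SHELLSHOCK_RE.search(m["referer"]) or SHELLSHOCK_RE.search(m["ua"]):
        tags.append("shellshock")
    if m["target"].split("?", 1)[0] in PROBE_PATHS:
        tags.append("probe")
    return tags

def summarize(lines):
    """Suspicious hits per source IP, most active first (the post's 'top sources' view)."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and classify(line):
            hits[m["ip"]] += 1
    return hits.most_common()

# Constructed sample lines (not real traffic; IPs are from documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Apr/2015:10:00:00 -0400] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 '
    '"() { :;} ;echo;/usr/bin/php -r %s" "Mozilla/5.0"',
    '192.0.2.10 - - [09/Apr/2015:10:00:01 -0400] "GET /cgi-bin/php5?x=1 HTTP/1.1" 404 209 '
    '"-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Apr/2015:10:00:02 -0400] "GET /index.html HTTP/1.1" 200 1024 '
    '"-" "curl/7.40.0"',
]
```

Run `summarize(open("access.log"))` against a real log to get the per-source count; `classify` on its own is enough to feed a SIEM rule.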

