Bonus bash thoughts but no change on my view,

I was scanned run against apache with.

cat access_log |grep “{ :;};”

Grep from here [not this blog] The scan looks like

89.207.135.125 – – [25/Sep/2014:10:59:54 +0100] “GET /cgi-sys/defaultwebpage.cgi HTTP/1.0” 403 543 “-” “() { :;}; /bin/ping -c 1 198.101.206.138”

My view is the same, as

  1. ping is userland not an special tool
  2. defaultwebpage.cgi would need to be created and i dont have one
  3. its a 403 code so you need a user to make the file, change its permissions to the apache group …
  4. 198.101.206.138 is a rackspace ‘cloud’ server
  5. 89.207.135.125 is netherlands based
  6. “admin” commands like ifdown* still need privileges here

bash

Its interesting to see but needs work.

* old so ip would be ‘modern’

One response

  1. Pingback: One week of bash exploits | Bananas in the Falklands

by golly but...

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s