On Tue, Mar 15, 2016 at 7:07 AM, Johnny InfoSec <[email protected]> wrote:
> Thanks Dan,
>
> As far as the log portion goes; can you make any sense of this? These are
> from other shellshock exploit attempt alerts. What exactly is going on here?
>
> 20:22:37.287 -0500 191.101.6.217 "-" POST "-" "-"
> /cgi-sys/defaultwebpage.cgi () { _; OpenVAS; } >_[$($())] { echo
> Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin;
> export PATH; id;
>
> 2016-03-14 20:22:40.566 -0500 191.101.6.217 "-" GET "-" "-"
> /cgi-sys/FormMail-clone.cgi () { OpenVAS:; }; echo Content-Type: text/plain;
> echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; id;
>
It looks like OpenVAS (a vulnerability scanner) is trying to execute the `id` command through either defaultwebpage.cgi or FormMail-clone.cgi. The "PATH=/usr/bin:/usr/local/bin:/bin; export PATH; id" bit sets the path for the shell (if it's shellshock I guess they expect bash to be the shell), and executes the id command. I believe the attempts are coming from 191.101.6.217. The first is attempting an HTTP POST, the second an HTTP GET.

> I really appreciate your help. This is all new to me.
>
> J~
>
>
> On Thursday, March 10, 2016 at 4:36:09 AM UTC-6, dan (ddpbsd) wrote:
>>
>>
>> On Mar 10, 2016 5:32 AM, "Johnny InfoSec" <[email protected]> wrote:
>> >
>> > Greetings,
>> >
>> > As a new OSSEC user, I have found some of the alerts difficult to make
>> > sense of. Is there any documentation (or decoder ring :-)) that helps with
>> > this?
>> >
>> > Trying to make sense of some of the different sections in the below
>> > alert:
>> >
>> > OSSEC HIDS Notification.
>> >
>>
>> This is the subject.
>>
>> > 2016 Mar 08 21:00:02
>> >
>> >
>>
>> Timestamp
>>
>> >
>> > Received From: .log
>> >
>>
>> Where the log triggering the alert originated.
>>
>> > Rule: 100032 fired (level 13) -> "Shellshock Exploit Attempt"
>> >
>>
>> The rule ID, level, and description.
>>
>> > Portion of the log(s):
>> >
>> >
>> >
>> > Mar 8 21:00:01 ??? WAF src= spt=13006 dst=??? dpt=443 actionTaken=CLOAK
>> > attackDescription=UNRECOGNIZED_COOKIE attackDetails=[Cookie\="echo"
>> > Service-created\="211 days back" Reason\="No valid encrypted pair"]
>> > attackGroup=ATTACK_CATEGORY_SESSION_TAMPER attackId=29030 logType=WF
>> > app=HTTPS request=.net/ requestMethod=GET rt=1457492380066
>> > userAgent="User-Agent: () { :;}; echo; echo "QPZVGMTHKAYNGZV" " referer=()
>> > { :;}; echo; echo "QPZVGMTHKAYNGZV"
>> >
>>
>> The log that triggered the alert.
>>
>> >
>> > If someone could help me break this alert down (i.e. each section/label)
>> > that would be much appreciated.
>> >
>> >
>> > J~
>> >
>> > --
>> >
>> > ---
>> > You received this message because you are subscribed to the Google
>> > Groups "ossec-list" group.
>> > To unsubscribe from this group and stop receiving emails from it, send
>> > an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
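The two access-log lines and the WAF line quoted in this thread can be pulled apart mechanically. The Python below is an added example written for this page, not OSSEC code and not anything either poster ran; the log lines it scans are copied from the messages above (redactions such as `???` left as posted), plus one constructed benign line as a control. It looks for the `() {` prefix that Shellshock payloads start with (the same kind of match a local OSSEC rule such as 100032, which sits in the 100000+ local-rules ID range, performs), handles the `>_[$($())] { ... }` variant in the first line where the commands live in a second brace block, and returns the command list per payload. For both CGI targets that list comes out as the same `echo Content-Type...; echo; echo; PATH=...; export PATH; id` sequence Dan describes; for the WAF line it is a pair of marker echoes in both the User-Agent and Referer headers.

```python
"""Pull apart Shellshock-style payloads in HTTP access-log and WAF log lines.

Added example for this thread, not code from OSSEC or from either poster.
It finds the bash function-definition prefix "() {" that every Shellshock
payload begins with and returns the shell commands that follow it, so an
analyst can answer "what exactly is going on here" from the log alone.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Pre-fix bash parsed an environment value starting with "() {" as an
# exported function and then kept executing whatever trailed the closing
# brace.  Web servers copy request headers (and some URI parts) into the CGI
# environment, so a header value like "() { :;}; id" runs `id` on the host.
FUNC_DEF = re.compile(r"\(\)\s*\{")

# Variant seen in the first access-log line: the dummy function is followed
# by ">_[$($())] { cmds }", and the commands sit in that second brace block.
SECOND_BLOCK = ">_[$($())]"

# In key="value" logs (the WAF line) the payload is followed by the next
# field; cut there so two headers are not merged into one command list.
NEXT_FIELD = re.compile(r'"\s+[A-Za-z][\w-]*=')

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
METHOD = re.compile(r"\b(GET|POST|HEAD|PUT|DELETE|OPTIONS)\b")
CGI_PATH = re.compile(r"/\S*\.cgi\b")


@dataclass
class Hit:
    src_ip: Optional[str]
    method: Optional[str]
    cgi_path: Optional[str]
    payloads: List[str] = field(default_factory=list)
    commands: List[List[str]] = field(default_factory=list)


def extract_commands(payload: str) -> List[str]:
    """Return the shell commands one "() { ... }" payload would execute."""
    m = FUNC_DEF.search(payload)
    if m is None:
        return []
    rest = payload[m.end():]
    close = rest.find("}")          # end of the (dummy) function body
    if close == -1:
        return []
    rest = rest[close + 1:].strip()
    if rest.startswith(SECOND_BLOCK):
        rest = rest[len(SECOND_BLOCK):].strip().lstrip("{").rstrip("}")
    cut = NEXT_FIELD.search(rest)
    if cut:
        rest = rest[:cut.start()]
    return [c.strip() for c in rest.split(";") if c.strip()]


def scan_line(line: str) -> Optional[Hit]:
    """Return a Hit for a line carrying Shellshock payload(s), else None."""
    starts = [m.start() for m in FUNC_DEF.finditer(line)]
    if not starts:
        return None
    # Each payload runs from its "() {" to the next one (or end of line).
    payloads = [line[a:b].rstrip() for a, b in zip(starts, starts[1:] + [len(line)])]
    ip, method, cgi = IPV4.search(line), METHOD.search(line), CGI_PATH.search(line)
    return Hit(
        src_ip=ip.group(0) if ip else None,
        method=method.group(1) if method else None,
        cgi_path=cgi.group(0) if cgi else None,
        payloads=payloads,
        commands=[extract_commands(p) for p in payloads],
    )


# Log lines copied from the thread (fields the poster had already redacted,
# such as "???", are left as they appear there); the last line is a
# constructed benign request used as a control.
SAMPLE_LINES = [
    r'20:22:37.287 -0500 191.101.6.217 "-" POST "-" "-" /cgi-sys/defaultwebpage.cgi () { _; OpenVAS; } >_[$($())] { echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; id;',
    r'2016-03-14 20:22:40.566 -0500 191.101.6.217 "-" GET "-" "-" /cgi-sys/FormMail-clone.cgi () { OpenVAS:; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; id;',
    r'Mar 8 21:00:01 ??? WAF src= spt=13006 dst=??? dpt=443 actionTaken=CLOAK attackDescription=UNRECOGNIZED_COOKIE attackDetails=[Cookie\="echo" Service-created\="211 days back" Reason\="No valid encrypted pair"] attackGroup=ATTACK_CATEGORY_SESSION_TAMPER attackId=29030 logType=WF app=HTTPS request=.net/ requestMethod=GET rt=1457492380066 userAgent="User-Agent: () { :;}; echo; echo "QPZVGMTHKAYNGZV" " referer=() { :;}; echo; echo "QPZVGMTHKAYNGZV"',
    r'2016-03-14 20:23:01.000 -0500 10.0.0.5 "-" GET "-" "-" /index.html',
]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        hit = scan_line(line)
        if hit is None:
            continue
        print(f"{hit.src_ip} {hit.method} {hit.cgi_path}")
        for cmds in hit.commands:
            print("  runs:", " ; ".join(cmds))
```

Run it as a script to see one summary per flagged line; the benign control line produces nothing. The `>_[$($())]` handling is the part worth keeping when you write your own rule: a regex that only looks for `};` followed by commands misses that form, while matching on the `() {` prefix itself catches every variant in the thread.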
