2014-11-19-2029Z


here is the script, shellbot, that was uploaded to my server using vulnerabilities in my Bash CGI scripts, mostly failure to sanitize REQUEST_URI when interpolating it. posting it here for reference, since searching for various words in it doesn't bring up any Google hits on the actual source.

from my logs, I gather they backticked wget calls into the request, which fetched the above script into /tmp/bbr, then backticked the call to /tmp/bbr. that's all it took.

and all it hopefully takes to fix it is to use Bash's pattern substitution: ${REQUEST_URI//[^A-Za-z0-9\/.-]/} instead of $REQUEST_URI.

Back to blog or home page

last updated 2014-11-19 15:38:32. served from tektonic.jcomeau.com