On 26/09/2014 2:40 AM, Trevor Cordes wrote:
> On 2014-09-25 Gilbert E. Detillieux wrote:
>> I have another host, with some CGI scripts that have names of the form */cgi-bin/*.sh, and those URLs are seeing a lot of attempts (all failed as well). I guess they've got lists of potential target URLs to try, and anything ending in ".sh" is going to be irresistible!
> For sure someone must have compiled existing web-server lists to rapidly exploit zero-day http vectors. I'm actually a bit surprised that a) they did that and b) my measly SMB site is on the list.
> ...
> Besides CGI, which by its nature must pass the ENV, it looks like the number of http-vector cases may be limited.
There's a good overview video from SANS on the subject...
https://www.youtube.com/watch?v=W7GaVyzkCs0
It explains a quick way to find potentially vulnerable scripts, using a Google search...
    filetype:sh inurl:cgi-bin site:example.com
... which, of course, is exactly what the script kiddies are now doing (minus the site: tag) to target potential bash scripts.
It also briefly mentions other potentially exploitable vectors, such as ssh running restricted shells/scripts, and DHCP (not easily exploited, but can get you root access).
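
A local counterpart to the search query above, as an added example that is not part of the original message: it inventories a CGI directory by reading each file's `#!` line, so it also finds shell scripts whose names do not end in ".sh". The script name, the directory path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: inventory shell-interpreted scripts in a CGI directory.
# Usage (script name and path are assumptions): sh audit_cgi.sh /var/www/cgi-bin

# Print the interpreter named on a file's "#!" line (nothing if none).
# The body runs in a subshell so "set -f" and "set --" stay local.
shebang_interp() (
    # First line only; drop NULs (binaries) and CR (DOS line endings).
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\000\r')
    case $first in
        '#!'*) ;;
        *) exit 0 ;;
    esac
    set -f                      # no globbing while word-splitting
    set -- ${first#??}          # words after "#!"
    interp=${1##*/}
    if [ "$interp" = env ]; then
        # "#!/usr/bin/env [-S] [VAR=x] bash": skip options and assignments.
        shift
        while [ $# -gt 0 ]; do
            case $1 in -*|*=*) shift ;; *) break ;; esac
        done
        interp=${1##*/}
    fi
    printf '%s\n' "$interp"
)

# List "interpreter<TAB>path" for every file under $1 that sh or bash runs,
# whatever its name, so scripts without a ".sh" suffix are found too.
find_shell_cgi() {
    find "$1" -type f | sort | while IFS= read -r f; do
        interp=$(shebang_interp "$f")
        case $interp in
            sh|bash) printf '%s\t%s\n' "$interp" "$f" ;;
        esac
    done
}

# True when /bin/sh is bash under another name, in which case the "sh"
# rows above matter as much as the "bash" rows.
sh_is_bash() {
    /bin/sh -c 'test -n "$BASH_VERSION"'
}

if [ $# -gt 0 ]; then
    find_shell_cgi "$1"
    if sh_is_bash; then echo "note: /bin/sh is bash on this host"; fi
fi
```

Each row it prints is a script whose interpreter needs to be a patched shell before the script stays reachable over HTTP.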