Koozali.org: home of the SME Server

ASWHDS_SCAN? Strange httpd error log entries

Offline holck

ASWHDS_SCAN? Strange httpd error log entries
« on: November 17, 2014, 10:55:06 PM »
Today my httpd error_log shows lots of errors from a local client:
Code:
ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:38 +0100] "GET /cgi-bin/at3/out.cgi HTTP/1.1" 404 217 "-" "() { ignored; };  echo Constent-Type: text/html; echo ; echo ASWHDS_SCAN Infected ;"
ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:38 +0100] "GET /cgi-bin/atc/out.cgi HTTP/1.1" 404 217 "-" "() { ignored; };  echo Constent-Type: text/html; echo ; echo ASWHDS_SCAN Infected ;"
etc. etc.

Notice the spelling error in "Constent-Type". Does anyone have any idea what's going on?
......

Offline Stefano

Re: ASWHDS_SCAN? Strange httpd error log entries
« Reply #1 on: November 17, 2014, 11:21:19 PM »
No, but I would disconnect that client from the LAN and use a good antivirus / anti-rootkit / malware / $whatever on it.

guest22

Re: ASWHDS_SCAN? Strange httpd error log entries
« Reply #2 on: November 18, 2014, 12:55:47 AM »
I agree with Stefano, smells fishy that specific client...

Offline CharlieBrady

Re: ASWHDS_SCAN? Strange httpd error log entries
« Reply #3 on: November 18, 2014, 03:14:01 AM »
Something is looking for specific CGI scripts which can exploit the ShellShock bash vulnerability. The 404 status shows that those scripts weren't found.

Offline holck

Re: ASWHDS_SCAN? Strange httpd error log entries
« Reply #4 on: November 18, 2014, 08:40:45 PM »
Thank you for your help and suggestions. I will post here if I find out more about this specific kind of attack / malware.
......

Offline holck

Re: ASWHDS_SCAN? Strange httpd error log entries
« Reply #5 on: November 18, 2014, 10:01:01 PM »
Looking a bit more into the httpd log files, I noticed that the client's scan for exploitable files starts with this
Code:
ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:37 +0100] "GET / HTTP/1.1" 200 5646 "-" "avast! Antivirus"
ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:37 +0100] "GET /rom-0 HTTP/1.1" 404 203 "-" "avast! Antivirus"
ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:37 +0100] "GET / HTTP/1.1" 200 5646 "-" "avast! Antivirus"
ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:38 +0100] "GET /rom-0 HTTP/1.1" 404 203 "-" "avast! Antivirus"
ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:38 +0100] "GET /cgi-bin/a2/out.cgi HTTP/1.1" 404 216 "-" "() { ignored; };  echo Constent-Type: text/html; echo ; echo ASWHDS_SCAN Infected ;"
ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:38 +0100] "GET /cgi-bin/ajaxmail HTTP/1.1" 404 214 "-" "() { ignored; };  echo Constent-Type: text/html; echo ; echo ASWHDS_SCAN Infected ;"

Then follow lots of similar attempts, all with the browser identification string "() { ignored; ..."

So maybe it's the Avast antivirus program making the scan? On their web site they announce a "Home network scanner". But then again, why are the browser identifications so strange after the first 4 attempts?
......
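A defender's check for the probes discussed in this thread, added here as an example (not code from the thread or from SME Server): it parses Apache vhost-combined log lines in the format shown above and flags any request whose User-Agent or Referer carries the "() {" ShellShock function-definition signature, recording whether the status was 404 (the target script was absent, as CharlieBrady notes) or something else (a CGI actually answered and the host should be examined). The host name and the second and third sample lines are constructed; the client address is the one from the thread.

```python
import re

# Apache "vhost combined" format, as in the thread's excerpt:
# %v %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# A ShellShock probe places a bash function definition "() {" in a header
# that the web server exports as an environment variable to CGI scripts.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in this format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(lines):
    """Return one finding per line whose User-Agent or Referer carries the signature."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("agent", "referer"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append({
                    "client": rec["client"],
                    "path": rec["path"],
                    "status": int(rec["status"]),
                    "header": field,
                    # 404 means the probed script did not exist; any other status
                    # means a CGI handled a request carrying the payload.
                    "reached_cgi": rec["status"] != "404",
                })
                break
    return hits


# Constructed sample log, modeled on the thread's excerpt (host name is a placeholder).
SAMPLE_LOG = [
    'www.example.org 192.168.10.115 - - [17/Nov/2014:13:08:37 +0100] "GET / HTTP/1.1" 200 5646 "-" "avast! Antivirus"',
    'www.example.org 192.168.10.115 - - [17/Nov/2014:13:08:38 +0100] "GET /cgi-bin/at3/out.cgi HTTP/1.1" 404 217 "-" "() { ignored; };  echo Constent-Type: text/html; echo ; echo ASWHDS_SCAN Infected ;"',
    'www.example.org 192.168.10.115 - - [17/Nov/2014:13:08:39 +0100] "GET /cgi-bin/test.cgi HTTP/1.1" 200 42 "-" "() { ignored; };  echo Constent-Type: text/html; echo ; echo ASWHDS_SCAN Infected ;"',
]

if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE_LOG):
        print(hit)
```

Run it against a real error_log or access_log by reading the file into a list; any finding with reached_cgi set to True deserves a look at that CGI and its environment handling.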