Koozali.org: home of the SME Server

Contribs.org Forums => General Discussion => Topic started by: holck on November 17, 2014, 10:55:06 PM

Title: ASWHDS_SCAN? Strange httpd error log entries
Post by: holck on November 17, 2014, 10:55:06 PM
Today my httpd error_log shows lots of errors from a local client:
Code:
ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:38 +0100] "GET /cgi-bin/at3/out.cgi HTTP/1.1" 404 217 "-" "() { ignored; };  echo Constent-Type: text/html; echo ; echo ASWHDS_SCAN Infected ;"
ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:38 +0100] "GET /cgi-bin/atc/out.cgi HTTP/1.1" 404 217 "-" "() { ignored; };  echo Constent-Type: text/html; echo ; echo ASWHDS_SCAN Infected ;"
etc. etc.

Notice the spelling error in "Constent-Type". Does anyone have any idea what's going on?
Title: Re: ASWHDS_SCAN? Strange httpd error log entries
Post by: Stefano on November 17, 2014, 11:21:19 PM
No, but I would disconnect that client from the LAN and use a good antivirus / anti-rootkit / anti-malware / $whatever on it.
Title: Re: ASWHDS_SCAN? Strange httpd error log entries
Post by: guest22 on November 18, 2014, 12:55:47 AM
I agree with Stefano, that specific client smells fishy...
Title: Re: ASWHDS_SCAN? Strange httpd error log entries
Post by: CharlieBrady on November 18, 2014, 03:14:01 AM
Something is looking for specific CGI scripts which can exploit the ShellShock bash vulnerability. The 404 status shows that those scripts weren't found.
Title: Re: ASWHDS_SCAN? Strange httpd error log entries
Post by: holck on November 18, 2014, 08:40:45 PM
Thank you for your help and suggestions. I will post here if I find out more about this specific kind of attack / malware.
Title: Re: ASWHDS_SCAN? Strange httpd error log entries
Post by: holck on November 18, 2014, 10:01:01 PM
Looking a bit more into the httpd log files, I noticed that the client's scan for exploitable files starts with this
Code:
ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:37 +0100] "GET / HTTP/1.1" 200 5646 "-" "avast! Antivirus"
ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:37 +0100] "GET /rom-0 HTTP/1.1" 404 203 "-" "avast! Antivirus"
ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:37 +0100] "GET / HTTP/1.1" 200 5646 "-" "avast! Antivirus"
ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:38 +0100] "GET /rom-0 HTTP/1.1" 404 203 "-" "avast! Antivirus"
ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:38 +0100] "GET /cgi-bin/a2/out.cgi HTTP/1.1" 404 216 "-" "() { ignored; };  echo Constent-Type: text/html; echo ; echo ASWHDS_SCAN Infected ;"
ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:38 +0100] "GET /cgi-bin/ajaxmail HTTP/1.1" 404 214 "-" "() { ignored; };  echo Constent-Type: text/html; echo ; echo ASWHDS_SCAN Infected ;"

Then follow lots of similar attempts, all with the browser identification string "() { ignored; ..."

So maybe it's the Avast antivirus program making the scan? On their web site they announce a "Home network scanner". But then again, why are the browser identifications so strange after the first 4 attempts?
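Added example, not code from the thread or from the SME Server project: a small Python script that picks the Shellshock-style probes out of Apache access-log lines in the vhost-prefixed combined format quoted above (CharlieBrady's reading that the "() { ...; };" User-Agent is a Shellshock payload and that the 404s mean the probed CGI scripts were not present, and holck's later excerpt showing the scan sequence). It reports, per client IP, how many probes were seen, which paths were tried, how many came back 404, and whether any probed path returned 2xx, which is the case that would actually matter. The sample log lines are constructed for this example, modelled on the thread's excerpt; the 200-status line, the `/cgi-bin/test-cgi` path and the second client address are made up to exercise the other branches.

```python
import re
from collections import defaultdict

# Apache "combined" format with a leading virtual-host field, which is the
# layout of the log lines quoted in this thread:
# vhost client - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A Shellshock payload starts with an empty bash function definition "() {".
# Vulnerable bash parsed the text after the closing brace as commands when a
# CGI handler exported the header value into the environment.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample input modelled on the thread's excerpt. The 200-status
# line, the /cgi-bin/test-cgi path and the 192.168.10.50 client are made up.
SAMPLE_LOG = [
    'ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:37 +0100] '
    '"GET / HTTP/1.1" 200 5646 "-" "avast! Antivirus"',
    'ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:38 +0100] '
    '"GET /cgi-bin/at3/out.cgi HTTP/1.1" 404 217 "-" '
    '"() { ignored; };  echo Constent-Type: text/html; echo ; echo ASWHDS_SCAN Infected ;"',
    'ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:38 +0100] '
    '"GET /cgi-bin/atc/out.cgi HTTP/1.1" 404 217 "-" '
    '"() { ignored; };  echo Constent-Type: text/html; echo ; echo ASWHDS_SCAN Infected ;"',
    # Constructed: a probe against a CGI script that does exist and answers 200.
    'ibsgaarden.dk 192.168.10.115 - - [17/Nov/2014:13:08:39 +0100] '
    '"GET /cgi-bin/test-cgi HTTP/1.1" 200 42 "-" '
    '"() { :; }; echo Content-Type: text/plain; echo; echo probe"',
    # Constructed: an ordinary request from another host, which must not be flagged.
    'ibsgaarden.dk 192.168.10.50 - - [17/Nov/2014:13:09:00 +0100] '
    '"GET /index.html HTTP/1.1" 200 5646 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def is_shellshock_probe(entry):
    """True if an attacker-controlled header carries the "() {" marker.

    The thread's scanner put it in User-Agent; Referer is another header that
    CGI handlers export into the environment, so check both.
    """
    return any(SHELLSHOCK_RE.search(entry[field]) for field in ('ua', 'referer'))


def summarize(lines):
    """Group Shellshock probes by client and separate 404s from real hits."""
    report = defaultdict(
        lambda: {'probes': 0, 'not_found': 0, 'hits': [], 'paths': set()}
    )
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_shellshock_probe(entry):
            continue
        r = report[entry['client']]
        r['probes'] += 1
        r['paths'].add(entry['path'])
        if entry['status'] == 404:
            # Script not present: the probe could not have reached bash at all.
            r['not_found'] += 1
        elif 200 <= entry['status'] < 300:
            # Script exists and ran with the payload in its environment. Whether
            # it was exploitable depends on the bash version; treat it as a hit
            # and go look at that host.
            r['hits'].append(entry['path'])
    return dict(report)


if __name__ == '__main__':
    for client, r in summarize(SAMPLE_LOG).items():
        print(f"{client}: {r['probes']} probes, {r['not_found']} x 404, "
              f"hits={r['hits']}, paths={sorted(r['paths'])}")
```

Run it against a real access_log with `summarize(open('/var/log/httpd/access_log'))`; anything in `hits` is a CGI script that answered a Shellshock payload and deserves the same treatment the thread recommends for the scanning client.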