DETECT AND PREVENT SHELLSHOCK ATTACKS WITH BITNINJA

Many servers are still affected by the ShellShock vulnerability, which gives attackers a remote exploit opportunity.

WHAT DOES IT MEAN?

If your server wasn’t patched against the ShellShock bash bug that was discovered recently, then attackers can easily get root access over it through a special HTTP request.

Recently, whole botnets have started expanding by exploiting this vulnerability. The best defense against ShellShock attacks is updating the bash program and patching the bug. In addition, our team's research has found that so far, on average, 9 out of 10 ShellShock attacks have been blocked by BitNinja without the ShellShock filter.

But the SenseLog module is already available, so it can provide immediate defense against ShellShock attacks by analyzing log files.

HAVE YOU SEEN SHELLSHOCK ATTEMPTS LATELY?

You can easily check by issuing this command:

grep -F '() { :;};' /var/log/apache2/access.log

(assuming the Apache web server's default log location)
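The grep command above matches only one exact spelling of the request. The following added example (not BitNinja's code and not part of the original slides) goes a step further: it matches the `() {` prefix that vulnerable bash versions required at the start of an imported function definition, and counts hits per client IP. The log lines, IP addresses and the `<constructed-command>` placeholder are constructed sample data.

```shell
#!/bin/sh
# Added example: summarise Shellshock probes per client IP from an access log.

# Vulnerable bash imported an environment value as a function only when it
# began with this exact prefix, so every spelling of the request carries it.
MARKER='() {'

# shellshock_total LOGFILE [PATTERN] -> number of log lines containing PATTERN
shellshock_total() {
    grep -c -F -- "${2:-$MARKER}" "$1" || true
}

# shellshock_hits LOGFILE -> "COUNT IP" per source address, busiest first
shellshock_hits() {
    grep -F -- "$MARKER" "$1" |
        awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' |
        sort -k1,1nr -k2,2
}

# Constructed sample log: documentation IP ranges, placeholder instead of a payload.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [01/Oct/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 404 345 "-" "() { :;}; <constructed-command>"
192.0.2.10 - - [01/Oct/2014:10:00:05 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 345 "() { :; }; <constructed-command>" "-"
198.51.100.7 - - [01/Oct/2014:10:02:11 +0000] "GET / HTTP/1.1" 200 5120 "-" "() { foo;}; <constructed-command>"
203.0.113.5 - - [01/Oct/2014:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
EOF
}

# Use the log file given as first argument, or fall back to the sample.
log=${1:-}
if [ ! -f "$log" ]; then
    log=$(mktemp)
    sample_log > "$log"
fi
exact=$(shellshock_total "$log" '() { :;};')
prefix=$(shellshock_total "$log")
echo "lines matching the exact string: $exact"
echo "lines matching the prefix:       $prefix"
shellshock_hits "$log"
```

On a real server, pass the access log path as the first argument; on the sample data the exact string finds 1 line while the prefix finds all 3 probes.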

Here you can see an example from one of our webservers. It is a botnet, trying to exploit the ShellShock vulnerability from several different IP addresses:

WHAT DO THEY HAVE IN COMMON?

1. The 88.150.140.66 C&C (Command and Control) server.
2. This server provides the control for the botnet and this is where cancellation of the infectious Perl robot file starts from.
3. http://88.150.140.66/mid is a botnet controller program, written in Perl.

WHAT IS IT FOR?

• waiting for commands through IRC
• complete shell run
• TCP flood
• UDP flood
• running optional HTTP requests (further expansion)

Protect your server from similar attacks!

SETTING UP IS JUST 3 SIMPLE STEPS

• Fill in the registration form to sign up
• Activate your account from the confirmation email
• Install BitNinja on your server in 5 minutes with your favorite package manager (yum, apt-get)

That’s it! It only takes a few minutes and your servers are safe!