My next class:
Network Monitoring and Threat Detection In-DepthSingaporeNov 18th - Nov 23rd 2024

Everybody Loves Bash Scripts. Including Attackers.

Published: 2024-10-23. Last Updated: 2024-10-23 12:52:45 UTC
by Johannes Ullrich (Version: 1)

Today our "First Seen" page displayed a number of simple URLs:

/wp-backup.sh
/submit.sh
/stage-deploy.sh
/scripts/driverenv.sh
/s3.sh
/run-deploy.sh
/passwords.sh
/m/index.php
/library.sh
/installer.sh
/envvars.sh
/driverenv.sh
/driver.sh
/docker/startup.sh
/develop.sh
/bucket.sh
/aws_cli.sh
/aws-env.sh

These URLs are not associated with a specific vulnerability. But they all have a couple of things in common:

  • Based on the .sh extension, they appear to be shell scripts
  • The name hints at scripts used to configure environment variables and other credentials.

Web applications often use environment variables to configure parameters like credentials. This isn't the most secure way of doing things, but it is often the most convenient and "secure enough" method. Storing credentials properly with tools like secret managers takes more work and planning. It also tends to be less portable between different systems. For a developer to use the same code on both development and production systems, environment variables are usually the easy choice.

In the past, I have written about scans for files holding environment variables, like ".env". But it looks like attackers got tired of these scans and are fanning out to other possible targets.

Some scripts (e.g. develop.sh or /docker/startup.sh) are often used to configure and start docker containers.

The scans yesterday originated from two IP addresses:

179.43.191.19: The website at this IP address displays an open directory listing. But the files appear more related to an old, now broken website. 

37.60.229.171: Shodan shows only port 22 (ssh) listening. 

Both IPs have been in our logs for about a month, scanning for various web application issues. They both appear to be colocated (virtual?) servers.

Lesson learned: Check your web servers for exposed configuration files. Sadly, they too often end up in the document root. At the very least, ensure they are outside the document root and, if possible, look for better ways to store secrets.
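As an added example (not part of the diary), here is a small Python scanner for web server access logs that flags requests for .sh and .env-style files and separates mere probes (4xx/403) from files the server actually delivered with a 2xx. The log lines are constructed for the example, reusing the two source IPs named above; the regex assumes the common "combined" log format.

```python
import re
from collections import defaultdict

# Constructed sample lines (combined log format); not real server traffic.
SAMPLE_LOG = """\
179.43.191.19 - - [23/Oct/2024:10:01:02 +0000] "GET /wp-backup.sh HTTP/1.1" 404 196 "-" "Mozilla/5.0"
179.43.191.19 - - [23/Oct/2024:10:01:03 +0000] "GET /aws-env.sh HTTP/1.1" 404 196 "-" "Mozilla/5.0"
37.60.229.171 - - [23/Oct/2024:10:05:10 +0000] "GET /docker/startup.sh HTTP/1.1" 200 512 "-" "curl/8.0"
37.60.229.171 - - [23/Oct/2024:10:05:11 +0000] "GET /.env HTTP/1.1" 403 199 "-" "curl/8.0"
10.0.0.5 - - [23/Oct/2024:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Oct/2024:10:06:01 +0000] "GET /static/app.js?v=3 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Shell scripts and dotenv-style files (.env, .env.local, ...) anywhere under the doc root.
SENSITIVE_RE = re.compile(r'(\.sh|/\.env(\.[\w-]+)?)$', re.IGNORECASE)


def is_sensitive_path(target: str) -> bool:
    """True if the request target (query string ignored) names a script or env file."""
    return SENSITIVE_RE.search(target.split('?', 1)[0]) is not None


def scan_access_log(text: str) -> list:
    """One finding per request for a sensitive path; 'served' is True on a 2xx,
    i.e. the server actually handed the file out. Everything else is a probe."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_sensitive_path(m['target']):
            continue
        status = int(m['status'])
        findings.append({'ip': m['ip'], 'path': m['target'].split('?', 1)[0],
                         'status': status, 'served': 200 <= status < 300})
    return findings


def summarize_by_source(findings: list) -> dict:
    """Map each client IP to its probe count and the paths it actually received."""
    summary = defaultdict(lambda: {'probes': 0, 'served': []})
    for f in findings:
        summary[f['ip']]['probes'] += 1
        if f['served']:
            summary[f['ip']]['served'].append(f['path'])
    return dict(summary)
```

Any IP with a non-empty `served` list points at a file that is sitting in the document root and must be moved out; the probe counts alone are useful for blocking or rate-limiting the scanning sources.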

 

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu