Attack of the Day

The Cookie Madness

There are a fair number of ShellShock type attacks that come through here every day.  Below is a short example of one.  I have no idea what a tilimilitriam might be, but I would hazard a guess and say it doesn’t appear on any page that I’ve crafted (with one exception... dang).

Being such a unique word makes it a great choice for a return value to a script – keeps the false positives down.  I’m working under the assumption that a script is generating all these requests and is waiting to see tilimilitriam show up in the response, at which point he knows he has a victim.  At that point, a real attack could be launched.  I kind of want to embed tilimilitriam on every page I own to see if the infection part of the attack is automated, as well.

GET /cgi-bin/php5.cgi HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept: */*
Cookie: () { test;};echo \\\"Content-type: text/plain\\\"; echo; echo; echo tilimilitriam
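
A detection sketch for the probe shown above, added here as an example and not part of the original post: it flags any request header carrying the bash function-definition prefix `() {` and pulls out the word the scanner expects to see echoed back. The function names and the benign comparison request are constructed for illustration.

```python
import re

# ShellShock payloads open with a bash function definition: "() {"
FUNC_PREFIX = re.compile(r"\(\)\s*\{")
# A bare word handed to `echo` is the marker the scanner waits to see echoed back
ECHO_WORD = re.compile(r"\becho\s+([A-Za-z0-9_-]+)")

# Request from the post (raw string keeps the backslashes exactly as logged)
PROBE = r'''GET /cgi-bin/php5.cgi HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Accept: */*
Cookie: () { test;};echo \\\"Content-type: text/plain\\\"; echo; echo; echo tilimilitriam
'''
# Constructed benign request for comparison
BENIGN = "GET /index.html HTTP/1.1\nAccept: */*\nCookie: session=abc123\n"

def parse_headers(raw_request):
    """Map lower-cased header names to values, stopping at the blank line."""
    headers = {}
    for line in raw_request.strip().splitlines()[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def find_shellshock_probe(raw_request):
    """Return one finding per header carrying a function-definition prefix."""
    findings = []
    for name, value in parse_headers(raw_request).items():
        match = FUNC_PREFIX.search(value)
        if match:
            # Text after the prefix is what a vulnerable bash would run
            markers = ECHO_WORD.findall(value[match.end():])
            findings.append({"header": name, "markers": markers})
    return findings

def markers_in_response(findings, body):
    """Markers present in a response body: a hit from the scanner's view,
    whether bash echoed the word or the page merely contains it."""
    return [m for f in findings for m in f["markers"] if m in body]

if __name__ == "__main__":
    hits = find_shellshock_probe(PROBE)
    print(hits)
    print(markers_in_response(hits, "a post that mentions tilimilitriam"))
```

`markers_in_response` also shows why a page that merely mentions the marker word looks like a hit to the scanner: it can only check for the string, not for how it got there.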

