We’ve seen the articles about how to find out if you’re vulnerable to the bash shellshock bug, we’ve also seen the articles on how to patch your system. What I’ll show you is how to find out if people are testing your system.

First, ssh into your server and find your http access logs.

Some common places are:
cPanel: /usr/local/apache/domlogs/
Debian/Apache: /var/log/apache2/
CentOS: /var/log/httpd/

Once you find them, you can cat them, grepping for this pattern:

cat access_log |grep "{ :;};"

You can make it prettier by using awk…
This will show me the IP addresses that have tried it..

cat gnulinux.ro |grep "{ :;};"|awk '{print $1}'|uniq

(print $1 means print the first column. Your access log might have the IP in a different column.. try $3 if $1 doesn’t work)

This will show me how many times each IP hit me:

cat gnulinux.ro |grep "{ :;};"|awk '{print $1}'|uniq -c

Then, i can take it further by using csf to block anyone who’s tried it:

for x in $(cat gnulinux.ro |grep "{ :;};"|awk '{print $1}'|uniq);do csf -d $x;done

  • What is your reaction?
  • powered by Verysign
  • like gnulinux.ro
    Like
  • unmoved gnulinux.ro
    Unmoved
  • amused gnulinux.ro
    Amused
  • excited gnulinux.ro
    Excited
  • angry gnulinux.ro
    Angry
  • sad gnulinux.ro
    Sad
TENDINTA  
Chriss gnulinux.ro
Chriss
chriss@system ~ $ hwinfo --short
48 articole
In context
Bash ShellShock bug – Find out if you’ve been “tested” gnulinux.ro

1 Tutorial Bash ShellShock bug – Find out if you’ve been “tested”
  • Comment
  • powered by Verysign

Comments

Nici un comentariu inca. Fii primul!