Bash ShellShock bug – Find out if you’ve been “tested”

We’ve seen the articles about how to find out if you’re vulnerable to the bash shellshock bug, we’ve also seen the articles on how to patch your system. What I’ll show you is how to find out if people are testing your system.

First, ssh into your server and find your http access logs.

Some common places are:
cPanel: /usr/local/apache/domlogs/
Debian/Apache: /var/log/apache2/
CentOS: /var/log/httpd/

Once you find them, you can cat them, grepping for this pattern:

cat access_log |grep "{ :;};"

You can make it prettier by using awk…
This will show me the IP addresses that have tried it..

cat gnulinux.ro |grep "{ :;};"|awk '{print $1}'|uniq

(print $1 means print the first column. Your access log might have the IP in a different column.. try $3 if $1 doesn’t work)

This will show me how many times each IP hit me:

cat gnulinux.ro |grep "{ :;};"|awk '{print $1}'|uniq -c

Then, i can take it further by using csf to block anyone who’s tried it:

for x in $(cat gnulinux.ro |grep "{ :;};"|awk '{print $1}'|uniq);do csf -d $x;done