23

I found this code, followed by several bash commands downloading and running a payload from the web, in the referer field in my apache error logs. The attack appears to work by converting a command name into a function name for the empty function body, (){ :; }.

This is clearly attempting to perform a bash command injection. What servers, configurations, or modules might be vulnerable to this attack?

Kylos

2 Answers

36

This is targeting the Shellshock bug (which even has its own tag):

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

Affected are any systems which run a vulnerable Bash version and a way for an attacker to inject an environment variable. The most well known case is Apache which automatically sets certain environment variables from the request. You don't need a Bash CGI. See this article about Shell Shock Exploitation Vectors for an extensive list.

In order to defend against this attack you must update your Bash. To test if your Bash version is vulnerable, you may execute the following line from @EliahKagan's great answer:

x='() { :;}; echo VULNERABLE' bash -c :

See Everything you need to know about the Shellshock Bash bug or the corresponding CVE for more information.

Beat
    Thanks. Does this specifically require a bash CGI script to be effective? I wasn't able to see from the linked article what preconditions are necessary to make this attack succeed. I did patch my system shortly after shellshock was announced, but I'm curious if anything else in my configuration would have left me vulnerable. – Kylos Nov 06 '15 at 16:37
  • @Kylos I've added information about attack vectors to the answer – Beat Nov 06 '15 at 17:04
  • Thanks @Beat. I also found a list of potential vectors within apache. http://security.stackexchange.com/questions/68146/how-do-i-secure-apache-against-the-bash-shellshock-vulnerability – Kylos Nov 06 '15 at 17:13
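A defender-side check for the same marker in web server logs, added here as an example that is not part of Beat's answer or the linked articles. It greps for the "() {" ... "};" shape that the vulnerable Bash parser acts on, against constructed Apache access and error log lines; it assumes POSIX sh with grep and wc.

```shell
#!/bin/sh
# Added example, not from the original answer: scan log lines for the Shellshock
# trigger, a Bash function definition "() {" in a header value (Referer,
# User-Agent, Cookie, ...) followed by "};" and a trailing command.
# Assumes POSIX sh with grep and wc. All log lines below are constructed.

# Constructed sample: two Apache combined-format access log lines and one
# error log line. IPs, paths and timestamps are made up.
SAMPLE_LOG='10.0.0.5 - - [06/Nov/2015:16:37:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :; }; echo hit" "Mozilla/5.0"
10.0.0.6 - - [06/Nov/2015:16:38:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "http://example.com/" "Mozilla/5.0"
[Fri Nov 06 16:39:00 2015] [error] [client 10.0.0.7] Premature end of script headers: status, referer: () { :;}; /bin/true'

# Filter stdin down to the lines carrying the trigger pattern. Whitespace inside
# the definition is optional and the body is ignored, because only the
# "() {" ... "};" shape matters to the vulnerable parser.
shellshock_hits() {
    grep -E '\(\)[[:space:]]*[{][^}]*[}][[:space:]]*;'
}

# Number of hits in the constructed sample, printed on stdout.
count_sample_hits() {
    printf '%s\n' "$SAMPLE_LOG" | shellshock_hits | wc -l | tr -d ' '
}

# Stand-alone run: print the offending lines and a summary.
# Against a real log (path assumed): shellshock_hits < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | shellshock_hits
echo "hits: $(count_sample_hits)"
```

A hit only shows that a probe arrived; whether it succeeded depends on the Bash version and on whether a CGI or similar path exported the header into the environment, which is exactly what the patch removes.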
0

It looks like a remote command execution payload. A remote command execution vulnerability is used for running system commands with the same privilege as the web server user. It leads to total compromise of the server. Look at the OWASP article about this for more info.

haseeb