0

Someone, today, appears to have tried to attack my VPS. I checked my logs and saw this:

54.251.83.67 - - [26/Sep/2014:17:07:02 -0400] "GET / HTTP/1.1" 200 1437 "-" "() { :;}; /bin/bash -c \"echo testing9123123\"; /bin/uname -a"

Am I vulnerable? If not, how could I tell if I was? I updated to the latest update earlier before the above happened and did a test which came back as an error.

Chris Burton
  • 103
  • 3

1 Answers1

1

You can't tell from that log entry if you're vulnerable or not. If you're not vulnerable, there may be a corresponding entry in Apache's error log with lines similar to

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

However, the error message will only show up if your site's root webpage can be used as an attack vector. If you're serving a static page, or a dynamic page that doesn't invoke Bash, there will be no error message.

Basically, the best evidence that you're not vulnerable is that you updated before the probe attempt took place.

Mark
  • 34,390
  • 9
  • 85
  • 134
  • Thanks! The reason I asked is because after I updated I was trying to install some software (HHVM) and now basic commands are not working. I just wanted to make sure I didn't override or lose anything security wise. – Chris Burton Sep 26 '14 at 21:26