How to scan access_log for Shellshock attempts via httpd

In the previous post, we announced the discovery of the remote bash vulnerability which has been dubbed “Shellshock” throughout the security and Linux communities.

As you may know, bash supports exporting shell functions as well as shell variables to other bash instances; it does so by passing them through the process environment to the child process.

We previously reported that one of the major attack vectors identified in this case was HTTP requests to CGI scripts. Nearly a week later, we're seeing (on our own servers) attempts to exploit this vulnerability via Apache/httpd, and here's how you can check your own access_logs to see whether you've been targeted.

NOTE: IF YOU HAVE NOT UPDATED/PATCHED YOUR BASH YET, SKIP THIS POST AND DO THAT IMMEDIATELY.

Inside a directory containing your access_log file(s):

find . -name '*access_log*' -execdir \
    grep --color=always -HE '\(.*\).*\{.*\}.*"' {} +

(If your logs use other file names, add further -name patterns joined with -o inside a \( ... \) group.) With -E the escaped parentheses and braces are literal characters, so the pattern matches a "(", ")", "{" and "}" in that order before the closing quote of the request line, i.e. the "() { ... }" function definition that triggers the bug.

Example output showing attempts to exploit via httpd:

./access_log:37.128.189.183 - - [02/Oct/2014:14:39:14 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
./access_log:37.128.189.183 - - [02/Oct/2014:14:39:14 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
./access_log:95.211.131.148 - - [02/Oct/2014:14:39:22 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
./access_log:95.211.131.148 - - [02/Oct/2014:14:39:22 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
./access_log:209.11.159.26 - - [02/Oct/2014:23:45:48 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
./access_log:209.11.159.26 - - [02/Oct/2014:23:45:48 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
./access_log:177.87.80.17 - - [03/Oct/2014:03:00:20 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
./access_log:177.87.80.17 - - [03/Oct/2014:03:00:20 -0700] "GET /?x=() { :; }; echo Content-type:text/plain;echo;echo;echo M`expr 1330 + 7`H; HTTP/1.0" 403 228
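The grep one-liner only matches the trigger when it appears literally in the logged request line. The following is an added example (not from the original post) of the same check as a small Python scanner that parses Apache common/combined log lines, also recognises percent-encoded forms of "() {", and reports which field (request line, Referer or User-Agent) carried it. The log format regex assumes the standard Apache formats; the addresses and payloads in SAMPLE_LOG are constructed.

```python
import re
import urllib.parse

# Apache Combined Log Format; the Common Log Format just lacks the last two fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# The Shellshock trigger is a bash function definition, "() {", arriving in a
# value that a CGI handler exports into the environment. Spacing is optional.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')


def is_shellshock(field: str) -> bool:
    """True if the field carries the trigger, either raw or percent-encoded."""
    if SHELLSHOCK_RE.search(field):
        return True
    return SHELLSHOCK_RE.search(urllib.parse.unquote(field)) is not None


def scan(lines):
    """Yield (client_ip, timestamp, status, field) for each hit in the log lines."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an Apache access_log line; skip rather than guess
        for field in ("request", "referer", "agent"):
            value = m.group(field)
            if value and is_shellshock(value):
                yield (m["ip"], m["time"], int(m["status"]), field)
                break


# Constructed sample lines (addresses and payloads are made up for this example).
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Oct/2014:14:39:14 -0700] "GET /?x=() { :; }; echo hit HTTP/1.0" 403 228',
    '198.51.100.8 - - [02/Oct/2014:15:01:02 -0700] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo hit"',
    '198.51.100.9 - - [02/Oct/2014:15:05:40 -0700] "GET /?x=%28%29%20%7B%20%3A%3B%20%7D%3B%20echo%20hit HTTP/1.0" 403 228',
    '192.0.2.10 - - [02/Oct/2014:15:10:00 -0700] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when, status, field in scan(SAMPLE_LOG):
        print(f"{ip} {when} status={status} trigger in {field}")
```

A 200 status on a hit deserves a closer look than a 403, since it means the request reached a handler rather than being refused.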