Welcome! Log In Create A New Profile

Advanced

shellshock probing

Cole Tierney
April 01, 2015 04:26PM
Hello,

I'm seeing lots of shellshock probing in my access logs. My server's not vulnerable, but my logs are filling up with 404s. The requests are for random cgi scripts. The referer and user_agents are the same and always start with () { :; }; followed by curl or wget to a remote perl script piped to perl locally. I'd like to return 444 for these.

I'm currently using a couple of maps to set a variable $drop. What would be the most efficient way to test for the initial "() { :; };" at beginning of these request headers? This is what I have so far:

map $http_referer $drop_referer {
default 0;
"~^\s*\(\s*\)\s*\{[^\}]*\}\s*" 1;
}
map $http_user_agent $drop {
default $drop_referer;
"~^\s*\(\s*\)\s*\{[^\}]*\}\s*" 1;
}

Or is there a better method to block these?

--
Cole

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

2 maps for one 1 variable?

Cole Tierney April 01, 2015 03:08PM

Re: 2 maps for one 1 variable?

GreenGecko April 01, 2015 03:24PM

Re: 2 maps for one 1 variable?

Cole Tierney April 01, 2015 04:04PM

shellshock probing

Cole Tierney April 01, 2015 04:26PM

Re: shellshock probing

mex April 01, 2015 04:50PM

Re: shellshock probing

Cole Tierney April 01, 2015 05:08PM

Re: shellshock probing

mex April 01, 2015 05:17PM

Re: shellshock probing

itpp2012 April 02, 2015 07:21AM

Re: shellshock probing

Cole Tierney April 02, 2015 09:34AM

Re: shellshock probing

B.R. April 02, 2015 10:50AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 101
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready