Cole Tierney
April 01, 2015 04:26PM
Hello,

I'm seeing lots of shellshock probing in my access logs. My server's not vulnerable, but my logs are filling up with 404s. The requests are for random cgi scripts. The referer and user_agents are the same and always start with () { :; }; followed by curl or wget to a remote perl script piped to perl locally. I'd like to return 444 for these.

I'm currently using a couple of maps to set a variable $drop. What would be the most efficient way to test for the initial "() { :; };" at the beginning of these request headers? This is what I have so far:

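# 1 when the Referer header starts with "() { ... }"
map $http_referer $drop_referer {
    default 0;
    "~^\s*\(\s*\)\s*\{[^\}]*\}\s*" 1;
}
# 1 when the User-Agent matches; otherwise fall back to $drop_referer
map $http_user_agent $drop {
    default $drop_referer;
    "~^\s*\(\s*\)\s*\{[^\}]*\}\s*" 1;
}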

Or is there a better method to block these?

--
Cole

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
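
One way to check the expression from the maps above against existing access logs before acting on $drop. This is an added example, not part of the original post; it assumes the default "combined" log format and that Python's re module treats this pattern the same way nginx's PCRE does. The log lines are constructed samples.

```python
import re

# Same expression as in the two map blocks, without nginx's leading "~".
PREFIX = re.compile(r"^\s*\(\s*\)\s*\{[^\}]*\}\s*")

# nginx "combined" log format; referer and user agent are the last two fields.
COMBINED = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines (documentation addresses, command text elided).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2015:16:20:01 +0000] "GET /cgi-bin/a.cgi HTTP/1.1" '
    '404 168 "() { :; }; <command elided>" "() { :; }; <command elided>"',
    '192.0.2.11 - - [01/Apr/2015:16:20:05 +0000] "GET /cgi-bin/b HTTP/1.1" '
    '404 168 "-" "  ( ) { x; } ; <command elided>"',
    '192.0.2.12 - - [01/Apr/2015:16:20:09 +0000] "GET /cgi-bin/c HTTP/1.1" '
    '404 168 "() { :; }; <command elided>" "-"',
    '198.51.100.7 - - [01/Apr/2015:16:21:12 +0000] "GET / HTTP/1.1" '
    '200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/36.0"',
    '198.51.100.8 - - [01/Apr/2015:16:21:40 +0000] "GET /docs HTTP/1.1" '
    '200 900 "http://example.com/a(){}" "curl/7.40.0"',
]


def drop_value(referer, agent):
    """Mirror the chained maps: a User-Agent match sets $drop to 1,
    otherwise $drop takes the value of $drop_referer."""
    drop_referer = 1 if PREFIX.search(referer) else 0
    return 1 if PREFIX.search(agent) else drop_referer


def classify(lines):
    """Split log lines into (dropped, kept, unparsed) by client address."""
    dropped, kept, unparsed = [], [], []
    for line in lines:
        m = COMBINED.match(line)
        if m is None:
            unparsed.append(line)
        elif drop_value(m["referer"], m["agent"]):
            dropped.append(m["addr"])
        else:
            kept.append(m["addr"])
    return dropped, kept, unparsed


if __name__ == "__main__":
    dropped, kept, unparsed = classify(SAMPLE_LOG)
    print("would drop:", dropped)
    print("would keep:", kept)
```
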