What Does A Shellshock Attack On Your Website Look Like?

You may have heard about Shellshock, the recently discovered vulnerability in the widely used Unix/Linux shell called “bash”. If you have any servers running a Unix/Linux distribution on your network, there is a high likelihood you are exposed to the vulnerability. The software bug dates back to 1994 (version 1.1.4) and persists through version 4.3. This vulnerability can be found on web servers, application servers, databases and network appliances. Many of us in the security industry are concerned that Shellshock will have a major impact on the Internet of Things, which includes millions of consumer devices that are based on Linux operating systems. Bash has been ported to numerous platforms including Mac OS X, Windows, and Android.

We have seen numerous IP addresses scanning the web for vulnerable hosts. The attackers appear to be manipulating a standard field in the incoming request called “User-Agent”, which typically identifies the type of browser used to request the website. In the case below, the attacker is injecting bash commands into the field in the hope of exploiting the system and tricking bash into writing a temporary script that can then be remotely executed. The screenshot below shows this Shellshock attack being blocked by our web application firewall.

[Screenshot: Shellshock attack in the User-Agent field.]
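To check your own access logs for the kind of request described above, the following added example (not code from the original post or from the firewall in the screenshot) flags header fields that contain a bash function-definition prefix. It assumes the Apache/nginx "combined" log format; the function name, sample log lines, IP addresses and path are constructed, and the injected command is replaced by a placeholder.

```python
import re

# Apache/nginx "combined" log format (assumed; adjust to your own LogFormat).
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Vulnerable bash versions treat an environment value beginning with "() {"
# as a function definition, and CGI copies request headers into the
# environment. Legitimate browsers never send this sequence.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')

def find_shellshock_probes(lines):
    """Return (ip, timestamp, field_name, status) for each suspicious field."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # unparseable line: skipped here, review separately
        for field in ("request", "referer", "agent"):
            if FUNC_DEF.search(m.group(field)):
                hits.append((m.group("ip"), m.group("ts"), field,
                             int(m.group("status"))))
    return hits

# Constructed sample log lines (documentation-range IPs, placeholder command).
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '403 210 "-" "() { :; }; [command-placeholder]"',
    '203.0.113.20 - - [26/Sep/2014:10:02:15 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [26/Sep/2014:10:03:40 +0000] "GET / HTTP/1.1" '
    '200 5120 "() {  :;};[command-placeholder]" "-"',
]

if __name__ == "__main__":
    for ip, ts, field, status in find_shellshock_probes(SAMPLE_LOG):
        print(f"{ts} {ip} function-definition prefix in {field} (HTTP {status})")
```

The status code helps with triage: a 403 suggests the request was blocked upstream, while a 200 on a hit means the request reached the application and the host's bash version should be checked.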

This is just one example of the Shellshock vulnerability being exploited in the wild. Many researchers believe we are just seeing the initial adoption of this attack method in popular black market malware toolkits. We have investigated all of the products we leverage in our Managed Security Services and have verified that none of these tools are exposed. Have you looked at your firewalls and other public-facing services to verify they aren’t Shellshocked? Contact us if you are interested in a review of your current infrastructure by our analysts.