shellshock probing

Cole Tierney cole.putnamhill at
Wed Apr 1 20:25:42 UTC 2015


I'm seeing lots of shellshock probing in my access logs. My server's not vulnerable, but my logs are filling up with 404s. The requests are for random cgi scripts. The referer and user_agents are the same and always start with () { :; }; followed by curl or wget to a remote perl script piped to perl locally. I'd like to return 444 for these.

I'm currently using a couple of maps to set a variable $drop. What would be the most efficient way to test for the initial "() { :; };" at the beginning of these request headers? This is what I have so far:

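    # Both maps go in the http context.
    map $http_referer $drop_referer {
        default 0;
        "~^\s*\(\s*\)\s*\{[^\}]*\}\s*"  1;
    }

    # $drop is 1 if either the Referer or the User-Agent matches.
    map $http_user_agent $drop {
        default $drop_referer;
        "~^\s*\(\s*\)\s*\{[^\}]*\}\s*"  1;
    }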

Or is there a better method to block these?
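
An offline check of the pattern above against access-log lines before deploying it, as an added example that is not part of the original post. It assumes nginx's default "combined" log format; the sample lines and the names `would_drop` and `classify` are constructed for illustration.

```python
import re

# The pattern from the post's two map blocks (nginx "~" = case-sensitive regex).
SHELLSHOCK_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{[^\}]*\}\s*")

# Assumed log format: nginx "combined"
#   addr - user [time] "request" status bytes "referer" "user_agent"
COMBINED = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"'
)

def would_drop(referer, user_agent):
    """Mirror the chained maps: $drop is 1 if either header matches."""
    return bool(SHELLSHOCK_PREFIX.match(referer)
                or SHELLSHOCK_PREFIX.match(user_agent))

def classify(lines):
    """Return (request, dropped) for every line that parses as combined format."""
    results = []
    for line in lines:
        m = COMBINED.match(line)
        if m is None:
            continue  # not a combined-format line; skip rather than guess
        results.append((m["request"],
                        would_drop(m["referer"], m["user_agent"])))
    return results

# Constructed sample lines: documentation-range addresses, inert header text.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2015:20:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 168 "() { :; }; echo constructed" "() { :; }; echo constructed"',
    '198.51.100.7 - - [01/Apr/2015:20:00:05 +0000] "GET /index.html HTTP/1.1" 200 612 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.4 - - [01/Apr/2015:20:00:09 +0000] "GET /cgi-bin/status HTTP/1.0" 404 168 "-" "(){:;}; echo constructed"',
]

if __name__ == "__main__":
    for request, dropped in classify(SAMPLE_LOG):
        print("DROP" if dropped else "PASS", request)
```

Running it over a copy of a real access log shows which past requests the maps would have dropped, and confirms that ordinary user agents containing parentheses are left alone.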

