shellshock probing
Cole Tierney
cole.putnamhill at comcast.net
Wed Apr 1 20:25:42 UTC 2015
Hello,
I'm seeing lots of shellshock probing in my access logs. My server's not vulnerable, but my logs are filling up with 404s. The requests are for random cgi scripts. The referer and user_agents are the same and always start with () { :; }; followed by curl or wget to a remote perl script piped to perl locally. I'd like to return 444 for these.
I'm currently using a couple of maps to set a variable $drop. What would be the most efficient way to test for the initial "() { :; };" at the beginning of these request headers? This is what I have so far:
map $http_referer $drop_referer {
    default 0;
    "~^\s*\(\s*\)\s*\{[^\}]*\}\s*" 1;
}
map $http_user_agent $drop {
    default $drop_referer;
    "~^\s*\(\s*\)\s*\{[^\}]*\}\s*" 1;
}
Or is there a better method to block these?
--
Cole
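
An added example, not part of the original post: a Python check that replays the post's regular expression over access-log lines to show which requests the two maps would flag before a 444 is wired to $drop. It assumes nginx's default "combined" log format; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# The pattern from the post's map blocks, unchanged. It uses only syntax
# that Python's re module accepts as well as nginx's PCRE.
FUNC_PREFIX = re.compile(r"^\s*\(\s*\)\s*\{[^\}]*\}\s*")

# Assumed "combined" format: the last two quoted fields are referer and user agent.
COMBINED = re.compile(
    r'^(?P<addr>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def would_drop(referer, agent):
    """Mirror the two chained maps: flagged if either header matches."""
    return bool(FUNC_PREFIX.search(referer) or FUNC_PREFIX.search(agent))

def scan(lines):
    """Return (flagged entries, per-client counts, number of unparsed lines)."""
    flagged, per_client, unparsed = [], Counter(), 0
    for line in lines:
        m = COMBINED.match(line.strip())
        if m is None:
            unparsed += 1  # not in the assumed format; count it, do not guess
            continue
        if would_drop(m["referer"], m["agent"]):
            flagged.append(m.groupdict())
            per_client[m["addr"]] += 1
    return flagged, per_client, unparsed

# Constructed sample lines (documentation addresses, command text elided).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2015:20:01:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 168 "() { :; }; <elided>" "() { :; }; <elided>"',
    '192.0.2.10 - - [01/Apr/2015:20:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 404 168 "-" "  ( ) { x; } ; <elided>"',
    '198.51.100.7 - - [01/Apr/2015:20:02:11 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/36.0"',
    '198.51.100.7 - - [01/Apr/2015:20:02:12 +0000] "GET /doc HTTP/1.1" 200 90 "http://example.com/a(){b}" "curl/7.40.0"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    hits, clients, bad = scan(SAMPLE_LOG)
    for h in hits:
        print(h["addr"], h["status"], h["request"])
    print(dict(clients), "unparsed:", bad)
```

Running it against a real access log before enabling the block shows whether any legitimate client sends a header that begins with the same prefix.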