shellshock probing

Cole Tierney cole.putnamhill at comcast.net
Wed Apr 1 20:25:42 UTC 2015


Hello,

I'm seeing lots of shellshock probing in my access logs. My server's not vulnerable, but my logs are filling up with 404s. The requests are for random cgi scripts. The referer and user_agents are the same and always start with () { :; }; followed by curl or wget to a remote perl script piped to perl locally. I'd like to return 444 for these.

I'm currently using a couple of maps to set a variable $drop. What would be the most efficient way to test for the initial "() { :; };" at the beginning of these request headers? This is what I have so far:

    map $http_referer $drop_referer {
        default 0;
        "~^\s*\(\s*\)\s*\{[^\}]*\}\s*"  1;
    }
    map $http_user_agent $drop {
        default $drop_referer;
        "~^\s*\(\s*\)\s*\{[^\}]*\}\s*"  1;
    }

Or is there a better method to block these?

--
Cole
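
An added example, not part of the original post: a way to check the regex from the two map blocks against access-log lines before deploying it, mirroring the chained maps ($drop is 1 when either header matches). The log lines, IP addresses and the harmless `echo` payload are constructed, and the nginx "combined" log format is assumed.

```python
import re

# The regex from the map blocks above, without nginx's leading "~" marker.
SHELLSHOCK = re.compile(r"^\s*\(\s*\)\s*\{[^\}]*\}\s*")

# nginx "combined" format (assumed): referer and user agent are the
# last two quoted fields on the line.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample lines: documentation IP ranges, harmless payload.
PROBE = "() { :; }; echo constructed-sample"
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Apr/2015:20:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '404 162 "%s" "%s"' % (PROBE, PROBE),
    '192.0.2.11 - - [01/Apr/2015:20:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '404 162 "-" "(){ :;}; echo constructed-sample"',
    '198.51.100.5 - - [01/Apr/2015:20:00:03 +0000] "GET / HTTP/1.1" '
    '200 612 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.6 - - [01/Apr/2015:20:00:04 +0000] "GET /robots.txt HTTP/1.1" '
    '200 24 "-" "curl/7.38.0"',
    # The pattern is anchored with ^, so a prefix before "()" is NOT matched.
    '198.51.100.7 - - [01/Apr/2015:20:00:05 +0000] "GET /cgi-bin/x HTTP/1.1" '
    '404 162 "-" "Mozilla/5.0 %s"' % PROBE,
]

def should_drop(referer, agent):
    """Mirror the chained maps: drop if either header matches the pattern."""
    return bool(SHELLSHOCK.match(referer) or SHELLSHOCK.match(agent))

def classify(lines):
    """Split log lines into (dropped, kept) request strings.
    Lines that do not parse are kept unchanged rather than dropped."""
    dropped, kept = [], []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and should_drop(m["referer"], m["agent"]):
            dropped.append(m["request"])
        else:
            kept.append(m["request"] if m else line)
    return dropped, kept

if __name__ == "__main__":
    dropped, kept = classify(SAMPLE_LOG)
    print("would drop:", dropped)
    print("would keep:", kept)
```
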


