Shellshock

"Shellshock" is the name given to a family of 6 vulnerabilities in the Bash command shell on Linux. Details about the vulnerability can be found on Wikipedia.
While running Security Onion (see previous post), I noticed that people were requesting various files on my webserver, probing for a vulnerability. Being the curious type, this prompted me to ask: what exactly is being queried, can I log it, and, following on from that, what would the malware do next if I responded to it, assuming there is a pattern in the filenames?
To find out more, I modified my 404 page (a PHP script) to include a file which records the request details for us.
<?php
/**********************************************
404 inc Page for Collecting exploit info
and log it. Optionally, respond to
exploit, to see what happens next...
Can be included in a normal 404 Page
Author:
Tim Wilkes - php-systems.com - 2015/03/02
**********************************************/
$LOGFILE = "/var/tmp/httpd-404.log";
date_default_timezone_set("UTC");

// Fetch a $_SERVER value without triggering an undefined-index notice,
// and strip CR/LF so a crafted header cannot forge extra log lines.
function srv($key) {
    $val = isset($_SERVER[$key]) ? $_SERVER[$key] : "";
    return str_replace(array("\r", "\n"), " ", $val);
}

// Log the 404 to a text file.
// You could log it to a database, just be very, very careful...
if (is_writable($LOGFILE)) {
    $fp = @fopen($LOGFILE, "a");
    if ($fp) {
        fwrite($fp, "USERAGENT:" . srv('HTTP_USER_AGENT'));
        fwrite($fp, ":PAGE:" . srv('REQUEST_URI'));
        fwrite($fp, ":HOST:" . srv('HTTP_HOST'));
        fwrite($fp, ":TIME(UTC):" . time());
        fwrite($fp, ":REMOTEHOST:" . srv('REMOTE_ADDR'));
        fwrite($fp, "\n");
        fclose($fp);
    } else {
        echo "\n";
    }
}

// Respond if we see a page we know and respond....
$uri = srv('REQUEST_URI');
if ($uri == "//") {
    echo "ad43fd99987a8f6a648abe05095bf52c";
} elseif ($uri == "/cgi-bin/test-cgi") {
    echo "ad43fd99987a8f6a648abe05095bf52c";
} elseif ($uri == "/cgi-sys/realsignup.cgi") {
    echo "ad43fd99987a8f6a648abe05095bf52c";
}
?>
The value "ad43fd99987a8f6a648abe05095bf52c" is actually the MD5 sum of 2014. This is what the bot is attempting to get back from my server, so I am simply making it think it has succeeded, while the script logs each request as it comes in.
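To make the log produced by the include above useful, here is an added example (my own code, not part of the original page) that parses its "USERAGENT:...:PAGE:...:REMOTEHOST:..." lines and flags the two things worth looking at: requests for the CGI paths the page answers, and user-agents carrying the "() {" Bash function-definition prefix that Shellshock (CVE-2014-6271) probes rely on. The sample log lines and addresses are constructed for the example.

```python
import re
# Record layout written by the 404 include above: one line per request with
# ":NAME:" markers between fields. The user-agent is matched greedily up to the
# last ":PAGE:", so colons inside a probe body do not break the parse.
LINE_RE = re.compile(
    r"^USERAGENT:(?P<ua>.*):PAGE:(?P<page>.*?):HOST:(?P<host>.*?)"
    r":TIME\(UTC\):(?P<time>\d+):REMOTEHOST:(?P<remote>\S+)$"
)
# CVE-2014-6271 probes smuggle a Bash function definition, "() {", into a
# header that the CGI layer exports as an environment variable; that prefix
# is the usual detection signature.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# CGI paths the honeypot page above answers with the fake MD5.
WATCHED_PATHS = {"//", "/cgi-bin/test-cgi", "/cgi-sys/realsignup.cgi"}

def parse_line(line):
    """Return a dict of fields for one log line, or None if it is malformed."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = int(rec["time"])
    rec["shellshock"] = bool(SHELLSHOCK_RE.search(rec["ua"]))
    return rec

def suspicious_hits(lines):
    """Keep records that carry a Shellshock probe or hit a watched path."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and (rec["shellshock"] or rec["page"] in WATCHED_PATHS):
            hits.append(rec)
    return hits

# Constructed sample lines (not real traffic); the probe body is the usual
# harmless function-definition test string, carrying no payload.
SAMPLE_LOG = [
    "USERAGENT:() { :;}; echo test:PAGE:/cgi-bin/test-cgi:HOST:example.test"
    ":TIME(UTC):1425254400:REMOTEHOST:192.0.2.10",
    "USERAGENT:Mozilla/5.0 (X11; Linux x86_64):PAGE:/favicon.ico"
    ":HOST:example.test:TIME(UTC):1425254401:REMOTEHOST:198.51.100.7",
    "USERAGENT:curl/7.35.0:PAGE:/cgi-sys/realsignup.cgi:HOST:example.test"
    ":TIME(UTC):1425254402:REMOTEHOST:203.0.113.5",
    "not a record at all",
]

if __name__ == "__main__":
    for rec in suspicious_hits(SAMPLE_LOG):
        print(rec["remote"], rec["page"], "shellshock" if rec["shellshock"] else "")
```

Run against /var/tmp/httpd-404.log instead of SAMPLE_LOG to get the list of remote addresses that probed the watched CGI paths.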
I'd be curious to know the IP of the attacker (offline, of course), as I have been following a similar threat.
Hi, to be honest I found this page because of the md5sum of 2014, which I also found in logs.
Thanks for the heads up!
Did you investigate that bot anyway?
Cheers