iamtheky
Posted September 26, 2014

Found this Perl command to loop through environment variables looking for those that contain code after a function declaration. Anything better?

$ perl -e 'for (keys %ENV) { delete $ENV{$_} if $ENV{$_} =~ /};.+/ }'

At the bottom of this article: http://perltricks.com/article/115/2014/9/26/Shellshock-and-Perl

czardas
Posted September 27, 2014

Good find. I guess we'll see what happens in the coming days.

iamtheky
Posted September 27, 2014

So this isn't a fix, but you can search for evildoers in your Apache access.log with the regex

"\(?\s*_*\s*\)?\s*\{|cgi"

It will return a lot of false positives for the cgi, but that's better than false negatives. Just pipe tail -f into grep -E and watch for anything untoward happening.

From here: http://www.reddit.com/r/netsec/comments/2hehgk/cve20147169_bash_fix_incomplete_still_exploitable/

I built a Splunk report with it; so far it returned a bunch of awk and a few rpm commands that are all false positives.
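
The log search described in the post above, as an added example that is not part of the original thread: it applies the post's pattern (assumed here to be the posted regex with its backslash escapes written out) to Apache combined-format lines, then separates hits on a "() {" function definition in the request, Referer or User-Agent from hits that only matched the broad "cgi" or "{" alternatives. The field regex, the narrower FUNC_DEF pattern and the sample log lines are constructed for the example.

```python
import re

# Pattern from the post, with regex escapes written out (assumed intended form).
POST_PATTERN = re.compile(r"\(?\s*_*\s*\)?\s*\{|cgi")
# Narrower check added for this example: an actual "() {" function definition.
FUNC_DEF = re.compile(r"\(\s*_*\s*\)\s*\{")
# Apache combined log format; quoted fields may contain backslash-escaped quotes.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] ' + QUOTED +
                      r' \d{3} \S+ ' + QUOTED + " " + QUOTED)
FIELDS = ("request", "referer", "agent")

# Constructed sample lines (documentation addresses, harmless echo payload).
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Sep/2014:10:01:03 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 128 "-" "() { :; }; echo constructed-sample"',
    '203.0.113.10 - - [27/Sep/2014:10:02:40 +0000] "GET / HTTP/1.1" 200 512 "() { :; }; echo constructed-sample" "Mozilla/5.0"',
]

def classify(line):
    """Return (verdict, fields): verdict is None, 'broad-only' or 'function-def'."""
    if not POST_PATTERN.search(line):
        return None, []
    m = COMBINED.match(line)
    if m is None:
        # Line is not in combined format: judge the raw text instead.
        return ("function-def", ["raw"]) if FUNC_DEF.search(line) else ("broad-only", [])
    hits = [name for name, value in zip(FIELDS, m.groups()[1:]) if FUNC_DEF.search(value)]
    return ("function-def", hits) if hits else ("broad-only", [])

def scan(lines):
    """Return (client, verdict, fields) for every line the post's pattern flags."""
    results = []
    for line in lines:
        verdict, fields = classify(line)
        if verdict:
            results.append((line.split(" ", 1)[0], verdict, fields))
    return results

if __name__ == "__main__":
    for client, verdict, fields in scan(SAMPLE_LOG):
        print(f"{client:15} {verdict:13} {','.join(fields) or '-'}")
```

Lines reported as broad-only are the kind of false positive the post mentions (plain cgi paths, awk braces); function-def lines are the ones worth reviewing first.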