iamtheky
Posted September 26, 2014

Found this Perl command to loop through environment variables looking for those that contain code after a function declaration. Anything better?

    $ perl -e 'for (keys %ENV) { delete $ENV{$_} if $ENV{$_} =~ /};.+/ }'

At the bottom of this article: http://perltricks.com/article/115/2014/9/26/Shellshock-and-Perl

czardas
Posted September 27, 2014

Good find. I guess we'll see what happens in the coming days.

iamtheky
Posted September 27, 2014

So this isn't a fix, but you can search for evildoers in your Apache access.log with the regex "(?s*_*s*)?s*{|cgi". It will return a lot of false positives for the cgi, but that's better than false negatives. Just pipe tail -f into grep -E and watch for anything untoward happening.

From here: http://www.reddit.com/r/netsec/comments/2hehgk/cve20147169_bash_fix_incomplete_still_exploitable/

I built a Splunk report with it, so far returned a bunch of awk and a few rpm commands that are all false positives.
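
Added example, not part of the thread: a shell version of the access-log triage described in the post above, which keeps lines carrying a bash function-definition opener apart from plain CGI requests, the source of the false positives the post mentions. The pattern, the function names and the sample log lines are constructed for this example; the pattern is this example's own, written with POSIX classes for grep -E, not the regex quoted in the post.

```shell
#!/bin/sh
# Added example: triage an Apache access log for Shellshock-style probes.
# PATTERN_FUNC is this example's own pattern (an assumption, not the regex
# quoted in the thread): the bash function-definition opener "() {" with
# optional whitespace or underscores, using POSIX classes for grep -E.
PATTERN_FUNC='\([[:space:]]*_*[[:space:]]*\)[[:space:]]*\{'

# Lines where any field (request, Referer, User-Agent) carries the opener.
shellshock_hits() {
    grep -E -- "$PATTERN_FUNC" "$1"
}

# CGI requests without the opener: the noisy bucket, kept separate.
cgi_only_hits() {
    grep -i -- 'cgi' "$1" | grep -Ev -- "$PATTERN_FUNC"
}

# Hit count per client address, busiest first.
shellshock_sources() {
    shellshock_hits "$1" | awk '{print $1}' | sort | uniq -c | sort -rn
}

# Constructed sample log (combined format, documentation address ranges).
make_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [27/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [27/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo constructed-sample"
192.0.2.10 - - [27/Sep/2014:10:00:09 +0000] "GET /cgi-bin/report.cgi HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [27/Sep/2014:10:00:12 +0000] "GET / HTTP/1.1" 200 512 "()  { :;}; echo constructed-sample" "-"
203.0.113.44 - - [27/Sep/2014:10:00:20 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "( ) { :;}; echo constructed-sample"
EOF
}

# Demo run over the sample; for live use: tail -f access.log | grep -E "$PATTERN_FUNC"
log=$(mktemp)
make_sample_log "$log"
echo "function-definition hits:"
shellshock_hits "$log"
echo "hits per client:"
shellshock_sources "$log"
echo "cgi-only lines (review separately): $(cgi_only_hits "$log" | wc -l)"
rm -f "$log"
```

The ordinary browser User-Agent with parentheses does not match, because the pattern allows only whitespace or underscores between the parentheses before the opening brace.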