Bash – Collection of shell shock related logfile grep patterns

bash

There are many topics on the shellshock bash vulnerability, but there isn't any collection of patterns that we could "grep" for in either the webservers access.log files and in the normal logs.

There are already 6 CVE's opened related to shell shock, each with it's own uniqity.

There is a Wiki page for the CVE's related to shell shock: https://en.wikipedia.org/wiki/Shellshock_(software_bug)

Question: Can someone please summarize what to "grep" for in the logfiles, to check if the webserver has been targeted/exploited with the bash vulnerability?

EXAMPLES:

In the access log of the http server (the directory could be elsewhere, listed a few. Also access log filename could differ, ex.: "*access.log"):

cd /var/log/apache2/
cd /var/log/httpd/
cd /var/www/logs/
cd /var/log/nginx/

zgrep 'bash' access*
zgrep "};" access*
zgrep "}\s*;" access*
zgrep "() {" access*
zgrep "wget" access*
zgrep "uname -a" access*

it checks for:
- bash commands (in cgi's, etc.) – example attacks here
- the general pattern of CVE-2014-6271
- it's also not very normal to have "wget" or "uname -a" in here

From the example attacks, the IP's:

zgrep "187.0.222.86" access*
zgrep "209.126.230.72" access*
zgrep "217.14.242.115" access*
zgrep "218.216.190.234" access*
zgrep "54.251.83.67" access*
zgrep "67.227.0.77" access*
zgrep "74.201.85.77" access*
zgrep "78.60.1.101" access*
zgrep "89.207.135.125" access*

In the normal logs (the directory could be elsewhere):

cd /var/log/

zgrep 'bash' messages*
zgrep 'bash' syslog*

it checks for:
- bash segfaults/crashes – it could occur when using shell shock

If you don't want to grep for all.. the grep for "bash" – this is the most general thing to do..

Best Answer

detection might be mitigated by attackers through custom headers that are not logged (already seen this), meaning you cannot detect that stuff in logfiles

this is what i check for:

$ grep -e "() {" /var/log/nginx/*access.log

furthermore, you'll see some output from the commands in your error-log, if not suppressed, like here:

[Thu Sep 25 21:16:55 2014] [error] [client ::1] --2014-09-25 21:16:55--  http://fump.8ack.org/
[Thu Sep 25 21:16:55 2014] [error] [client ::1] Resolving fump.8ack.org (fump.8ack.org)... 
[Thu Sep 25 21:16:55 2014] [error] [client ::1] 46.4.8.254
[Thu Sep 25 21:16:55 2014] [error] [client ::1] 
[Thu Sep 25 21:16:55 2014] [error] [client ::1] Reusing existing connection to fump.8ack.de:80.
[Thu Sep 25 21:16:55 2014] [error] [client ::1] HTTP request sent, awaiting response... 
[Thu Sep 25 21:16:55 2014] [error] [client ::1] 200 OK
[Thu Sep 25 21:16:55 2014] [error] [client ::1] Length: 1631 (1.6K) [text/html]
[Thu Sep 25 21:16:55 2014] [error] [client ::1] Saving to: `STDOUT'
[Thu Sep 25 21:16:55 2014] [error] [client ::1] 
[Thu Sep 25 21:16:55 2014] [error] [client ::1]      0K .                                                     100% 8.27M=0s
[Thu Sep 25 21:16:55 2014] [error] [client ::1] 
[Thu Sep 25 21:16:55 2014] [error] [client ::1] 2014-09-25 21:16:55 (8.27 MB/s) - written to stdout [1631/1631]

Related Solutions

Linux command line best practices and tips

Use screen, a free terminal multiplexer developed by the GNU Project that will allow you to have several terminals in one.

You can start a session and your terminals will be saved even when you connection is lost, so you can resume later or from home.

Bash avoide intrpretate special characters

I don't understand what particular problem you are stuck on. Your description is really unclear. So I'll give some general advice on simplifying the script; if it's not enough to solve your problem, try to come up with a clearer explanation.

I'm pretty sure this script is much more complicated than it needs to be. Spending a few minutes browsing the documentation of a command to see if one of its options could help you can save hours of debugging. Spending a few minutes thinking about the general structure of the script can save hours of debugging.

Here are several ways in which you could have made your script simpler.

All variable substitutions should be inside double quotes, i.e., always write "$foo" and not just ~~$foo~~. You've done it sometimes, but not systematically. Always use double quotes unless you know why you do not want them in a particular case.

Here's a simpler way of writing your help function; it's called a “here document”.

function help()
{
    cat <<EOF
This script is responsible for simply recursively searching patterns
given in [INPUT FILE] in [PATH]. If pattern is not found then it is
written to [OPTIONAL OUTPUT FILE]. If [OPTIONAL OUTPUT FILE] is not
given the default [OUTPUT FILE] name is: out
Usage: $0 [INPUT FILE] [PATH TO DIRECTORY] [OPTIONAL OUTPUT FILE]
e.g. : $0 input_file /var/www/html/ output_file
or   : $0 help -> this help
EOF
}

Give your script a non-zero exit code to indicate failure:

if [ $# -lt 2 ]; then help; exit 2; fi
if [ ! -e "$in" ]; then echo "Input file: $1 does not exist"; exit 2; fi
if [ ! -d "$path" ]; then  echo "Path: $path does not exist"; exit 2; fi

Modifying the input file in is surprising, and you can combine the whitespace-only line removal with the multiple sed expressions that add a backslash before some characters.
```
<"$in" sed -e '/^ *$/d' -e 's,[-\\".],\\&,g' > "$tmp"
```
However the quoting you perform here is strange. Why are you quoting - and ", which are not special to grep, but not * and [ which are special? What is the syntax of the patterns supposed to be?

If you meant the patterns to be literal strings to look for, all this work is unnecessary (except for removing whitespace-only lines): call grep -F.
In the part that reads the lines from $tmp, you don't need the counter variable, you can just append to the array. You also need to pass the -r argument to the read built-in, so that it doesn't strip some backslashes.
```
while read -r line; do
    linesTable+=("$line")
done <"$tmp"
```
In the loop over the patterns, you store the output of grep in a variable, but all you're doing is testing if grep found a match. It would be a lot easier (and faster) to use the return code of grep for that. (I've also removed what is presumably debugging output from the loop; you don't need tee to append to a file, just use the redirection operator >>.)
```
for line in "${linesTable[@]}"; do
    grep -q -r -- "$line" "$path"
    if [ $? -ne 0 ]; then echo "$line" >>"$tmp"; fi
done
```
You don't need to free memory at the end of the script. If this was really a function that was part of a bigger script, you should declare them with the local builtin.

Here's a restructured version of the part of your script after the command line parsing. I've incorporated the local changes outlined above and used functions to make the structure clearer. Note that the clearer structure means I don't need to use a temporary file. I don't know if the resulting script does what you want, since you don't explain precisely what you want.

function extract_patterns () {
    <"$in" sed -e '/^ *$/d' -e 's,[-\\".],\\&,g'
}

function report_missing_patterns () {
  local pattern
  for pattern in "$@"; do
    grep -q -r -- "$pattern" "$path"
    if [ $? -ne 0 ]; then printf "%s\n" "$pattern"; fi
  done
}

process_patterns () {
  local patterns line
  patterns=()
  while read -r line; do
      patterns+=("$line")
  done
  report_missing_patterns "${patterns[@]}" | sort -u >"$out"
}

extract_patterns | process_patterns

Best Answer

Related Solutions

Linux command line best practices and tips

Bash avoide intrpretate special characters

Related Topic