Resources which will help you to understand the BASH exploit

Github

https://gist.github.com/anonymous/929d622f3b36b00c0be1 – mirror download: BASH User Agent Script.tar

https://gist.github.com/mbulat/a49d0933c48687bcf5d7 – mirror download: Jur Bash IRC Script

BASH exploit botnets

First Shellshock botnet attacks Akamai, US DoD networks – http://www.itnews.com.au/News/396197,first-shellshock-botnet-attacks-akamai-us-dod-networks.aspx

ShellShock DHCP RCE POC

Shellshock DHCP RCE Proof of Concept – https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/

As long as a bash CGI script is found by probing, exploiting only requires putting a bash command in a header such as “Cookie:” for it to be executed. – Slashdot.org user Solozerk

How to check if you are being scanned for the exploit via Solozerk:

You can check if you’ve been scanned for exploitable CGIs using something like (adjust apache logs path accordingly):

grep cgi /var/log/apache2/access* | grep -E '};|}\s*;'
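
A fuller version of the log check above, as an added example (not from Solozerk's post or the linked resources): it matches the `() {` function-definition prefix that Shellshock payloads begin with, also reads rotated .gz logs, and counts hits per client address. The function names and the sample log lines are constructed for illustration.

```bash
#!/bin/sh
# Added example: summarise Shellshock probes recorded in Apache access logs.
# Caveat: the default "combined" format logs only the request line, Referer and
# User-Agent, so a payload sent in Cookie is visible only if LogFormat logs it.

# Print log lines containing the bash function-definition prefix "() {".
# Reads plain files and rotated .gz files alike.
shellshock_hits() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        case "$f" in
            *.gz) gzip -dc -- "$f" ;;
            *)    cat -- "$f" ;;
        esac
    done | grep -F -- '() {'
}

# Count hits per client address (first field), busiest source first.
shellshock_sources() {
    shellshock_hits "$@" |
        awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

# Constructed sample log: documentation addresses, harmless "echo" payload.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
192.0.2.10 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() { :;}; echo probe" "-"
198.51.100.7 - - [25/Sep/2014:10:01:00 +0000] "GET /cgi-bin/search?q=a};b HTTP/1.1" 200 90 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "() { :; }; echo probe"
EOF
}

# Usage: sh shellshock_scan.sh /var/log/apache2/access*
if [ "$#" -gt 0 ]; then
    shellshock_sources "$@"
fi
```

In the sample, the third line (a `};` inside an ordinary query string) is not reported, while the fourth (a probe against a path that does not contain "cgi") is.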

FACTS

  • Most SOHO routers are vulnerable because of the mod_cgi web frontend (notified by Tiago Rosado)
  • Most Linux / Unix systems are vulnerable
  • It is currently being used to attack the United States DOD and Akamai

Proof of Concept on Kali Linux

Founder of Cyberwarzone.com.