Find Shellshock Exploit Attempts & Probes From the Command Line and Papertrail

Never hurts to make sure

I’ve written about Papertrail a few times before. I love the service, and it’s just too valuable not to use.

Papertrail makes it super easy to find Shellshock exploit attempts and probes. Probes are just checking a machine to see if it’s vulnerable to Shellshock. If you’re using CloudFlare, you’ll never see any Shellshock attempts show up in your logs; CloudFlare doesn’t even let them through.

See If Shellshock Affects You

Checking to see if your system is vulnerable to Shellshock is quite easy. It takes a relatively simple bash command:

env x='() { :;}; echo vulnerable to shellshock' bash -c "echo All good"

Run that code in a terminal. If all you see is All good, you’re not vulnerable. However, if you also see vulnerable to shellshock, you are potentially vulnerable.


Shellshocker.net provides a script that will download, compile, and install the newest version of bash for you. You should only use it though if your Linux distribution hasn’t already provided updated security release packages. If you’re interested, the code that runs Shellshocker.net is available on GitHub.

Find Shellshock Attempts and Probes Via The Command Line

This is very easy as long as you know the location of your Apache access log file. It’s typically something like /var/log/apache2/access.log. Assuming that’s the location of your Apache access log file, this command will pull out all the Shellshock probes and attempts:

grep '() {' /var/log/apache2/access.log

If nothing was returned, that means nobody has been trying to exploit Shellshock on your system, or even checking to see if your system is susceptible to Shellshock. If results are returned, look them over carefully to examine where the attempts are coming from. An IP address will be associated with every attempt.
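An added example (not part of the original post) that extends the grep above: it tallies matching requests per source IP with first-seen and last-seen timestamps, reading plain or gzip-rotated logs. It assumes Apache's common/combined log format (client IP in field 1, timestamp in field 4); the function names and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: per-source summary of Shellshock probes in Apache access logs.
# Assumes common/combined log format: client IP is field 1, timestamp field 4.

# shellshock_sources [FILE...]
# Prints "COUNT IP FIRST_SEEN LAST_SEEN", busiest source first.
# Reads stdin when no files are given; *.gz (rotated) files are decompressed.
# grep -F matches "() {" as a fixed string; its exit status 1 only means
# "no hits", so that case is not treated as an error.
shellshock_sources() {
    if [ "$#" -eq 0 ]; then
        cat
    else
        for _f in "$@"; do
            case "$_f" in
                *.gz) gzip -dc -- "$_f" ;;
                *)    cat -- "$_f" ;;
            esac
        done
    fi |
        { grep -F -- '() {' || [ "$?" -eq 1 ]; } |
        awk '{
            ts = substr($4, 2)                    # drop the leading "["
            if (!($1 in hits)) first[$1] = ts     # log lines are in time order
            hits[$1]++
            last[$1] = ts
        }
        END { for (ip in hits) print hits[ip], ip, first[ip], last[ip] }' |
        sort -k1,1nr -k2,2
}

# Constructed sample log (documentation-range IPs, harmless echo payload).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 404 345 "-" "() { :;}; echo probe"
198.51.100.23 - - [25/Sep/2014:10:05:40 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Sep/2014:11:15:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 345 "() { :;}; echo probe" "-"
192.0.2.44 - - [26/Sep/2014:02:30:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "() { :;}; echo probe"
EOF
}

# Demo: prints one summary line per probing source.
sample_log | shellshock_sources
```

Pass rotated logs oldest first so the first-seen and last-seen columns stay in order. An empty result only covers the fields Apache writes to the log (request line, Referer and User-Agent in the combined format); a probe sent in another header leaves no match.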

Shellshocker.net Checker

Shellshocker.net also provides a bash script to check your machines for the Shellshock vulnerability. You can download the script and run it manually from your terminal, or, if you have cURL installed, run the following command:

curl https://shellshocker.net/shellshock_test.sh | bash

Running that command will produce results similar to the screenshot seen below. It checks for a number of Shellshock related vulnerabilities.

Find Shellshock Attempts and Probes With Papertrail

Go to your Papertrail events tab and search for the following:
"() {"

If anything is returned, those are Shellshock probes. Some example probes are listed in the gist that’s embedded below. None of the offending IP addresses have been redacted.

These actually made it through to Papertrail, which shouldn’t happen since longren.io sits behind Cloudflare. I’ll open a support ticket with them about it and update this post later.

Just A Regular Night with WindStream DSL

I see this a lot

I pay $90 a month for 12Mbps down and 1Mbps up. It’s all I have available. I never get 1Mbps up, at least according to testmy.net. Ping responses take quite a while, no matter the geographical location of the box I’m pinging.

[email protected]:~$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=49 time=1791 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=49 time=1941 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=49 time=1523 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=49 time=2028 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=49 time=1831 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=49 time=1846 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=49 time=2147 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=49 time=2228 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=49 time=2299 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=49 time=2350 ms
64 bytes from 8.8.8.8: icmp_seq=11 ttl=49 time=2252 ms
64 bytes from 8.8.8.8: icmp_seq=12 ttl=49 time=2373 ms
64 bytes from 8.8.8.8: icmp_seq=13 ttl=49 time=2247 ms
64 bytes from 8.8.8.8: icmp_seq=14 ttl=49 time=2116 ms
64 bytes from 8.8.8.8: icmp_seq=15 ttl=49 time=2069 ms
64 bytes from 8.8.8.8: icmp_seq=16 ttl=49 time=2248 ms
64 bytes from 8.8.8.8: icmp_seq=17 ttl=49 time=2162 ms
64 bytes from 8.8.8.8: icmp_seq=18 ttl=49 time=2204 ms
64 bytes from 8.8.8.8: icmp_seq=19 ttl=49 time=2148 ms
--- 8.8.8.8 ping statistics ---
21 packets transmitted, 19 received, 9% packet loss, time 20037ms
rtt min/avg/max/mdev = 1523.625/2095.396/2373.288/214.538 ms, pipe 3

Of course, WindStream support folks have me test with speedtest.net, which hangs well below the 1Mbps mark. Until the end of the upload, when it gets faster, and then that’s what’s used as the result.

It’s not this bad all the time, but it’s bad way more often than it should be.

I actually miss Mediacom Cable.

Done Smoking for Over One Month

Just got an achievement in QuitNow Pro for Android for 800 cigarettes not smoked

It’s actually been over a month now, 40 days to be more precise.

I’ve finally stopped using my nicotine patches and don’t miss them. I simply forgot to put a new one on one day. I realized in the evening that I never changed my patch. Took it off but never put a new one on, just because I don’t really feel the need to.

I’m still around lots of folks who smoke, but it doesn’t really bother me like I thought it would.

Hoping the following weeks and months are as smooth as this last week has been. We bought a house on contract, so, having a cigarette did go through my head a few times. Not the least stressful of things to do while stopping smoking. Worked out wonderfully, though.

Done Smoking: 2 Weeks

Approaching 2 weeks without a cigarette

12 days and 19 hours without a smoke, to be more precise. I feel better than I have in a long time, my persistent smoker’s cough is gone, and I have noticed a definite increase in stamina in everything I do.

I still haven’t attempted going to a lower dose nicotine patch. There’s been a few mornings where I’ve forgotten to put a new patch on. On all of those occasions, I didn’t feel like I needed a cigarette, or nicotine. I just happened to see my box of patches, and it’s reminded me to put a new one on.

So, I’m thinking a lot of the nicotine dependency stuff is likely a mental crutch of some sort, I dunno, I’m not a psychologist.

I’ve actually surprised myself, too. When I stopped smoking, I didn’t really believe that it was something I could do and stick with.
The last 10+ years that I’ve been a smoker, I’ve done a lot to convince myself that quitting would be a terrible experience. It hasn’t been terrible, at all. Still, I’d love to have a cigarette. :)

This will probably be my last post on this topic for a while, at least until I’m approaching 1 month without a cigarette.

Done Smoking: Days 4 & 5

I thought it’d be harder, honestly

The urge to smoke hasn’t been as bad as I had expected. Not nearly as bad. I think I’d like to make it to two months without a cigarette, smoke one, then quit again, just to do it. Not sure the wife would go for that. In fact, I know she wouldn’t. :)

I’ve been using QuitNow Pro for Android to track my progress. It figures out roughly how much money I’m saving, how many hours of my life I’ve saved, and the total number of cigarettes I haven’t smoked that I normally would have smoked. It’s pretty cool, and there’s a TON of stop smoking apps on the Google Play Store.

I’m still using the 21mg nicotine patch, and will probably continue to do so. I toyed with the idea of stepping down to the 14mg patch early, but decided I might as well use what I have and just stick with what’s working.

At this rate, I don’t think remaining smoke free will be a problem for me. Yesterday, I had zero urges to go outside for a smoke, which was a first.

In a typical day, I’d get that urge to go outside to smoke about two or three times, and realized it was mostly after eating a meal. I was one of those people who always had to have a cigarette after eating a meal, and I think I’m finally getting past that. I hope.

Thanks for all the encouragement, everyone, it really does help. :)