On 2014-09-26, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
On Fri, September 26, 2014 5:13 pm, John R Pierce wrote:
linux apache web servers with the bash exploit are getting owned en masse today. my (patched) internet web server has logged 100s and 100s of attempts like...
66.186.2.172 - - [26/Sep/2014:00:49:29 -0700] "GET /cgi-bin/test.sh
I feel really stupid, but I have to ask. If your server wasn't patched, it only would have owned by the above if that file exists, is executable by apache and it indeed invokes bash (say, has #!/bin/bash or whatever bash location is as first line), right? ;-)
At first glance I would agree with you, but then I would wonder, if that request wouldn't work almost anywhere, why are the skr1pt k1dd13s doing it?
--keith