On Sat, Sep 27, 2014 at 11:02 AM, Keith Keller <kkeller at wombat.san-francisco.ca.us> wrote:

> On 2014-09-26, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
> > On Fri, September 26, 2014 5:13 pm, John R Pierce wrote:
> >>
> >> linux apache web servers with the bash exploit are getting owned en
> >> masse today. my (patched) internet web server has logged 100s and
> >> 100s of attempts like...
> >>
> >> 66.186.2.172 - - [26/Sep/2014:00:49:29 -0700] "GET /cgi-bin/test.sh
> >
> > I feel really stupid, but I have to ask. If your server wasn't patched, it
> > only would have been owned by the above if that file exists, is executable by
> > apache and it indeed invokes bash (say, has #!/bin/bash or whatever bash
> > location is as first line), right? ;-)
>
> At first glance I would agree with you, but then I would wonder, if that
> request wouldn't work almost anywhere, why are the skr1pt k1dd13s doing
> it?
>

Old source versions of Apache used to come with a test.sh file in the
default cgi-bin directory, but those days are long gone, I suspect.

Cheers,
Cliff
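
The conditions raised in the quoted question (the file exists, is executable, and invokes bash) can be checked on a server with a short script. This is an added example, not part of the original thread; the function names and the usage path are hypothetical, and it goes one step further by following symlinks, since on some systems /bin/sh is a link to bash.

```shell
#!/bin/sh
# Added example (not from the thread): list files under a cgi-bin directory
# that are executable and whose "#!" interpreter resolves to bash.

# Print the resolved interpreter path of script $1; fail if it has no "#!" line.
shebang_interp() (
    set -f    # no globbing while the "#!" line is split into words
    line=$(head -n 1 "$1" 2>/dev/null | tr -d '\r\000')
    case "$line" in
        '#!'*) ;;
        *) exit 1 ;;
    esac
    set -- ${line#??}
    interp=$1
    # "#!/usr/bin/env bash": the real interpreter is env's first argument
    case "$interp" in
        */env) interp=$(command -v "$2") || exit 1 ;;
    esac
    [ -n "$interp" ] || exit 1
    # Follow symlinks: /bin/sh may itself be a link to bash
    readlink -f "$interp" 2>/dev/null || printf '%s\n' "$interp"
)

# Print every file under directory $1 that meets both conditions.
# [ -x ] tests as the current user, so run this as the web server account.
list_bash_cgi() {
    find "$1" -type f | sort | while IFS= read -r f; do
        [ -x "$f" ] || continue
        interp=$(shebang_interp "$f") || continue
        case "${interp##*/}" in
            bash) printf '%s\n' "$f" ;;
        esac
    done
}

# Assumed usage: sh list_bash_cgi.sh /var/www/cgi-bin
if [ "$#" -gt 0 ]; then
    list_bash_cgi "$1"
fi
```

The script only inspects the interpreter line of each file; it does not look at what a CGI program written in another language runs internally.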