
I've patched my servers, but I'd also like to review my logs to see if there have been any compromises on them. Are there any consistent traces of exploits using this bug?

  • Perhaps, but there is no common signature, because it is an arbitrary code execution bug. The attacker can pack whatever malicious payload they like in the environment variables they are poisoning. Better question: do you run any CGI bin scripts? Otherwise you mostly need to authenticate via SSH in order to exploit, so check your logs for unexpected SSH logins. Commented Sep 25, 2014 at 20:36

1 Answer


I caught some hits in the logs with:

grep -r '"()' /var/log/httpd/
grep -r "'()" /var/log/httpd/
  • Note that the paths used might differ based on your actual server, e.g. lighttpd would use /var/log/lighttpd/ instead.
    – Mario
    Commented Sep 27, 2014 at 7:37
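The two greps above look for a literal `"()` or `'()` anywhere in a log line, which works but tells you nothing about which request field carried the string or where it came from. The following is an added example (not code from the answer or the commenters): a small scanner that parses Apache "combined" format lines, applies the same idea as a regular expression (`()` followed by optional whitespace and `{`, the opening of a bash function definition), and reports the source IP and the field that matched. It assumes the combined log format; the sample log lines are constructed for illustration and use only a harmless `echo` payload.

```python
import re

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:20:10:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo constructed"
198.51.100.7 - - [25/Sep/2014:20:11:44 +0000] "GET /index.html HTTP/1.1" 200 3042 "http://example.invalid/" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:20:12:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() {:;}; echo constructed" "curl/7.37.0"
192.0.2.9 - - [25/Sep/2014:20:13:30 +0000] "GET /about HTTP/1.1" 200 1200 "-" "Mozilla/5.0 (compatible; bot/1.0)"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Signature: "()" followed by optional whitespace and "{", i.e. the start of a
# bash function definition planted in a header value. Matching on that opening
# rather than on a particular payload also catches "(){" variants the two
# greps in the answer would miss.
SIGNATURE_RE = re.compile(r'\(\)\s*\{')

# Request fields that end up in the CGI environment (REQUEST_URI, HTTP_REFERER,
# HTTP_USER_AGENT) and are therefore worth checking.
CHECKED_FIELDS = ('request', 'referer', 'ua')


def scan_line(line):
    """Return a dict describing a hit, or None if the line is clean."""
    m = COMBINED_RE.match(line)
    if not m:
        # A payload containing double quotes breaks the combined pattern, so
        # fall back to searching the raw text rather than skipping the line.
        if SIGNATURE_RE.search(line):
            return {'ip': line.split(' ', 1)[0], 'time': '', 'request': '', 'fields': ['raw']}
        return None
    fields = [f for f in CHECKED_FIELDS if SIGNATURE_RE.search(m.group(f))]
    if not fields:
        return None
    return {
        'ip': m.group('ip'),
        'time': m.group('time'),
        'request': m.group('request'),
        'fields': fields,
    }


def scan_log(text):
    """Scan every line of a log file's contents and return the list of hits."""
    return [hit for hit in (scan_line(line) for line in text.splitlines()) if hit]


def source_ips(hits):
    """Distinct source addresses seen in the hits, for follow-up review."""
    return sorted({hit['ip'] for hit in hits})


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['request']!r} via {','.join(hit['fields'])}")
    print('sources:', source_ips(scan_log(SAMPLE_LOG)))
```

On a real server, read the files under the log directory the comment mentions (`/var/log/httpd/` or `/var/log/lighttpd/`) and feed their contents to `scan_log`. A hit only shows that the signature arrived; whether it did anything depends on whether the request reached a CGI script on an unpatched host, so correlate the timestamp and source with the script's own output and with any unexpected processes or outbound connections from that time.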
